marcyn
Collaborator

cptls_server_cn_cache table

Hi CheckMates,

A lot of you are Check Point trainers.
So it is possible that you could have some doubts regarding the cptls_server_cn_cache table... like me.

In the CCTE book (CCTE R81.10 - page 241) we can see this:
HTTPS Filtering: HTTPS Filtering allows categorization of HTTPS sites without HTTPS inspection (passive HTTPS). It uses a cache table, cptls_server_cn_cache. The cache saves mapping between IP+Port to CN (certificate's Canonical Name) and a flag, if the CN is valid. This table is searched with the IP+Port of a connection to look for a CN.


So I decided to check this out... and it looks like that's not exactly true.

On this page of the CCTE book there is also an image that shows how this table looks.
In this image we can see that the first two columns describe the Table Key, which is IP + Port, the next two describe the CN, the 5th column describes "Is CN Valid?", and finally the 6th column describes the ttl (I attach this image here - name: ccte_page_241.png).


However, I noticed that I don't have such a table without enabling full HTTPS Inspection.
Remember that, according to what we can read in the CCTE book, this table is used when we want to categorize HTTPS sites without using HTTPS Inspection....


Here, take a look at what tables are present on my R81.20 gateway without HTTPS Inspection enabled:
[Expert@CP-GW:0]# fw tab | grep tls
-------- tls_services --------
-------- fwtls_state_map --------
-------- cptls_params_id_map --------
-------- cptls_host_name_cache --------
-------- tls_main --------
[Expert@CP-GW:0]#
As you can see there is no "cptls_server_cn_cache" table.

Now... if I enable HTTPS Inspection I can see this table:
[Expert@CP-GW:0]# fw tab | grep tls
-------- tls_services --------
-------- fwtls_state_map --------
-------- cptls_params_id_map --------
-------- cptls_server_cn_cache --------
-------- cptls_host_name_cache --------
-------- tls_main --------
[Expert@CP-GW:0]#

In case you wonder - yes, I have enabled the option to categorize HTTPS sites without HTTPS Inspection in: Manage & Settings > Blades > Application Control & URL Filtering > Advanced Settings > Categorize HTTPS websites

There is more... the cptls_server_cn_cache table looks different than in the CCTE book - as you can see on another image that I attach (my_cptls_server_cn_cache.png).

If we take a look at "my" cptls_server_cn_cache table, it looks like this:
[Expert@CP-GW:0]# fw tab -t cptls_server_cn_cache
localhost:
-------- cptls_server_cn_cache --------
dynamic, id 7994, num ents 1, load factor 0.0, attributes: keep, sync, kbuf 2, local sync, expires 86400, , hashsize 16384, limit 45714
<12f4663e, 000001bb, d9817b43, 11be16f0; 0000001f, ab813004, 00000002, 00000000, ffffffff; 86301/86400>

How to read this?
As you can see, here we have 4 (not 2) columns before the ";": 12f4663e, 000001bb, d9817b43, 11be16f0;
The first one is probably the IP, the 2nd is for sure port 443, ... what about the 3rd and 4th?
And what about the other columns: 0000001f, ab813004, 00000002, 00000000, ffffffff; Is this the CN? How to read this CN?
Where is "Is CN valid?"?
The last one is the ttl - no doubts.


Have any of you thought about this too?

--
BR
Marcin
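As an added illustration, not code from the original post or from Check Point, here is a small Python decoder for the entry format printed above: it splits the key and value word lists and decodes only what the thread establishes (the first key word as an IPv4 address, assuming the hex is printed most-significant byte first, and the second as the port), keeping every other word raw and marked as undocumented.

```python
import re
from typing import Dict, List

# Constructed sample: the single entry exactly as "fw tab -t cptls_server_cn_cache"
# printed it in the post above, plus the table header lines for parse_table().
SAMPLE_ENTRY = ("<12f4663e, 000001bb, d9817b43, 11be16f0; "
                "0000001f, ab813004, 00000002, 00000000, ffffffff; 86301/86400>")
SAMPLE_TABLE = (
    "localhost:\n"
    "-------- cptls_server_cn_cache --------\n"
    "dynamic, id 7994, num ents 1, load factor 0.0, attributes: keep, sync, "
    "kbuf 2, local sync, expires 86400, , hashsize 16384, limit 45714\n"
    + SAMPLE_ENTRY + "\n"
)

# <key words; value words; ttl_remaining/ttl_max>
ENTRY_RE = re.compile(r"<([^;]*);([^;]*);\s*(\d+)/(\d+)>")


def hex_to_ipv4(word: str) -> str:
    """Render a 32-bit hex word as dotted quad, most-significant byte first
    (assumption: that is how fw tab shows the IP here; 12f4663e -> 18.244.102.62)."""
    v = int(word, 16)
    return ".".join(str((v >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def parse_entry(line: str) -> Dict:
    """Decode one fw tab entry; only IP, port and ttl have a known meaning."""
    m = ENTRY_RE.search(line)
    if not m:
        raise ValueError("not an fw tab entry: " + line)
    key = [w.strip() for w in m.group(1).split(",")]
    val = [w.strip() for w in m.group(2).split(",")]
    return {
        "ip": hex_to_ipv4(key[0]),   # 1st key word: server IP
        "port": int(key[1], 16),     # 2nd key word: port (000001bb -> 443)
        "key_extra": key[2:],        # 3rd/4th key words: meaning not given on the page
        "value_raw": val,            # value words: meaning not given on the page
        "ttl_remaining": int(m.group(3)),
        "ttl_max": int(m.group(4)),
    }


def parse_table(text: str) -> List[Dict]:
    """Decode every entry line of a dumped table, skipping the header lines."""
    return [parse_entry(ln) for ln in text.splitlines() if ln.strip().startswith("<")]


if __name__ == "__main__":
    for entry in parse_table(SAMPLE_TABLE):
        print(entry)
```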
9 Replies
_Val_
Admin

You should have your answers here: https://support.checkpoint.com/results/sk/sk92743

marcyn
Collaborator

Hi @_Val_ 

I know this article; unfortunately it gives no answer to my question.
In this article we can find that the cptls_server_cn_cache table looks like what we have in CCTE R81.10 (page 241)... but in real life, as I wrote, it looks a little bit different.
More... in this article we also see that this table is used for categorization without using full HTTPS Inspection.... which is also not true in real life (as I described in this post).

So, to summarize all of the above - it looks like it simply does not work as described in this SK and as described in the CCTE R81.10 book.

Or maybe I need better glasses, or something else...

If anyone would like to confirm the above... it is extremely easy - just disable HTTPS Inspection and see if you have this table on your GW. And if HTTPS Inspection is enabled... see if this table looks like we see in this SK and the CCTE R81.10 book. I believe you will confirm my observation.

--
BR
Marcin

_Val_
Admin

What version of the software are you running? R81.10 or R81.20?

Yes, the table in your case has more attributes. It might be because you are not on R81.10. Try running 

fw tab -t cptls_server_cn_cache -f

and see if it becomes clearer.

marcyn
Collaborator

Hi @_Val_ 

I'm using R81.20... but on R81.10 it looks the same 🙂

My question is not only about how this table should look - but more important for me is that in this SK and the CCTE it is clearly indicated that this table is used in the case of passive HTTPS inspection (URL categorization without using full HTTPS Inspection) 🙂

I just need to know if this is not true - maybe it was true with old releases but no more?

You know... if I train people I generally want to be sure that all of what I'm telling them is true 🙂

The structure of this table is also, as you can see, different from what we have in the SK and CCTE - of course I know what "-f" gives us here - this is something completely different from what I'm asking about here (I don't want a more human-readable view here, but to understand the basics of this table... as it looks different from what is described in the SK and CCTE - so what these particular columns mean exactly).

--
BR
Marcin

_Val_
Admin

My personal understanding is, the table is used in both cases. However, I see your point. Let me loop some people internally, to make sure all sources of information are up to date and 100% correct.

I will get back to you once I hear from them, most probably the next week.

marcyn
Collaborator

Hi @_Val_ ,

Great, thank you - this is exactly what I wanted to achieve here - to get in touch with a person who will know who should be asked about this internally 🙂
I will wait to see what you will be able to get.
Thanks

--
BR
Marcin

YosiHavilo
Employee

Before the R80_20 jumbo we used only cptls_server_cn_cache.

From the R80_20 jumbo we changed it, and we use it like this:

HTTPS Inspection uses this table:
cptls_server_cn_cache

Categorize HTTPS sites (light SSL) uses this table:
cptls_host_name_cache

marcyn
Collaborator

Hi @YosiHavilo 

Thank you for this information!

So it looks like I was right - there is an error in the CCTE R81.10 book regarding this matter..... and as far as I see the same "mistake" is in the newest R81.20 as well (at least in the instructor slides, page 335... so I believe the same will be in the book).

So... it's a good idea to correct this 🙂

--
BR
m.

_Val_
Admin

@marcyn It will be fixed in the next courseware update cycle. Relevant teams are notified.
