mp2012
Contributor

inbound https inspection working partially only?

Hello,

I see following behaviour:

  • https inspection inbound to a webserver --> uploading EICAR AV test file --> prevented: fine
  • https inspection inbound to an Exchange server --> uploading EICAR AV test file (just a mail via web UI) --> not detected
  • both got rules with the dest server cert imported, both log as inspected traffic

Any ideas?

That is on 81.10 IPS/AV/antibot.

kind regards,

0 Kudos
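A reproducible version of the upload test described above, added here as an example and not part of the original post: it sends the harmless EICAR test file as a multipart upload over HTTPS and classifies the response as blocked by the gateway, accepted by the server, or an error. It assumes a plain file-upload endpoint (the `TARGET_URL` placeholder); an OWA mail upload would need the application's own flow.

```python
"""Probe whether inbound HTTPS inspection flags an EICAR upload."""
import ssl
import urllib.error
import urllib.request

# Placeholder (assumption): replace with the inspected inbound URL under test.
TARGET_URL = "https://upload.example.invalid/upload"

# Standard 68-byte EICAR test string, assembled from two fragments so this
# source file is not itself quarantined by endpoint AV on the test client.
EICAR = "X5O!P%@AP[4\\PZX54(P^)7CC)7}$" + "EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


def build_multipart(filename, data, boundary="eicarprobe"):
    """Return (body, content_type) for a single-file multipart/form-data POST."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="file"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return head + data + tail, f"multipart/form-data; boundary={boundary}"


def classify(status, body):
    """Map an HTTP response to the inspection outcome.

    Assumption: a gateway block shows up as 403 or a block page mentioning
    "blocked"; a 2xx without such a marker means the file reached the server.
    """
    text = body.decode(errors="replace").lower()
    if status == 403 or "blocked" in text:
        return "blocked"
    if 200 <= status < 300:
        return "accepted"
    return f"error:{status}"


def probe(url=TARGET_URL):
    """POST the EICAR file to url and classify the result (needs network access)."""
    body, ctype = build_multipart("eicar.com", EICAR.encode())
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": ctype})
    ctx = ssl.create_default_context()  # keep cert validation on: the imported server cert must verify
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=15) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as e:       # block pages usually arrive as 403
        return classify(e.code, e.read())
    except (urllib.error.URLError, ConnectionResetError, TimeoutError) as e:
        return f"reset_or_unreachable:{e}"     # some gateways drop instead of answering
```

Run `probe()` once against the plain webserver and once against the Exchange VIP; both should come back "blocked" when inspection covers the whole connection.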
7 Replies
PhoneBoy
Admin

Can you confirm HTTPS Inspection was done on the entire communication?
Also, is Mobile Access Blade involved with Exchange?

0 Kudos
mp2012
Contributor

Hello,

I tested the less complex scenario via client/browser accessing the Outlook Web App, so only one destination FQDN and IP address (the VIP) is involved.

Mobile Access Blade not involved.

kind regards,

mp2012

0 Kudos
PhoneBoy
Admin

Please confirm yes or no that you are using Mobile Access Blade because your answer is unclear on this fact.
Also, you say the VIP is used; does that mean you are using NAT to expose your Exchange server via the Cluster IP?

In the past, we've had EICAR not flagged in specific circumstances:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 
It might be worth a TAC case. 

0 Kudos
mp2012
Contributor

Hello,

Sorry, misunderstood. So yes, Mobile Access Blade is enabled and active on this gateway.

The complete communication path is:

external client --> perimeter gw with https inspection rule --> Load Balancer VIP rev.proxy --> reverse proxy servers -->  Load Balancer VIP exchange --> exchange servers

Maybe going to remove the rev. proxy setup if we're satisfied with the HTTPS decryption setup.

The same setup works on SharePoint, but surprisingly it's blocked as "Trojan.Win32.Mitaka.TC.a".

kind regards,

mp2012

0 Kudos
PhoneBoy
Admin

If you're using Mobile Access Blade, HTTPS Inspection isn't relevant as the connection is terminating on the gateway anyway.
It also changes the inspection flow a bit and which blades are supported.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... 

AV should be supported, though, which means EICAR should be flagged.
What version/JHF is the gateway?

0 Kudos
mp2012
Contributor

Hi,

I mean Mobile Access Blade is enabled on this gateway, but not used in this scenario (that's why I mentioned it as "not involved" in my initial post).

GW running 81.10 Take66.

0 Kudos
PhoneBoy
Admin

Ok.
I think your best bet here is to involve the TAC.
Under certain conditions that may not be relevant anymore, EICAR was not flagged as malicious.
I don't think these conditions apply anymore, though, as they are for older versions running Traditional AV.

0 Kudos