Saranya_0305
Participant

Clarification on IPS, Anti-Bot, and Anti-Virus Blades Functionality with and without HTTPS Inspection

Dear Team,

I have a Windows client machine accessing https://abc.com, and my Check Point firewall is the default gateway. In this scenario, if I download or upload a malicious file without HTTPS Inspection, will my Check Point firewall prevent it?

I have observed that some customers are using the IPS, Anti-Bot, and Anti-Virus blades without enabling HTTPS Inspection. Could you please explain how these blades operate in such a scenario?

Specifically, I would like to understand the following scenarios:

Scenario 1:

HTTPS Inspection - Disabled
IPS, Anti-Bot, and Anti-Virus - Enabled

Scenario 2:

HTTPS Inspection - Enabled
IPS, Anti-Bot, and Anti-Virus - Enabled

Could you kindly explain the operation of these blades in both scenarios and the impact on their performance and detection capabilities?

Thank you for your insights.


0 Kudos
8 Replies
G_W_Albrecht
Legend

0 Kudos
Chris_Atkinson
Employee

As a basic example, some of these blades have protection elements based on DNS or IP reputation, for instance, which don't necessarily require full decryption of HTTPS traffic; others may also leverage SNI analysis.

Prevention rates are obviously improved for HTTPS traffic scenarios with TLS inspection; however, this process has performance overheads by comparison, so gateway sizing is important.

Depending upon the role of the gateway, enabling HTTPS Inspection is recommended for best security. Note that QUIC inspection is also supported with R82.

CCSM R77/R80/ELITE
0 Kudos
Lesley
Leader

I agree with this. I always advise customers to do HTTPS inspection, because the gateway is missing out on a lot of data. Sure, it can still do security, but it is limited. More and more data is encrypted, now that almost all websites run HTTPS.

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
CheckMatesAI

This answer is provided by Infinity AI Copilot and should be confirmed by reviewing official documentation in Support Center.

Certainly! Let's explore how the IPS, Anti-Bot, and Anti-Virus blades function with and without HTTPS Inspection in the two scenarios you mentioned:

Scenario 1: HTTPS Inspection Disabled, IPS, Anti-Bot, and Anti-Virus Enabled

  • Functionality: Without HTTPS Inspection, the Check Point Security Gateway cannot decrypt HTTPS traffic. This means that the IPS, Anti-Bot, and Anti-Virus blades can only inspect the unencrypted parts of the traffic, such as the initial handshake and metadata. They cannot inspect the actual content of the HTTPS traffic.
  • Impact on Detection: The detection capabilities are limited because the blades cannot see the encrypted payload. Malicious files or activities hidden within HTTPS traffic may not be detected.
  • Performance: Since the traffic is not decrypted, there is less processing overhead, resulting in better performance.

Scenario 2: HTTPS Inspection Enabled, IPS, Anti-Bot, and Anti-Virus Enabled

  • Functionality: With HTTPS Inspection enabled, the Security Gateway can decrypt HTTPS traffic, allowing the IPS, Anti-Bot, and Anti-Virus blades to inspect the full content of the traffic. This enables comprehensive threat detection and prevention.
  • Impact on Detection: The detection capabilities are significantly enhanced as the blades can analyze the entire content of the traffic, including any malicious files or activities that were previously hidden.
  • Performance: Enabling HTTPS Inspection introduces additional load on the Security Gateway's CPU and RAM due to the decryption and re-encryption processes. However, Check Point's R82 release offers improved performance and simplified deployment for HTTPS Inspection, ensuring minimal impact on user experience.

For optimal security, it is recommended to enable HTTPS Inspection to fully leverage the capabilities of the IPS, Anti-Bot, and Anti-Virus blades. You can find more details on HTTPS Inspection best practices in the Check Point documentation.

If you have any further questions or need assistance with configuration, feel free to ask!

the_rock
Legend

Here is the most logical explanation I can give you. By the way, super VALID question. So say you have all those blades enabled, but no SSL inspection. Yes, it will do its job, but you will miss out, because without SSL inspection, all you will really be able to tell is that, say, someone went to Facebook, but you have no idea what they did while there.

With ssl inspection, you can get all of that data.

HTTPS Inspection means the GW is terminating TLS connections: it decrypts them on the client side and re-encrypts to the server. This allows inspecting the data flow, application behaviour, and content sent through the TLS tunnel with multiple blades: IPS, AVI, AB, etc.

Plus, considering that probably 99% of websites nowadays are HTTPS (just my educated guess), it only makes sense to have HTTPS inspection enabled. Also, with the R81.20 version, I find it works very well, no issues.

Hope that helps.

Andy

the_rock
Legend

@Saranya_0305 Does that sort of make sense? If it's still not clear, let me know; I have a good lab with SSL inspection enabled, so I can show you.

Andy

0 Kudos
Saranya_0305
Participant

@the_rock This makes sense, but it would be helpful to understand it better if you could provide a detailed explanation, possibly with a lab demonstration.

Sai

0 Kudos
the_rock
Legend

I don't have a video on it, sorry, but you can follow the guide below that I made to build your own lab; then you can test anything needed.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929


Or, you can watch the video below from YouTube.

https://www.youtube.com/watch?v=NCvV7-R9ZgU&pp=ygUcY2hlY2sgcG9pbnQgaHR0cHMgaW5zcGVjdGlvbg%3D%3D

0 Kudos
