Inbound HTTPS inspection working partially only?
Hello,
I see the following behaviour:
- HTTPS inspection inbound to a web server --> uploading EICAR AV test file --> prevented: fine
- HTTPS inspection inbound to an Exchange server --> uploading EICAR AV test file (just a mail via web UI) --> not detected
- both have rules with the destination server cert imported, both log as inspected traffic
Any ideas?
That is on 81.10 with IPS/AV/Anti-Bot.
kind regards,
Can you confirm HTTPS Inspection was done on the entire communication?
Also, is Mobile Access Blade involved with Exchange?
Hello,
I tested the less complex scenario via client/browser accessing the Outlook Web App, so only one destination FQDN and IP address (the VIP) is involved.
Mobile Access Blade not involved.
kind regards,
mp2012
Please confirm yes or no that you are using Mobile Access Blade because your answer is unclear on this fact.
Also, you say the VIP is used, does that mean you are using NAT to expose your Exchange server via the Cluster IP?
In the past, we've had EICAR not flagged in specific circumstances:
https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
It might be worth a TAC case.
Hello,
Sorry, I misunderstood. So yes, Mobile Access Blade is enabled and active on this gateway.
The complete communication path is:
external client --> perimeter GW with HTTPS inspection rule --> load balancer VIP reverse proxy --> reverse proxy servers --> load balancer VIP Exchange --> Exchange servers
Maybe going to remove the reverse proxy setup if we're satisfied with the HTTPS decryption setup.
The same setup works on SharePoint, but surprisingly it's blocked as "Trojan.Win32.Mitaka.TC.a".
kind regards,
mp2012
If you're using Mobile Access Blade, HTTPS Inspection isn't relevant as the connection is terminating on the gateway anyway.
It also changes the inspection flow a bit and what blades are supported.
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
AV should be supported, though, which means EICAR should be flagged.
What version/JHF is the gateway?
Hi,
I mean Mobile Access Blade is enabled on this gateway, but not used in this scenario (that's why I mentioned it as "not involved" in my initial post).
GW running 81.10 Take 66.
Ok.
I think your best bet here is to involve the TAC.
Under certain conditions that may not be relevant anymore, EICAR was not flagged as malicious.
I don't think these conditions apply anymore, though, as they are for older versions running Traditional AV.
