This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
KM1895
Collaborator
Collaborator
‎2023-09-15 03:36 AM

HTTPS Inspection issues

 

hi,

 

A customer i am assisting, have started testing https inspection. 

As usual, they have only added a few servers for testing purposes in their https inspection policy, but here is where the issue occurs.

 

When they activate it, we see that traffic that isnt included in the rules are still subject to inspection, and so we have had to create a lot of exception rules, that shouldnt have been there.

Why would this happen?

I  have done this several times before, but never seen this issue before.

The inspection is for outbound traffic, and the traffic we have seen beeing stopped is traffic going over vpn to their central datacenter.

The exception fixed this as a workaround, but i am curious as to why we would need to do this in the first place, as the rules doesnt include the traffic being stopped?

 

environment is R81.10.

Labels
0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2023-09-15 08:16 AM

Without seeing the exact rules in question…difficult to say.
I suspect your initial rules were overly broad.
Screenshots of the rules in question would be helpful.

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-09-15 01:29 PM

Sounds like to you tried to use a Service and/or Destination of "Any" in your HTTPS Inspection policy which you should never do, they should be "HTTPS Default Services" and object "Internet" (not All_Internet), respectively.  

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
0 Kudos
KM1895
Collaborator
Collaborator
‎2023-09-18 04:25 AM
In response to Timothy_Hall

hi,

 

Thanks for the input. I went over the rules again, and they are quite limited.

The source is just a few servers, and destination is set to Internet, with the https default services chosen,

So there is no real logic as to why servers not added is subject to https inspection.

 

0 Kudos
Timothy_Hall
MVP Gold
MVP Gold
‎2023-09-18 09:30 AM
In response to KM1895

Check your firewall/cluster topology and make sure it is complete and correct to ensure that the object Internet will match traffic properly in your HTTPS Inspection Policy, mainly:

1) The External interface is properly defined 

2) Note that selecting the "Interface leads to DMZ" checkbox on an interface will cause traffic heading for that interface to match object Internet as well, even though that interface's topology is defined as Internal

3) Make sure all interfaces are present in the defined topology, including all VLAN tag subinterfaces in use.  Traffic heading to interfaces missing from the topology definition will match object Internet as well.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
the_rock
MVP Platinum
MVP Platinum
‎2023-09-18 09:47 AM

Happy to assist via remote if you are able to. I have lots of experience with https inspection, as I had spent probably close to 200 hours or more troubleshooting it in the last 3 years or so.

You can always message me directly.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events