https and static NAT in Checkpoint NG R55

[jgarrote]

Hi all,

We want to protect our web server (apache) in a DMZ using static NAT from
Checkpoint NG R55, and SSL connections doesn't not work.

We have created two rules in the CP policy (for http and https protocol)
and two nodes (host) named "svr-WEB-DMZ" and "svr-WEB-Inet". Also we have
configured the Web server and we have created one SSL certificate.

External access to web server using HTTP, works fine, but using HTTPS the
firewall rejects the connection and the following message appears in FW
log: "Illegal LF-CR combination in HTTP header".

Finally we have configured web server without FW protection to test the
apache configuration, with a new SSL certificate, and both connections
(HTTP and HTTPS) works fine, thus we think the problem is the firewall
configuration.

Any suggestions or comments are welcome. Thanks in advance.

Jesus Garrote

[intehnet]

you shouldn't need 2 objects for the one webserver, just one object and define the static nat for it within that object

make sense?

[Lackie]

Verify that the HTTPS service --> Edit --> Advanced --> Protocol Type: --> Is set to ENC-HTTP.

Alternatively verify that SmartDefense --> Application Intelligence --> Web --> General HTTP Worm Catcher is unchecked.

[mkoszler]

Have you tried applying the latest hotfixes to both management and enforcement modules? Had an issue with 500 user licenses whereby they wouldnt NAT with the licenses installed, but worked fine either with no license or an eval.