CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.



Thread: SSL certificates - how to stop Check Point responding to SSL

  1. #1 (joined 2006-10-06)

    SSL certificates - how to stop Check Point responding to SSL

    Hi, I am trying to troubleshoot an SSL problem with a https server in our DMZ, behind a Check Point SPLAT R75.20 gateway. The problem is that clients seem to be receiving a certificate from Check Point, not from the web server.
    In order to troubleshoot, I have been trying to prevent the Check Point box listening on TCP 443 at all. The WebUI is already on port 8443. I have disabled Visitor Mode. In the WebUI I have restricted Web and SSH Clients to a couple of internal networks only. And I have disabled any rules in the firewall that allow incoming port 443 to any of our servers.
    But still, when I do a certificate test of the external address of our web server, for example using the tool at SSL Certificate Tester - Check Certificates, it still gets a certificate, from the Check Point box. I look in SmartView Tracker, and I see the 443 connection being allowed under Implied Rules 0.
    I have looked in Implied Rules and nervously disabled Accept Web and SSH connections and applied the policy, but it doesn't make any difference.

    It's like there's no way to stop the gateway responding on 443?

  2. #2 (joined 2007-06-04)

    Re: SSL certificates - how to stop Check Point responding to SSL

    I take it that you are NATting the Web Server behind the External IP of the Firewall?

    I would take a look at the box and ensure that HTTPS Inspection is not enabled on the box.
    That is a new R75.20 feature.

    That feature intercepts all https traffic through the firewall and gives a certificate from the firewall to the client.

  3. #3 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Thanks. Correct, I am NATting from a secondary external IP address into the web server.
    I will take a look at the HTTPS Inspection feature.

  4. #4 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    OK, HTTPS Inspection has not been enabled on the gateway, so I guess it isn't that?

  5. #5 (joined 2009-04-30, Colorado, USA)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Are you using any of the Legacy Authentication methods (User/Session/Client) in your policy? I've seen some strange interaction between the legacy authentication methods and some of the new features in R75 such as Identity Awareness. Also R75.30 contains a very large number of fixes (with no new features added). There does not appear to be a fix directly relevant to your issue but R75.30 might be worth a shot.

    Also your problem sounds somewhat similar to this:

    [FW-1] Odd http requests after upgrade to R75.20

  6. #6 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Thanks.

    Just running Wireshark on the web server, I am seeing traffic coming from the client outside, but strangely the destination port is 444 rather than 443. The gateway is seeing the 443 stuff from the client, so something odd is happening between there and when it reaches the web server.

  7. #7 (joined 2005-08-14, Gig Harbor, WA, USA)

    There is a feature added in R75.20 called Multiportal that causes this behavior. A number of things actually use port 443 on the local security gateway: WebUI, VPN clients, and Mobile Access Blade (among others). This is being done in the kernel and, as I recall, cannot be disabled without disabling all features that might use port 443 (and changing the port used for WebUI in SmartDashboard).

    As I recall, the plan is to provide some additional control over this feature in an upcoming release.
    http://phoneboy.org
    Unless otherwise noted, views expressed are my own

  8. #8 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    I see. It doesn't seem like an unusual situation at all, to have an https server behind the gateway. If I understand you, that is not possible with R75.20 (except for kludges like using a different port number)? It worked fine on R65.

    Last edited by hammop1; 2012-01-25 at 12:21.

  9. #9 (joined 2011-06-21)

    Re: SSL certificates - how to stop Check Point responding to SSL

    You could try this: sk66030

  10. #10 (joined 2008-05-27)

    Re: SSL certificates - how to stop Check Point responding to SSL

    I posted on this recently (Right now it's the thread under this one..) and I'm struggling with the same thing.

    After the R75 update I can't get the gateways to stop responding on 443. I've tried the recommendation in sk66030 which sounds exactly like what's going on but it does NOT help the situation at all. I've moved the SPLAT Admin portal back to 4434, ensured that the Mobile Access blade is not enabled, etc.. If I do a netstat -a |grep 443 on these boxes, I don't see anything listening on 443 but it still accepts the connection and presents a certificate to whatever is making the request.

    I don't like this behavior - I should be able to control everything on the security gateway and this seems like it's one of those things I just can't, or it should be easier to "turn off" this behavior.

  11. #11 (joined 2006-03-19, Northern Ohio)

    Re: SSL certificates - how to stop Check Point responding to SSL

    I don't have access to the article. Is it about modifying implied_rules.def on the SmartCenter to comment out the directive and installing a policy? I don't remember the exact directive name but it had HTTP or HTTPS and REDIRECT in it.

    Ray

  12. #12 (joined 2005-08-14, Gig Harbor, WA, USA)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Now that I'm home and can look this up...

    Edit $FWDIR/lib/implied_rules.def on the Security Management Server. Find this line: #define ENABLE_PORTAL_HTTP_REDIRECT and comment it out. After the change should look like:

    /* #define ENABLE_PORTAL_HTTP_REDIRECT */

    Reinstall the Security Policy.

    As I said (and can confirm now) this should be addressed in a future release.


  13. #13 (joined 2006-03-19, Northern Ohio)

    Re: SSL certificates - how to stop Check Point responding to SSL

    SET RANT MODE ON

    This issue really set me off on my R75.20 upgrade because it would have caused us to fail a pen test. The problem is that the certificate is signed with a common name that is an IP address and it's the IP address of the management interface.

    Now I have to remember to undo it before any patches or upgrades because the manually updated .def file might cause issues when they are not updated.

    Are they also going to fix the fact that there is no implied rule in the GUI that shows this open port exists? That was the biggest surprise; that I cannot rely on the GUI to tell me what ports are open.

    And that some implied rules show LONDON GATEWAY when there is no such object in my rulebase?

    SET RANT MODE OFF

    Someone there is getting very sloppy for these issues, particularly LONDON GATEWAY, to have gotten through development, test and QA.

    Ray

  14. #14 (joined 2005-08-14, Gig Harbor, WA, USA)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Quote Originally Posted by RayPesek View Post
    This issue really set me off on my R75.20 upgrade because it would have caused us to fail a pen test. The problem is that the certificate is signed with a common name that is an IP address and it's the IP address of the management interface.
    This is the most common complaint I've heard about the Multiportal feature.

    The rationale behind the feature is reasonable, i.e. let multiple things use the port depending on the circumstances. This (overall) minimizes the number of ports you need to keep open to support the various features and is thought to be relatively safe.

    You can either disable or set various portals to use only the internal interface today (e.g. WebUI, Mobile Access Blade, User Check, DLP) as well as change WebUI to a different port (note this has been moved into SmartDashboard). The problem is that even if you do that, Multiportal will still be active unless you do the implied_rules.def hack.

    A future version will eliminate the need to do the implied_rules.def hack so that either disabling the various portals or setting them to only internal interfaces will not cause the gateway to answer queries on port 443. Not so sure about how it will show up in the implied rules...
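    The thread's two complaints are that the gateway answers on 443 with its own certificate and that its CN is a bare IP address. The script below is an added example, not code from the thread or from Check Point: after applying either workaround (the implied_rules.def edit or the local.arp fix), it fetches the certificate a client receives on the web server's public name and reports whether it is the DMZ server's or the gateway's. It assumes the openssl command-line tool is on PATH (1.1.1 or later for -ext); the two certificate texts at the bottom are constructed samples, www.example.com is a placeholder hostname, and 192.0.2.1 is a documentation address standing in for the management interface.

```python
import ipaddress
import re
import subprocess
import sys

def openssl_cert_text(host, port=443, timeout=10):
    """Fetch the certificate presented at host:port via the openssl CLI
    (assumed on PATH, 1.1.1+) and return its subject and SAN as text."""
    chain = subprocess.run(
        ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host],
        input=b"", capture_output=True, timeout=timeout).stdout
    return subprocess.run(
        ["openssl", "x509", "-noout", "-subject", "-ext", "subjectAltName"],
        input=chain, capture_output=True, timeout=timeout).stdout.decode()

def cert_names(text):
    """(subject CN, [SAN entries]) from the openssl x509 text; accepts both
    the 'subject=CN = x' and the older 'subject= /CN=x' layouts."""
    cn = re.search(r"CN\s*=\s*([^,/\n]+)", text)
    sans = re.findall(r"(?:DNS|IP Address):([^,\s]+)", text)
    return (cn.group(1).strip() if cn else None), sans

def check_presented_cert(text, expected_host):
    """Return (ok, reason): ok only when the certificate names the expected
    web server. A bare IP address as CN is the tell-tale of the gateway's
    own Multiportal certificate complained about in this thread."""
    cn, sans = cert_names(text)
    names = {n.lower() for n in ([cn] if cn else []) + sans}
    if expected_host.lower() in names:
        return True, f"certificate names {expected_host}"
    try:
        ipaddress.ip_address(cn or "")  # ValueError unless CN is an IP
        return False, f"CN is the bare address {cn}: looks like the gateway's certificate"
    except ValueError:
        return False, f"certificate names {sorted(names) or 'nothing'}, not {expected_host}"

# Constructed sample outputs, not captured from a real gateway; 192.0.2.1 is a
# documentation address standing in for the gateway's management interface.
GATEWAY_SAMPLE = "subject=CN = 192.0.2.1\n"
SERVER_SAMPLE = ("subject=C = GB, O = Example, CN = www.example.com\n"
                 "X509v3 Subject Alternative Name: \n"
                 "    DNS:www.example.com, DNS:example.com\n")

if __name__ == "__main__":
    # With a hostname argument: live check via openssl; without: the two samples.
    host = sys.argv[1] if len(sys.argv) > 1 else None
    for text in ([openssl_cert_text(host)] if host else [GATEWAY_SAMPLE, SERVER_SAMPLE]):
        print(check_presented_cert(text, host or "www.example.com"))
```

Run it from outside the perimeter (a client on the Internet side), because the thread shows the interception happens on the external address, not inside the DMZ.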

  15. #15 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Thanks for the further suggestions.

    I am being told that all I need to do is remove the explicit secondary IP address definition from my external interface, revert to automatic NAT for the HTTPS server in the DMZ, and leave it up to the gateway to do the proxy ARP magic (and wait for the upstream router to refresh its ARP cache). This is how it was configured before, on R65, but when I did the upgrade it stopped working. So I tried configuring the secondary external address, along with some manual NAT rules. It seemed to fix the problem at first, but apparently it was the wrong thing to do. With the explicit secondary IP address, an R75.20 gateway intercepts the 443 traffic as if it were its own.

    I won't be able to test and confirm this theory until next week, though.

  16. #16 (joined 2006-03-19, Northern Ohio)

    Re: SSL certificates - how to stop Check Point responding to SSL

    I don't think it's going to buy you a thing. We've never used secondary addresses and use automatic NAT only. We also had none of the portals enabled on R70 yet when we did the upgrade to R75.20, there it was.

    A posting on the CP forum did note there was some kind of problem with SmartConsole that could also cause this, but no elaboration was given.

    Ray

  17. #17 (joined 2008-05-27)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Quote Originally Posted by PhoneBoy View Post
    Now that I'm home and can look this up...

    Edit $FWDIR/lib/implied_rules.def on the Security Management Server. Find this line: #define ENABLE_PORTAL_HTTP_REDIRECT and comment it out. After the change should look like:

    /* #define ENABLE_PORTAL_HTTP_REDIRECT */

    Reinstall the Security Policy.

    As I said (and can confirm now) this should be addressed in a future release.

    I can confirm that this worked for me on R70.30. Am I happy that this is resolved for the time being? Yes. Am I happy I had to jump through these hoops? Not at all.

  18. #18 (joined 2006-10-06)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Update:

    Removing the explicit secondary IP address definition from my external interface and reverting to automatic NAT did not fix the problem, at least not by itself.

    However, I found that disabling Automatic ARP Configuration in Global Properties/NAT, manually creating the file $FWDIR/conf/local.arp with the line
    <IP address> <MAC address>
    and then rebooting did resolve the problem.

    I didn't have to modify implied_rules.def .

    (credit to Add proxy arp on Checkpoint SPLAT | robertomurray.co.uk for this solution).

    It seems to me that Automatic ARP Configuration simply doesn't work under SPLAT? (before upgrade, this box was not running SPLAT, and Auto ARP worked fine).

  19. #19 (joined 2006-03-19, Northern Ohio)

    Re: SSL certificates - how to stop Check Point responding to SSL

    Maybe you just worked around the same problem in a different way. Remember that Hide NAT applies to every interface on a Check Point firewall, which can lead to some interesting problems by itself. Maybe you just broke the NAT connection between the interface with the certificate and the others.

    Automatic ARP seems fine. I've never had it fail on SPLAT. We switched from IPSO to SPLAT starting with R65 when our Nokia boxes were too old.

    I have precisely one local.arp entry for an oddball requirement. We use Tripwire Enterprise to monitor the running-config and startup-config settings on the Internet routers, the ones between the firewalls and the ISP. Because we have multiple Internet connections on multiple ISPs but only one Tripwire server, we needed to give the Tripwire server multiple public IP addresses, one on each ISP's subnet.

    Automatic ARP can't handle setting multiple public IP addresses for a single host on different subnets on different firewalls. So I use a local.arp entry on each firewall to set up its Tripwire public IP address. Only one firewall uses the Automatic NAT setting.

    I don't have access to the firewalls right now but it does not take a reboot for the local.arp setting to take effect. You do have to check a box about merging local.arp with automatic NAT or something. Once you check that box, a policy installation makes it work.

    Ray
    Last edited by RayPesek; 2012-02-04 at 12:03.
