CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.


Thread: HTTPS inspection bypass not working as expected

#1 HTTPS inspection bypass not working as expected

    Hi Team,

We are running our firewall on Gaia R77.30 with Application & URL Filtering and HTTPS inspection enabled. We have a requirement to install Carbon Black antivirus in our environment in place of McAfee. A little background about Carbon Black: unlike McAfee, there will be no centralized control for Carbon Black where the ePO downloads the update and pushes it to the clients. With Carbon Black, the agent running on every single server will communicate with the cloud for signature updates. Carbon Black does not support HTTPS inspection, and the communication fails if we do not bypass the server. Is there any way to bypass only Carbon Black and inspect the other traffic from the same server?
    I tried the following methods:
    1. Added all the required URLs and applications in the site category.
    Result: When it reaches the URL it shows the following error message: "Client has not installed CA certificate".
    2. Added the Carbon Black public IPs in the Destination column.
    Result: Seems to be working, but not able to collect the public IPs all the time as they are dynamic.

    Need a solution, as we cannot bypass the entire environment from HTTPS inspection.

    Regards,
    Ram T S

#2 Re: HTTPS inspection bypass not working as expected

Have you looked at the cert it's using? Could you match that on an allow for in your HTTPS inspection policy?

#3 Re: HTTPS inspection bypass not working as expected

What SmartCenter and firewall version are you using? R80-family versions have a new form of domain object which doesn't have nearly the performance impact of the old domain objects. Old domain objects would cause the firewall to look up the domain every time a connection hit that rule in the rulebase, and the connection would be suspended until it got a response (or timed out). This, of course, causes an obscene latency hit.

    I gather the new domain objects (I can't remember the actual term involved) are more like dynamic objects with a background lookup process. The firewalls look up the domain regularly and use the responses to populate a dynamic object table. The rule then references that table instead of waiting on a DNS lookup. This gives you the flexibility of matching by domain, but with a performance hit which is immeasurably small under normal circumstances.

    As an aside, this is why I can't stand "cloud" stuff. When your antivirus vendor and virusbiz.bg both run on AWS, it becomes effectively impossible to tell the difference between them. You can't retroactively look up what your AV vendor's domain resolved to last week, so traffic logs become completely worthless as a forensic tool.

    Security vendors should be taking this more seriously. If they can't manage their own infrastructure well enough to have stable public IPs, how could I possibly trust them to manage anything in mine?
    Zimmie

#4 Re: HTTPS inspection bypass not working as expected

Yeah, that's a tough one, as the only way to bypass a self-signed cert (Carbon Black, whoever) in R77.30 is to create an HTTPS bypass like you did for #2. But then you need support for dynamic objects, which doesn't work in R77.30. I hear Palo Alto has MineMeld. :) Or a reason to upgrade to R80.
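To make concrete the background-resolved domain object described in #3 (and the dynamic-object gap #4 points out for R77.30), here is an added model, not Check Point code and not from anyone in this thread: a poller resolves the vendor FQDNs on a schedule, the rule matches only against the populated table so it never blocks on DNS, and every change is timestamped so the "what did that domain resolve to last week" question is answerable from the record. The FQDN, addresses and the stand-in resolver are constructed.

```python
import ipaddress
import time
from dataclasses import dataclass, field


@dataclass
class DomainTable:
    """Model of a background-resolved domain object (assumption: not Check Point's own)."""
    domains: list
    resolver: object                                # callable: fqdn -> iterable of IP strings
    current: dict = field(default_factory=dict)     # fqdn -> set of ip_address
    history: list = field(default_factory=list)     # (timestamp, fqdn, frozenset of str)

    def refresh(self, now=None):
        """Background job: resolve every FQDN; record each change with a timestamp."""
        now = time.time() if now is None else now
        for fqdn in self.domains:
            ips = {ipaddress.ip_address(a) for a in self.resolver(fqdn)}
            if ips != self.current.get(fqdn):
                self.current[fqdn] = ips
                self.history.append((now, fqdn, frozenset(str(a) for a in ips)))

    def match(self, dst):
        """Rule evaluation: consult the table only, never wait on a DNS lookup."""
        addr = ipaddress.ip_address(dst)
        return next((f for f, ips in self.current.items() if addr in ips), None)

    def owners_at(self, dst, ts):
        """Forensics: which FQDNs resolved to dst at time ts, per the recorded history."""
        state = {}
        for when, fqdn, ips in self.history:
            if when <= ts:
                state[fqdn] = ips               # later entries override earlier ones
        return sorted(f for f, ips in state.items() if dst in ips)


def demo():
    # Constructed stand-in for DNS; the vendor FQDN and addresses are made up.
    fake_dns = {"updates.av-vendor.example": ["203.0.113.10", "203.0.113.11"]}
    table = DomainTable(list(fake_dns), lambda f: fake_dns[f])
    table.refresh(now=100)                                      # first poll
    fake_dns["updates.av-vendor.example"] = ["198.51.100.5"]    # cloud IP moves
    table.refresh(now=200)                                      # next poll sees the change
    return table


if __name__ == "__main__":
    t = demo()
    print(t.match("198.51.100.5"), t.owners_at("203.0.113.10", 150))
```

Note that a bypass keyed on this table is only as fresh as the poll interval, so a vendor IP that moves between polls is inspected (and fails) until the next refresh.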
