In This Section: |
Check Point Data Loss Prevention is a Software Blade. It needs connectivity to a Security Management Server and a SmartDashboard. A Check Point gateway or a DLP-1 appliance is necessary for DLP.
In a dedicated DLP gateway deployment, Check Point recommends that you have a protecting Security Gateway in front of the DLP gateway.
The environment must include a DNS.
Important - Before installing DLP, we recommend that you review the requirements and supported platforms for DLP in the R77 Release Notes. |
For instructions on how to install and do the initial configuration of the DLP gateway, see the R77 Installation and Upgrade Guide.
The DLP Software Blade has a 30 day trial license.
To activate the trial license:
During the trial period, when you install a policy on the DLP gateway, a warning message shows how many days remain until the trial license expires.
After the trial period, you must install a full DLP Software Blade license. If you do not, the DLP Software Blade stops working, and a policy cannot be installed on the DLP gateway. You must unselect the DLP Software Blade, and then you can install a policy on the gateway.
You can use the SmartDashboard toolbar to do these actions:
Icon |
Description |
---|---|
Open the SmartDashboard menu. When instructed to select menu options, click this button to show the menu. For example, if you are instructed to select Manage > Users and Administrators, click this button to open the Manage menu and then select the Users and Administrators option. |
|
Save current policy and all system objects. |
|
Open a policy package, which is a collection of Policies saved together with the same name. |
|
Refresh policy from the Security Management Server. |
|
Open the Database Revision Control window. |
|
Change global properties. |
|
Verify Rule Base consistency. |
|
Install the policy on Security Gateways or VSX Gateways. |
|
Open SmartConsole. |
You can enable the DLP Software Blade as one of the Software Blades on a Security Gateway. This is known as an integrated DLP deployment. In R75 and higher, you can also enable a DLP Software Blade on a ClusterXL in High Availability mode or Full High Availability mode on a UTM-1 appliance or 2012 Appliance models. In a dedicated DLP gateway, the Data Loss Prevention Software Blade is enabled on a gateway (or a ClusterXL Security Cluster) and no other Network Security Software Blade is enabled.
Note - The DLP Software Blade (as a dedicated gateway or in an integrated Security Gateway) can work as part of a ClusterXL Load Sharing cluster only when the policy contains DLP rules that use the Detect, Inform, or Prevent actions. The Ask DLP action is not supported for ClusterXL Load Sharing. |
In version R75.20 and higher, you can also configure a ClusterXL High Availability cluster of dedicated DLP-1 appliances.
Important - A dedicated DLP gateway does not enforce the Firewall Policy, Stateful Inspection, anti-spoofing or NAT. Check Point recommends that you place it behind a protecting Security Gateway or firewall. |
In a DLP gateway cluster, synchronization happens every two minutes. Therefore, if there is a failover, the new active member may not be aware of DLP incidents that happened in the two minutes since the failover.
To configure a DLP-1 appliance, see the DLP-1 Getting Started Guide.
In an integrated deployment you can:
To enable DLP on an existing Security Gateway or cluster:
In the ClusterXL page, select High Availability New mode or Load Sharing. Note that you can use Load Sharing if the DLP rules use the Detect, Prevent, or Inform actions.
Note - On a Security Cluster, this enables the DLP blade on every cluster member. |
The Data Loss Prevention Wizard opens.
To configure a new DLP gateway or Security Cluster:
Make sure the selections comply with the platform requirements for your deployment in the R77 Release Notes.
Note - On a Security Cluster, this enables the DLP blade on every cluster member. |
The Data Loss Prevention Wizard opens.
These are the configuration options in a dedicated deployment environment:
To configure a dedicated DLP gateway on an existing Security Gateway or Security Cluster:
When you clear the Firewall Software Blade, a warning message shows.
You are about to turn off the Firewall blade, with only the DLP blade left on.
Therefore, this Security Gateway will not enforce the security policy.
It is recommended to place this Security Gateway behind a firewall.
Are you sure you want to continue?
To configure a dedicated DLP gateway or cluster on a locally managed DLP-1 appliance:
For a locally managed gateway, the Data Loss Prevention Wizard opens.
For a locally managed cluster, the DLP-1 Cluster Wizard opens.
To configure a dedicated DLP gateway or cluster on a centrally managed DLP-1 appliance:
Before you define a DLP Security Cluster:
Use the Security Cluster wizard in SmartDashboard to create a cluster for two DLP-1 gateways. With the wizard you set the name of the cluster object, the name and IP address of the secondary cluster member and configure the topology for the gateways' interfaces.
There is a Cluster Topology page for each of the network interfaces that have been configured for the cluster members. In this page you define whether a network interface participates in the cluster. If the interface is part of the cluster, you must define a virtual IP address for the cluster. This IP address is visible to the network and makes sure that failover events are transparent to all hosts in the network. If the interface is not part of the cluster, the interface is a not-monitored private interface.
To configure a locally managed DLP-1 Security Cluster:
The Security Cluster wizard opens.
The Cluster General Properties page opens.
The Cluster Secondary Member page opens.
The Cluster Topology page opens.
The Data Loss Prevention Wizard opens.
If the Mail Server is a Microsoft Exchange server, set the Exchange server to be an SMTP Relay for this newly created DLP gateway.
After you complete the wizard for a DLP gateway of any platform, enable the Software Blade and Install Policy.
DLP by default scans traffic from internal networks to external networks, so you must properly define the DLP gateway interfaces as internal or external. You can do this when you define My Organization in the Data Loss Prevention tab of SmartDashboard.
On a dedicated DLP gateway, only the DLP Policy is installed. This is not a security policy. Make sure you have another Security Gateway in the environment to enforce the Security Policy.
When setting up a dedicated DLP gateway, Check Point recommends that you configure the DLP gateway as a bridge, so that the DLP gateway is transparent to network routing.
You can deploy DLP in bridge mode, with the requirements described in this section for routing, IP address, and VLAN trunks.
Note the current limitations:
There must be routes between the DLP gateway and the required servers:
There must be a default route. If this is not a valid route, it must reach a server that answers ARP requests.
If UserCheck is enabled, configure routing between the DLP gateway and the network.
The bridge interface can be configured without an IP address, if another interface is configured on the gateway that will be used to reach the UserCheck client and the DLP Portal.
If you do add an IP address to the bridge interface after the Security Gateways are started, run the
and cpstop
commands to apply the change.cpstart
You can configure the DLP gateway to access a Microsoft Active Directory or LDAP server to:
If you run the wizard from a computer in the Active Directory domain, the Data Loss Prevention Wizard will ask for your Active Directory credentials to create the LDAP account unit automatically. You can run the wizard again from a computer in the Active Directory domain to create the LDAP account unit.
To configure DLP to use Active Directory LDAP:
You are not required to enter credentials with administrator privileges. We recommend that you create an Active Directory account that is dedicated for use by Check Point products to connect to Active Directory.
If you have multiple Active Directory servers:
The DLP Wizard asks for Active Directory credentials only if no LDAP account unit exists. If you already have an LDAP account unit, the wizard does not ask for your credentials. To create the LDAP account unit from the DLP Wizard, delete the existing LDAP account unit and run the wizard again.
Note - If you configure the LDAP Account Unit manually, with the username and password authentication method, you must set the Default Authentication Scheme to Check Point Password. |
If you need more LDAP account units, you can create the LDAP account unit manually. See the R77 Security Management Administration Guide.
If you run the DLP Wizard from a computer that is not part of the Active Directory domain, you can run it again from a computer in the Active Directory domain to create the LDAP account unit.
To run the Data Loss Prevention Wizard again:
The Data Loss Prevention Wizard starts.
You can use a Web Proxy server or servers for HTTP and HTTPS traffic. If you want the DLP gateway to scan this traffic, you must configure the DLP gateway.
Note - You can enable HTTPS Inspection on the gateway to scan HTTPS connections. |
Use these procedures if the proxy or proxies are between the DLP gateway and the Internet, or in a DMZ. If a proxy is in a DMZ, we recommend that you use the DLP gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.
Configuring an R75 or higher DLP Gateway for Web Proxies
If you have one Web proxy server between the DLP gateway and the Internet, use either Procedure 1 or Procedure 2.
If you have more than one proxy between the DLP gateway and the Internet, use Procedure 2.
If you configure both Procedure 1 and Procedure 2, the DLP gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.
Procedure 1
DLP only scans traffic to the specified web proxy.
Procedure 2
Configuring a Pre-R75 DLP Gateway for a Web Proxy
For a pre-R75 DLP gateway, if you have one Web proxy between the DLP gateway and the Internet, use Procedure 1.
If you have more than one Web proxy, put the DLP gateway between the proxies and the Internet.
If the DLP gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.
Configuring the DLP Gateway for an Internal Web Proxy
Configuring the Proxy Server to Allow UserCheck Notifications
If the DLP gateway is between the Web proxy server or servers and the Internet, all packets through the DLP gateway have the source IP address of the proxy server. Therefore, the DLP gateway cannot know the real IP address of the client that opens the original connection to the proxy server. This means that the DLP gateway cannot identify the user, and therefore cannot:
To make it possible for the DLP gateway to identify the user, you must configure the proxy server to reveal the IP address of the client. The proxy server does this by adding the
header to the HTTP header. For details, see the proxy server vendor documentation.x-forwarded-for
For a Security Management server that is upgraded from R70 and lower, traffic that passes through a DLP gateway to a web proxy server contains the gateway's IP as the source address instead of the original client IP address. For new installations and for installations that were upgraded from R71, the original client IP address is used.
If the traffic that contains the gateway's IP as source address reaches another Security Gateway which either logs traffic or enforces access based on identity, the source IP address does not represent the user's IP address.
To use the client's IP address as source address for the traffic leaving the DLP gateway:
C:\Program Files\CheckPoint\SmartConsole\R77\PROGRAM\GuiDBedit.exe
http_unfold_proxy_conns
attribute to true
.DLP rules have different action settings.
Action |
Description |
---|---|
Detect |
The data transmission event is logged in SmartView Tracker. Administrators with permission can view the data that was sent. The traffic is passed. |
Inform User |
The transmission is passed, but the incident is logged and the user is notified. |
Ask User |
The transmission is held until the user verifies that it should be sent. A notification, usually with a remediation link to the Self Incident Handling portal, is sent to the user. The user decides whether the transmission should be completed or not. The decision is logged and can be viewed under the User Response category in a SmartView Tracker log entry. Administrators that have full permissions or the View/Release/Discard DLP messages permission can also decide if to send or discard the message. |
Prevent |
The data transmission is blocked. |
Watermark |
Tracks outgoing Microsoft Office documents (Word, Excel, or PowerPoint files from Office 2007 and higher) by adding visible watermarks or invisible encrypted text. |
When you set Data Owners to be notified, a mail server becomes a required component of the DLP system.
The DLP gateway sends mail notifications to users and Data Owners, therefore it is necessary for the gateway to access the mail server as a client.
Important -
|
Configuring the Mail Relay for Anonymous SMTP Connections
Configure the mail server without authentication in the Data Loss Prevention Wizard. Alternatively:
Configure the mail relay to accept anonymous connections from the DLP gateway. For details, consult the vendor documentation. For example, on Microsoft Exchange Servers, configure the permissions of the default receive connector (or other relevant connector that handles SMTP traffic) for anonymous users.
Configuring the Mail Server object for Authenticated SMTP Connections
Configure the mail server with authentication in the Data Loss Prevention Wizard. Alternatively:
In the Data Loss Prevention tab, expand Additional Settings and select Mail Server.
If the mail server does not exist, create it.
Configure the mail server to accept authenticated connections from the DLP gateway. For details, consult the vendor documentation. For example, on Microsoft Exchange Servers, configure the default receive connector (or other relevant connector that handles SMTP traffic) for basic authentication.
A specific configuration is required for a dedicated DLP gateway if these are all true:
If this is true, configure the DLP gateway to recognize the mail server as internal to My Organization and the relay in the DMZ as external.
To configure the DLP and Relay in the DMZ:
The Networks and Hosts window opens.
If the Internal Mail Server is already defined as a Check Point network object, select it from the list.
Otherwise, click New and define it as a Host.
In the recommended deployment of a DLP gateway with a mail relay, the DLP gateway scans emails once, as they are sent from an internal mail server (such as Microsoft Exchange) (1) to a mail relay in the DMZ (2). Make sure that the DLP gateway does not scan emails as they pass from the mail relay to the target mail server in the Internet.
If you can deploy the internal mail relay behind a DMZ interface of the DLP gateway:
In the Topology page of the DLP gateway object, define the gateway interface that leads to the internal mail server as Internal.
In the Topology page of the DLP gateway object, define the gateway interface that leads to the Mail relay as Internal and also as Interface leads to DMZ.
If you cannot deploy the internal mail relay behind a DMZ interface of the DLP gateway:
If the DLP gateway interface leading to the internal mail relay is internal, and you cannot deploy the internal mail relay behind a DMZ interface of the DLP gateway:
A non-recommended deployment is to have the DLP gateway scan emails as they are sent from an internal mail relay that is in My Organization to the target mail server in the Internet. In this deployment, the DLP gateway communicates with the target mail servers on behalf of the mail relay. If the target mail server does not respond, some mail relays (such Mcafee IronMail, postfix 2.0 or earlier and qmail) will not try the next DNS MX record, and so will not try to resend the email to another SMTP mail server in the same domain.
Why Some Mail Relays Will Not Resend Emails
If the mail relay does not succeed in sending an email because the target mail server does not respond, the mail relay resends the email to another SMTP server in the same domain. The relay does this by sending the mail to the next DNS MX record.
Most mail relays try the next MX record if the target is unreachable, or if the target server returns a 4xx SMTP error. However, other mail relays (such as Mcafee IronMail, postfix 2.0 or earlier and qmail) do not try the next MX if the target server returns a 4xx error. They will therefore not send the email.
In these deployments, the DLP gateway communicates with mail servers in the internet on behalf of the mail relay. If the target mail server does not respond, the DLP gateway sends a 4xx response to the mail relay in behalf of the mail server. Therefore, if your mail relay does not try the next MX when the target server returns a 4xx error, the email will not be sent.
Workarounds for the Non-Recommended Deployments
If Outlook does not trust the mail relay server, it fails to correctly render the Send and Discard buttons in the violation notification email. The buttons render correctly only after the mail relay is trusted and a new email sent.
To avoid this issue, instruct users to add the mail relay address to Outlook's safe senders list.
TLS-encrypted SMTP connections are not scanned by the DLP Software Blade. If an Exchange Server uses TLS to encrypt emails, you can use the Exchange Security Agent to inspect them.
In version R75 and higher, DLP incident data is stored on the remote log server or Security Management Server that stores the DLP gateway logs. DLP incidents are only stored permanently (that is, until they expire) on the DLP gateway if no log server or Security Management Server is configured for the DLP gateway.
Incidents are stored at
.$FWDIR\log\blob
Because DLP incident data is stored on the log server, Check Point recommends that you tune your log server disk management setting for DLP incidents.
To configure disk management for DLP incidents:
This setting applies to DLP incidents and logs, and to all other logs. The default setting is 45 MBytes or 15%. When the free disk space becomes less than this limit, old DLP incidents and logs, and other logs are deleted to free up disk space.
C:\Program Files\CheckPoint\SmartConsole\R77\PROGRAM\GuiDBedit.exe
Field Name |
Description |
Default value |
---|---|---|
|
The maximum % of disk space that incidents are allowed to occupy. |
20% |
|
Whether or not to delete incidents if the incidents take up more disk space than
|
|
|
Whether or not to run a script before deleting incidents. For example, to copy the logs to a different computer before they are deleted.
|
|
Internal emails between Microsoft Exchange clients use a proprietary protocol for Exchange communication. This protocol is not supported by the DLP gateway. To scan internal emails between Microsoft Exchange clients, you must install an Exchange Security Agent on the Exchange Server. The agent sends emails to the DLP gateway for inspection using the SMTP protocol encrypted with TLS. This requires connectivity between the Exchange server and the DLP gateway.
An Exchange Security Agent must be installed on each Exchange Server that passes traffic to the DLP gateway. Each agent is centrally managed through SmartDashboard and can only send emails to one DLP gateway.
If your organization uses Exchange servers for all of its emails, you can also use this setup for scanning all emails.
To use the Exchange Security Agent it is necessary to configure settings in SmartDashboard and on the Exchange server.
For more about using the Exchange Security Agent to examine internal emails, see some scenarios.
SmartDashboard configuration includes:
To define the Exchange Security Agent:
The Check Point Exchange Agent wizard opens.
Use the General page to enter information for the Exchange Security Agent.
Click Next.
Use the Trusted Communication page to enter the one-time password used to initialize SIC (Secure Internal Communication) between the Exchange Security Agent and the enforcing DLP gateway. This step creates a security certificate that is then used by the Exchange Security Agent.
Click Next.
Use the Inspection Scope window to define which emails to send for inspection. You can select all users or only specified users or user groups. It is recommended to start with specified users or user groups before inspecting all emails.
Note - You can define users or groups for whom emails will not be sent for inspection in an Exceptions list. You can also set a percentage of emails to inspect for the rest of the organization. This lets you gradually increase the inspection coverage of your organization's emails. To define these options, edit the Exchange Security Agent in SmartDashboard and open the Inspection Scope page. |
Click Next.
The Exchange Agent Wizard is Completed window opens.
The next steps include:
To install the Exchange Security Agent:
After the Exchange Security Agent has been installed on the Exchange server, you can:
There are two possible communication states:
To initialize trusted communication:
The Trusted Communication window opens.
The Exchange Security Agent runs as an extension of the Microsoft Exchange Transport service. When you start or stop the agent. Each time you start or stop the agent, you restart the Microsoft Exchange Transport service.
After you click Start, messages are sent to the Security Gateway for DLP inspection. The messages sent are based on the users or groups defined for inspection.
To start the Exchange Security Agent:
The Statistics page in the Exchange Security Agent shows performance statistics and the number of emails it handles and sends to the Security Gateway.
The graph you see in the window is the Windows Performance Monitor graph. It shows some of the Windows counters plus the CPExchangeAgent counters. Alternatively, you can use the Windows Performance Monitor and add the CPExchangeAgent counters.
Statistics shown:
In the Message Tracking window you can see logs for each message that goes through the Exchange Security Agent. You can do a search on all of the fields in the log and refresh the log.
You can see these values in the Event Id column:
This table describes the possible reasons for each of the event IDs.
Event ID |
Reason |
---|---|
Receive |
Empty - indicates that the message is being handled by the Exchange Security Agent |
Release |
Tap mode - when all of the rules in the Rule Base are detect or inform, the Exchange Security Agent automatically sends the message to its destination. The agent does not receive a response from the Security Gateway |
Scanned by gateway |
|
Timeout |
|
Drop |
Dropped by gateway - after Security Gateway inspection the message matched an ask or prevent rule |
Bypass
|
DLP scanning is disabled - when DLP inspection is not enabled on the Security Gateway |
Fail open active - if one of the bypass settings in the Advanced window is matched |
|
Message is too big |
|
Incoming message scanning is disabled |
|
Internal message scanning is disabled |
|
Incoming message scanning from other domains is disabled |
|
Sender is included in the Inspection Scope exceptions |
|
Sender is not included in Inspection Scope settings |
In the Advanced window you can configure log parameters and when not to send emails to the Security Gateway for DLP inspection.
The available options:
Email inspection is bypassed in these situations:
In Mirror Port Mode, the DLP gateway scans SMTP and HTTP traffic for possible violations. The DLP gateway connects to the SPAN port of a switch and monitors traffic without enforcing a policy. Mirror Port Mode lets you run a full data leak assessment of all outgoing SMTP/HTTP traffic with minimal deployment risk.
When the DLP Security Gateway is connected to a SPAN port of the switch, the gateway gets a copy of all packets passing through the switch. The DLP tap mechanism builds TCP streams of SMTP and HTTP traffic. These streams are scanned by the DLP engine for possible violations of the policy.
Before enabling Mirror Port Mode scanning, you must prepare the gateway.
Monitor Mode lets the gateway listen to traffic from a Mirror port or Span port on a switch. To configure Monitor Mode on the Gaia operating system, see: sk70900.
Note - For R77.10 and higher, Mirror Port Mode scanning is enabled by default when one of the interfaces is configured as monitor mode or tap. For R77 and below, you must manually enable mirror port mode.
To enable Mirror Port Mode (for R77 and below):
Use the
command.dlp_smtp_mirror_port
Description |
Enables SMTP Mirror Port Mode |
|||||||||
Syntax |
|
|||||||||
Parameters |
|
|
||||||||
Example |
|
|||||||||
Output |
|
|
||||||||
Comments |
SMTP mirror mode remains enabled after a gateway reboot. |
You can enable HTTPS traffic inspection on Security Gateways to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. SSL secures communication between internet browser clients and web servers. It supplies data privacy and integrity by encrypting the traffic, based on standard encryption ciphers.
However, SSL has a potential security gap. It can hide illegal user activity and malicious traffic from the content inspection of Security Gateways. One example of a threat is when an employee uses HTTPS (SSL based) to connect from the corporate network to internet web servers. Security Gateways without HTTPS Inspection are unaware of the content passed through the SSL encrypted tunnel. This makes the company vulnerable to security attacks and sensitive data leakage.
The SSL protocol is widely implemented in public resources that include: banking, web mail, user forums, and corporate web resources.
There are two types of HTTPS inspection:
The Security Gateway acts as an intermediary between the client computer and the secure web site. The Security Gateway behaves as the client with the server and as the server with the client using certificates.
To optimize performance, inbound HTTPS traffic is inspected only if the policy has rules for HTTPS. For example, if the IPS profile does not have HTTP/HTTPS-related protections activated, HTTPS Inspection is not started.
All data is kept private in HTTPS Inspection logs. This is controlled by administrator permissions. Only administrators with HTTPS Inspection permissions can see all the fields in a log. Without these permissions, some data is hidden.
In outbound HTTPS inspection, when a client in the organization initiates an HTTPS connection to a secure site, the Security Gateway:
In inbound HTTPS inspection, when a client outside of the organization initiates an HTTPS connection to a server behind the organization's gateway, the Security Gateway:
To enable outbound HTTPS traffic inspection, you must do these steps:
When required, you can update the trusted CA list in the Security Gateway.
You must enable HTTPS inspection on each Security Gateway. From Security Gateway > HTTPS Inspection > Step 3, select Enable HTTPS Inspection.
The first time you enable HTTPS inspection on one of the Security Gateways, you must create an outbound CA certificate for HTTPS inspection or import a CA certificate already deployed in your organization. This outbound certificate is used by all Security Gateways managed on the Security Management Server.
The outbound CA certificate is saved with a P12 file extension and uses a password to encrypt the private key of the file. The Security Gateways use this password to sign certificates for the sites accessed. You must keep the password as it also used by other Security Management Servers that import the CA certificate to decrypt the file.
After you create an outbound CA certificate, you must export it so it can be distributed to clients. If you do not deploy the generated outbound CA certificate on clients, users will receive SSL error messages in their browsers when connecting to HTTPS sites. You can configure a troubleshooting option that logs such connections.
After you create the outbound CA certificate, a certificate object named Outbound Certificate is created. Use this in rules that inspect outbound HTTPS traffic in the HTTPS inspection Rule Base.
To create an outbound CA certificate:
The Gateway Properties window opens.
If you use more than one Security Management Server in your organization, you must first export the CA certificate with the
CLI command from the Security Management Server on which it was created before you can import it to other Security Management Servers.export_https_cert
Command syntax:
export_https_cert [-local] | [-s server] [-f certificate file name under FWDIR/tmp][-help]
To export the CA certificate:
On the Security Management Server, run this command:
$FWDIR/bin/export_https_cert -local -f [certificate file name under FWDIR/tmp]
Example
$FWDIR/bin/export_https_cert -local -f mycompany.p12
To prevent users from getting warnings about the generated CA certificates that HTTPS inspection uses, install the generated CA certificate used by HTTPS inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.
When users do standard updates, the generated CA will be in the CA list and they will not receive browser certificate warnings.
To distribute a certificate with a GPO:
Or
From the HTTPS Inspection > Gateways pane in a supported blade, click Export.
Note - Make sure that the CA certificate is pushed to the client computer organizational unit.
You can use this procedure to deploy a certificate to multiple client machines with Active Directory Domain Services and a Group Policy Object (GPO). A GPO can contain multiple configuration options, and is applied to all computers in the scope of the GPO.
Membership in the local Administrators group, or equivalent, is necessary to complete this procedure.
To deploy a certificate using Group Policy:
The Group Policy Management Editor opens and shows the contents of the policy object.
You can import a CA certificate that is already deployed in your organization or import a CA certificate created on one Security Management Server to use on another Security Management Server.
Note - It is recommended that you use private CA Certificates. |
For each Security Management Server that has Security Gateways enabled with HTTPS inspection, you must:
To import a CA certificate:
Or
From the HTTPS Inspection > Gateways pane of a supported blade, click the arrow next to Create Certificate and select Import certificate from file.
The Import Outbound Certificate window opens.
To enable inbound HTTPS traffic inspection:
When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow seamless HTTPS inspection, the Security Gateway must use the original server certificate and private key.
To assign the certificate for inbound HTTPS inspection:
This creates a server certificate object.
The Server Certificates window in SmartDashboard has these options:
When you import a server certificate, enter the same password that was entered to protect the private key of the certificate on the server. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.
After you import a server certificate (with a P12 file extension) to the Security Gateway, make sure you add the object to the HTTPS Inspection Policy.
Do this procedure for all servers that receive connection requests from clients outside of the organization.
To add a server certificate:
The Import Certificate window opens.
The Successful Import window opens the first time you import a server certificate. It shows you where to add the object in the HTTPS Inspection Rule Base. Click Don't show this again if you do not want to see the window each time you import a server certificate and Close.
The HTTPS inspection policy determines which traffic is inspected. The primary component of the policy is the Rule Base. The rules use the categories defined in the Application Database, network objects and custom objects (if defined).
The HTTPS Rule Base lets you inspect the traffic on other network blades. The blades that HTTPS can operate on are based on the blade contracts and licenses in your organization and can include:
If you enable Identity Awareness on your Security Gateways, you can also use Access Role objects as the source in a rule. This lets you easily make rules for individuals or different groups of users.
To access the HTTPS inspection Rule Base:
In SmartDashboard, open the Policy page from the specified blade tab:
When you enable HTTPS inspection, a predefined rule is added to the HTTPS Rule Base. This rule defines that all HTTPS and HTTPS proxy traffic from any source to the internet is inspected on all blades enabled in the Blade column. By default, there are no logs.
The columns of a rule define the traffic that it matches and if that traffic is inspected or bypassed. When traffic is bypassed or if there is no rule match, the traffic continues to be examined by other blades in the Security Gateway.
The sequence of rules is important because the first rule that matches is applied.
For example, if the predefined rule inspects all HTTPS traffic from any category and the next rule bypasses traffic from a specified category, the first rule that inspects the traffic is applied.
Give the rule a descriptive name. The name can include spaces.
Double-click in the Name column of the rule to add or change a name.
The source is where the traffic originates. The default is Any.
Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal. |
Put your mouse in the column and a plus sign shows. Click the plus sign to open the list of network objects and select one or multiple sources. The source can be an Access Role object, which you can define when Identity Awareness is enabled.
Choose the destination for the traffic. The default is the Internet, which includes all traffic with the destination of DMZ or external. If you delete the destination value, the rule changes to Any, which applies to traffic going to all destinations
Important - A rule that blocks traffic, with the Source and Destination parameters defined as Any, also blocks traffic to and from the Captive Portal. |
To choose other destinations, put your mouse in the column and a plus sign shows. Click the plus sign to open the list of network objects and select one or multiple destinations.
By default, HTTPS traffic on port 443 and HTTP and HTTPS proxy on port 8080 is inspected. You can include more services and ports in the inspection by adding them to the services list.
To select other HTTPS/HTTP services, put your mouse in the column and a plus sign shows. Click the plus sign to open the list of services and select a service. Other services, such as SSH are not supported.
The Site Category column contains the categories for sites and applications that users browse to and you choose to include. One rule can include multiple categories of different types.
Important -
|
You can also include custom applications, sites, and hosts. You can select a custom defined application or site object with the Custom button or create a new host or site with the New button at the bottom of the page.
To add site categories to a rule:
Put your mouse in the column and a plus sign shows. Click the plus sign to open the Category viewer. For each category, the viewer shows a description and if there are applications or sites related with it.
You can create a new host site object to use in the HTTPS Rule Base if there is no corresponding existing category. Only the domain name part or hosts part of the URL is supported.
To create a new host site:
The Hosts/Sites window opens.
The new host site is added to the Selected list and can be added to the Rule Base.
The action is what is done to the traffic. Click in the column to see the options and select one to add to the rule.
Choose if the traffic is logged in SmartView Tracker or if it triggers other notifications. Click in the column and the options open. The options include:
Choose the blades that will inspect the traffic. Click in the column and the options open. The options include:
Important - The blade options you see are based on the blade contracts and licenses in your organization. |
Choose which Security Gateways the rule will be installed on. The default is All, which means all Security Gateways that have HTTPS inspection enabled. Put your mouse in the column and a plus sign shows. Click the plus sign to open the list of available Security Gateways and select.
Choose the certificate that is applicable to the rule. The Security Gateway uses the selected certificate for communication between the Security Gateway and the client.
Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.
To bypass HTTPS inspection for software updates:
Enhanced HTTPS Inspection Bypass lets the gateway bypass traffic to servers that require client certificate authentication and bypass non-browser applications.
This feature is supported on R77.30 and higher gateways.
To enable enhanced HTTPS inspection:
$FWDIR/boot/modules/fwkern.conf
file on the gateway, add:enhanced_ssl_inspection=1
You can configure this feature without changing the configuration file, but it does not survive reboot:
In expert mode, run: fw ctl set int enhanced_ssl_inspection 1
The Gateways pane lists the gateways with HTTPS Inspection enabled. Select a gateway and click Edit to edit the gateway properties. You can also search, add and remove Security Gateways from here.
For each gateway, you see the gateway name, IP address and comments.
In the CA Certificate section, you can renew the certificate validity date range if necessary and export it for distribution to the organization client machines.
If the Security Management Server which manages the selected Security Gateway does not have a generated CA certificate installed on it, you can add it with Import certificate from file.
When a client initiates an HTTPS connection to a web site server, the Security Gateway intercepts the connection. The Security Gateway inspects the traffic and creates a new HTTPS connection from the Security Gateway to the designated server.
When the Security Gateway establishes a secure connection (an SSL tunnel) to the designated web site, it must validate the site server certificate.
HTTPS Inspection comes with a preconfigured list of trusted CAs. This list is updated by Check Point when necessary and is automatically downloaded to the Security Gateway. The system is configured by default to notify you when a Trusted CA update file is ready for installation. The notification in SmartDashboard shows as a pop-up notification or in the Trusted CAs window in the Automatic Updates section. After you install the update, make sure to install the policy. You can select to disable the automatic update option and manually update the Trusted CA list.
If the Security Gateway receives a non-trusted server certificate from a site, by default the user gets a self-signed certificate and not the generated certificate. A page notifies the user that there is a problem with the website security certificate, but lets the user continue to the website.
You can change the default setting to block untrusted server certificates.
The trusted CA list is based on the Microsoft Root Certificate Program.
Updates for the trusted CA list and Certificate Blacklist will be published from time to time on the Check Point web site. They are automatically downloaded to the Security Management Server by default. When you are sent a notification that there is an update available, install it and do the procedure. The first notification is shown in a popup balloon once and then in the notification line under HTTPS Inspection > Trusted CAs. You can disable automatic updates if necessary.
To update the Trusted CA list and Certificate Blacklist:
You see the certificates that will be added or removed to the lists and the validity date range of the certificates added to the Trusted CA list.
The certificates will be added or removed respectively from the lists.
To disable automatic updates:
To add a trusted CA manually to the Security Gateway, you must export the necessary certificate from a non-trusted web site and then import it into SmartDashboard.
To export a CA certificate to add to the Trusted CAs list:
To import a CA certificate to the Trusted CAs list:
The certificate is added to the trusted CAs list.
You can save a selected certificate in the trusted CAs list to the local file system.
To export a CA certificate:
A CER file is created.
When a Security Gateway receives an untrusted certificate from a web site server, the settings in this section define when to drop the connection.
Untrusted server certificate
When selected, traffic from a site with an untrusted server certificate is immediately dropped. The user gets an error page that states that the browser cannot display the webpage.
When cleared, a self-signed certificate shows on the client machine when there is traffic from an untrusted server. The user is notified that there is a problem with the website's security certificate, but lets the user continue to the website (default).
Revoked server certificate (validate CRL)
When selected, the Security Gateway validates that each server site certificate is not in the Certificate Revocation List (CRL) (default).
If the CRL cannot be reached, the certificate is considered trusted (this is the default configuration). An HTTPS Inspection log is issued that indicates that the CRL could not be reached. This setting can be changed with GuiDBedit. Select Other > SSL Inspection > general_confs_obj and change the attribute
from false to true.drop_if_crl_cannot_be_reached
To validate the CRL, the Security Gateway must have access to the internet. For example, if a proxy server is used in the organizational environment, you must configure the proxy for the Security Gateway.
To configure the proxy:
When cleared, the Security Gateway does not check for revocations of server site certificates.
Important - Make sure that there is a rule in the Rule Base that allows outgoing HTTP from the Security Gateway. |
Expired server certificate
Track validation errors
Choose if the server validation traffic is logged in SmartView Tracker or if it triggers other notifications. The options include:
Automatically retrieve intermediate CA certificates
You can create a list of certificates that are blocked. Traffic from servers using the certificates in the blacklist will be dropped. If a certificate in the blacklist is also in the Trusted CAs list, the blacklist setting overrides the Trusted CAs list.
Choose if the dropped traffic is logged in SmartView Tracker or if it triggers other notifications. The options include:
Secure connections between a client and server with no traffic create logs in SmartView Tracker labeled as "Client has not installed CA certificate". This can happen when an application or client browser fails to validate the server certificate. Possible reasons include:
The option in the HTTPS Validation pane:
Log connections of clients that have not installed the CA certificate
You can configure a gateway to be an HTTP/HTTPS proxy. When it is a proxy, the gateway becomes an intermediary between two hosts that communicate with each other. It does not allow a direct connection between the two hosts.
Each successful connection creates two different connections:
Proxy Modes
Two proxy modes are supported:
Access Control
You can configure one of these options for forwarding HTTP requests:
Ports
By default, traffic is forwarded only on port 8080. You can add or edit ports as required.
Advanced
By default, the HTTP header contains the Via proxy related header. You can remove this header with the Advanced option.
You can also use the Advanced option to configure the X-Forward-For header that contains the IP address of the client machine. It is not added by default because it reveals the internal client IP.
Logging
The Security Gateway opens two connections, but only the Firewall blade can log both connections. Other blades show only the connection between the client and the gateway. The Destination field of the log only shows the gateway and not the actual destination server. The Resource field shows the actual destination.
To configure a Security Gateway to be an HTTP/HTTPS proxy:
Note - If you select Non Transparent mode, make sure to configure the clients to work with the proxy.
The X-Forward-For header must be configured if traffic will be forwarded to Identity Awareness Security Gateways that require this information for user identification.
The Security Gateway runs different web-based portals over HTTPS:
All of these portals can resolve HTTPS hosts to IPv4 and IPv6 addresses over port 443.
These portals (and HTTPS inspection) support the latest versions of the TLS protocol. In addition to SSLv3 and TLS 1.0 (RFC 2246), the Security Gateway supports:
Support for TLS 1.1 and TLS 1.2 is enabled by default but can be disabled in SmartDashboard (for web-based portals) or GuiDBedit (for HTTPS Inspection).
To configure TLS protocol support for portals:
The Advanced Configuration window opens.
To Configure TLS Protocol Support for HTTPS inspection:
Logs from HTTPS Inspection are shown in SmartView Tracker. There are two types of predefined queries for HTTPS Inspection logs in SmartView Tracker:
To open SmartView Tracker:
These are the predefined queries in Predefined > Network Security Blades > HTTPS Inspection.
HTTPS Validation values are:
When applying HTTPS Inspection to a specified blade:
An administrator must have HTTPS inspection permissions to see classified data in HTTPS inspected traffic.
To set permissions for an administrator in a new profile:
The Permissions Profile Custom Properties window opens.
To edit an existing permissions profile:
Events from HTTPS Inspection are shown in SmartEvent. There are two types of predefined queries for HTTPS Inspection events in SmartEvent:
To open SmartEvent:
SmartEvent supplies advanced analysis tools with filtering, charts, reporting, statistics, and more, of all events that pass through enabled Security Gateways. SmartEvent shows all HTTPS Inspection events.
You can filter the HTTPS Inspection information for fast monitoring on HTTPS Inspection traffic.
SmartEvent shows information for all Software Blades in the environment.
There are two types of predefined queries for HTTPS Inspection events in SmartEvent:
HTTPS Inspection Queries
Blade Queries