Print Download PDF Send Feedback

Previous

Next

Configuring HTTPS Inspection

HTTPS Internet traffic uses the SSL (Secure Sockets Layer) protocol and is encrypted to give data privacy and integrity. However, HTTPS traffic has a possible security risk and can hide illegal user activity and malicious traffic. Security Gateways cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection feature to let the Security Gateways create new SSL connections with the external site or server. The Security Gateways are then able to decrypt and inspect HTTPS traffic that uses the new SSL connections.

There are two types of HTTPS Inspection:

A Security Gateway uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in such a log.

Inspecting HTTPS Packets

Outbound Connections

Outbound connections are HTTPS connections that arrive from an internal client and connect to the Internet. The Security Gateway compares the HTTPS request to the rules in the HTTPS Inspection Rule Base. If the request does not match any rule, the packet is not inspected and the connection is allowed.

If the request matches an HTTPS Inspection rule, the Security Gateway validates the certificate from the server (on the Internet). The Security Gateway validates the certificate using the Online Certificate Status Protocol (OCSP) standard. OCSP is faster and uses much less memory than CRL Validation, which is used for certificate validation in releases lower than R80.10. For a new HTTPS connection to the server, the Security Gateway creates and uses a new certificate. There are two HTTPS connections, one to the internal client and one to the external server. It can then decrypt and inspect the packets according to the security policy. The packets are encrypted again and sent to the destination.

 

 

 

 

Connection is not inspected

 

 

 

 

 

 

No

 

 

HTTPS request

Firewall inspects request

Matches a rule?

Yes

Firewall validates certificate

 

 

 

 

 

 

 

 

Firewall inspects unencrypted connection and then encrypts it

Decrypts the connection

Creates new certificate for client and server

Inbound Connections

Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network. The Security Gateway compares the HTTPS request to the rules in the HTTPS Inspection Rule Base. If the request does not match any rule, the packet is not inspected and the connection is allowed.

If the request matches an HTTPS Inspection rule, the Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client. The Security Gateway creates a new HTTPS connection with the internal server. Since the Security Gateway has a secure connection with the external client, it can decrypt the HTTPS traffic. The decrypted traffic is inspected according to the security policy.

 

 

 

 

Connection is not inspected

 

 

 

 

 

 

No

 

 

HTTPS request

Firewall inspects request

Matches a rule?

Yes

Uses server certificate and connects to the client

 

 

 

 

 

 

 

 

Firewall inspects unencrypted connection

Decrypts the connection

Creates a new connection to server

Configuring Gateways to inspect outbound and inbound HTTPS

This section gives an example of how to configure a Gateway to inspect outbound and inbound HTTPS traffic.

Workflow overview

  1. Enable HTTPS Inspection on the Security Gateway.
  2. Configure the Security Gateway to use the certificate.
    • Outbound Inspection - Generate a new certificate for the Security Gateway.
    • Inbound Inspection - Import the certificate for the internal server.
  3. Configure the HTTPS Inspection Rule Base.
  4. Install the Access Control Policy.

Enabling HTTPS Inspection

You must enable HTTPS Inspection on each Security Gateway.

To enable HTTPS Inspection on a Security Gateway:

  1. From the SmartConsole Gateways & Servers view, edit the Security Gateway object.
  2. Click HTTPS Inspection > Step 3.
  3. Select Enable HTTPS Inspection.

The first time you enable HTTPS Inspection on one of the Security Gateways, you must create an outbound CA certificate for HTTPS Inspection or import a CA certificate already deployed in your organization. This outbound certificate is used by all Security Gateways managed on the Security Management Server.

Creating an Outbound CA Certificate

The outbound CA certificate is saved with a P12 file extension and uses a password to encrypt the private key of the file. The Security Gateways use this password to sign certificates for the sites accessed. You must keep the password because it is also used by other Security Management Servers that import the CA certificate to decrypt the file.

After you create an outbound CA certificate, you must export it so it can be distributed to clients. If you do not deploy the generated outbound CA certificate on clients, users will receive SSL error messages in their browsers when connecting to HTTPS sites. You can configure a troubleshooting option that logs such connections.

After you create the outbound CA certificate, a certificate object named Outbound Certificate is created. Use this object in rules that inspect outbound HTTPS traffic in the HTTPS Inspection Rule Base.

To create an outbound CA certificate:

  1. In SmartConsole Gateways & Servers view, right-click the Security Gateway object and select Edit.

    The Gateway Properties window opens.

  2. In the navigation tree, select HTTPS Inspection.
  3. In Step 1 of the HTTPS Inspection page, click Create.

    The Create window opens.

  4. Enter the necessary information:
    • Issued by (DN) - Enter the domain name of your organization.
    • Private key password - Enter the password that is used to encrypt the private key of the CA certificate.
    • Retype private key password - Retype the password.
    • Valid from - Select the date range for which the CA certificate is valid.
  5. Click OK.
  6. Export and deploy the CA certificate.

Importing an Outbound CA Certificate

You can import a CA certificate that is already deployed in your organization or import a CA certificate created on one Security Management Server to use on another Security Management Server.

Best Practice - Use private CA Certificates.

For each Security Management Server that has Security Gateways enabled with HTTPS Inspection, you must:

To import a CA certificate:

  1. If the CA certificate was created on another Security Management Server, export the certificate from the Security Management Server on which it was created.
  2. In the SmartConsole Gateways & Servers view, right-click the Security Gateway object and select Edit.

    The Gateway Properties window opens.

  3. In the navigation tree, select HTTPS Inspection.
  4. In Step 1 of the HTTPS Inspection page, click Import.

    The Import Outbound Certificate window opens.

  5. Browse to the certificate file.
  6. Enter the private key password.
  7. Click OK.
  8. If the CA certificate was created on another Security Management Server, deploy it to clients.
Exporting a Certificate from the Security Management Server

If you use more than one Security Management Server in your organization, you must first export the CA certificate with the export_https_cert CLI command from the Security Management Server on which it was created before you can import it to other Security Management Servers.

Command syntax:

export_https_cert [-local] | [-s server] [-f certificate file name under FWDIR/tmp][-help]

To export the CA certificate:

On the Security Management Server, run this command:

$FWDIR/bin/export_https_cert -local -f [certificate file name under FWDIR/tmp]

Example

$FWDIR/bin/export_https_cert -local -f mycompany.p12

Exporting and Deploying the Generated CA

To prevent users from getting warnings about the generated CA certificates that HTTPS Inspection uses, install the generated CA certificate used by HTTPS Inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.

When users run standard updates, the generated CA will be in the CA list and they will not receive browser certificate warnings.

To distribute a certificate with a GPO:

  1. From the HTTPS Inspection window of the Security Gateway, click Export certificate.
  2. Save the CA certificate file.
  3. Use the Group Policy Management Console to add the certificate to the Trusted Root Certification Authorities certificate store.
  4. Push the Policy to the client computers in the organization.

    Note - Make sure that the CA certificate is pushed to the client computer organizational unit.

  5. Test the distribution by browsing to an HTTPS site from one of the clients and verifying that the CA certificate shows the name you entered for the CA certificate that you created in the Issued by field.
Deploying Certificates by Using Group Policy

You can use this procedure to deploy a certificate to multiple client machines with Active Directory Domain Services and a Group Policy Object (GPO). A GPO can contain multiple configuration options, and is applied to all computers in the scope of the GPO.

Membership in the local Administrators group, or equivalent, is necessary to complete this procedure.

To deploy a certificate using Group Policy:

  1. On the Microsoft Windows Server, open the Group Policy Management Console.
  2. Find an existing GPO or create a new GPO to contain the certificate settings. Make sure the GPO is associated with the domain, site, or organization unit whose users you want affected by the policy.
  3. Right-click the GPO and select Edit.

    The Group Policy Management Editor opens and shows the contents of the policy object.

  4. Open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers.
  5. Click Action > Import.
  6. Do the instructions in the Certificate Import Wizard to find and import the certificate you exported from SmartConsole.
  7. In the navigation pane, click Trusted Root Certification Authorities and repeat steps 5-6 to install a copy of the certificate to that store.

Configuring Inbound HTTPS Inspection

Configure the Security Gateway for inbound HTTPS Inspection.

To enable inbound HTTPS traffic inspection:

  1. From the SmartConsole Gateways & Servers view, edit the Security Gateway object.
  2. Click HTTPS Inspection > Step 3.
  3. Select Enable HTTPS Inspection.
  4. Import server certificates for servers behind the organization Security Gateways.
  5. Define an HTTPS Inspection policy:
    • Create rules
    • Add a server certificate to the Certificate column of each rule.
Assigning a Server Certificate for Inbound HTTPS Inspection

Add the server certificates to the Security Gateway. This creates a server certificate object

When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for SSL connections to the internal servers.

After you import a server certificate (with a P12 file extension) to the Security Gateway, add the object to the HTTPS Inspection Policy.

Do this procedure for all servers that receive connection requests from clients outside of the organization.

To add a server certificate for inbound HTTPS Inspection:

  1. In SmartConsole, go to Security Policies > Shared Policies > HTTPS Inspection.
  2. Click Open HTTPS Inspection Policy In SmartDashboard.

    SmartConsole opens.

  3. Click Server Certificates.
  4. Click Add.

    The Import Inbound Certificate window opens.

  5. Enter a Certificate name and a Description (optional).
  6. Browse to the certificate file.
  7. Enter the Private key password. Enter the same password that was used to protect the private key of the certificate on the server.
  8. Click OK.

The Successful Import window opens the first time you import a server certificate. It shows you where to add the object in the HTTPS Inspection Rule Base. Click Don't show this again if you do not want to see the window each time you import a server certificate and Close.

HTTPS Inspection Policy

The HTTPS Inspection rules define how the Security Gateways inspect HTTPS traffic. The HTTPS Inspection rules can use the URL Filtering categories to identify traffic for different websites and applications. For example, to protect the privacy of your users, you can use a rule to ignore HTTPS traffic to banks and financial institutions.

The HTTPS Inspection rules are applied to all the Software Blades that have HTTPS Inspection enabled. These are the Software Blades that support HTTPS Inspection:

To open the HTTP Inspection Policy

  1. In SmartConsole, go to Security Policies > Shared Policies > HTTPS Inspection.
  2. Click Open HTTPS Inspection Policy In SmartDashboard.

HTTPS Inspection rules in SmartConsole

These are the fields that manage the rules for the HTTPS Inspection security policy.

Field

Description

No.

Rule number in the HTTPS Inspection Rule Base.

Name

Name that the system administrator gives this rule.

Source

Network object that defines where the traffic starts.

Destination

Network object that defines the destination of the traffic.

Services

The network services that are inspected or bypassed.

By default, the services HTTPS on port 443 and HTTP_and_HTTPS proxy on port 8080 are inspected. You can add or delete services from the list.

Site Category

Categories for applications or web sites that are inspected or bypassed.

Action

Action that is done when HTTPS traffic matches the rule. The traffic is inspected or ignored (Bypass).

Track

Tracking and logging action that is done when traffic matches the rule.

Install On

Network objects that will get the HTTPS Inspection rule. You can only select Security Gateways that have HTTPS Inspection enabled.

Certificate

The certificate that is used for this rule.

  • Inbound HTTPS Inspection - Select the certificate that the internal server uses.
  • Outbound HTTPS Inspection - Select the Outbound Certificate object that you are using for the computers in the network. When there is a match to a rule, the Security Gateway uses the selected server certificate to communicate with the source client. You can create server certificates from HTTPS Inspection > Server Certificates > Add.

Comment

An optional field that lets you summarize the rule.

Configuring HTTPS Inspection Rules

Create different HTTPS Inspection rules for outbound and inbound traffic.

The outbound rules use the certificate that was generated for the Security Gateway.

The inbound rules use a different certificate for each internal server.

You can also create bypass rules for traffic that is sensitive and is not inspected. Make sure that the bypass rules are at the top of the HTTPS Inspection Rule Base.

After creating the rules, install the Access Control Policy.

Sample HTTPS Inspection Rule Base

This table shows a sample HTTPS Inspection Rule Base for a typical policy. (The Track and Install On columns are not shown. Track is set to None and Install On is set to Any.)

No

Name

Source

Destination

Services

Site Category

Action

Blade

Certificate

1

Inbound traffic

Any

WebCalendar

Server

HTTPS

Any

Inspect

Any

WebCalendarServer CA

2

Financial sites

Any

Internet

HTTPS

HTTP_HTTPS_proxy

Financial Services

Bypass

Any

Outbound CA

3

Outbound traffic

Any

Internet

HTTPS

HTTP_HTTPS_proxy

Any

Inspect

Any

Outbound CA

  1. Inbound traffic - Inspects HTTPS traffic to the network object WebCalendarServer. This rule uses the WebCalendarServer certificate.
  2. Financial sites - This is a bypass rule that does not inspect HTTPS traffic to websites that are defined in the Financial Services category. This rule uses the Outbound CA certificate.
  3. Outbound traffic - Inspects HTTPS traffic to the Internet. This rule uses the Outbound CA certificate.
Bypassing HTTPS Inspection for Software Update Services

Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.

To bypass HTTPS Inspection for software updates:

  1. In SmartConsole, go Manage & Settings > Blades > HTTPS Inspection > Configure In SmartDashboard.
  2. In SmartDashboard, click the HTTPS Inspection tab.
  3. Click Policy.
  4. In the Policy pane, select Bypass HTTPS Inspection of traffic to well known software update services (list is dynamically updated). This option is selected by default.
  5. Click list to see the list of approved domain names.

Managing Certificates by Gateway

The Gateways pane lists the gateways with HTTPS Inspection enabled. Select a gateway and click Edit to edit the gateway properties.

In the CA Certificate section, you can renew the certificate validity date range if necessary and export it for distribution to the organization client machines.

If the Security Management Server which manages the selected Security Gateway does not have a generated CA certificate installed on it, you can add it with Import certificate from file.

Adding Trusted CAs for Outbound HTTPS Inspection

When a client initiates an HTTPS connection to a web site server, the Security Gateway intercepts the connection. The Security Gateway inspects the traffic and creates a new HTTPS connection from the Security Gateway to the designated server.

When the Security Gateway establishes a secure connection (an SSL tunnel) to the designated web site, it must validate the site server certificate.

HTTPS Inspection comes with a preconfigured list of trusted CAs. This list is updated by Check Point when necessary and is automatically downloaded to the Security Gateway. The system is configured by default to notify you when a Trusted CA update file is ready for installation. The notification in SmartConsole shows as a pop-up notification or in the Trusted CAs window in the Automatic Updates section. After you install the update, make sure to install the policy. You can select to disable the automatic update option and manually update the Trusted CA list.

If the Security Gateway receives a non-trusted server certificate from a site, by default the user gets a self-signed certificate and not the generated certificate. A page notifies the user that there is a problem with the website security certificate, but lets the user continue to the website.

You can change the default setting to block untrusted server certificates.

Saving a CA Certificate

You can save a selected certificate in the trusted CAs list to the local file system.

To export a CA certificate:

  1. In SmartConsole, open HTTPS Inspection > Trusted CAs.
  2. Click Actions > Export to file.
  3. Browse to a location, enter a file name and click Save.

    A CER file is created.

HTTPS Validation

In the HTTPS Validation page of SmartConsole you can set options for

To learn more about these options, see the Help. Click ? in the HTTPS Validation page.

Showing HTTPS Inspection Logs

The predefined log query for HTTPS Inspection shows all HTTPS traffic that matched the HTTPS Inspection policy, and was configured to be logged.

To see HTTPS Inspection Logs:

  1. In the SmartConsole Logs & Monitor > Logs tab, click Favorites.
  2. Select the HTTPS Inspection query.

The Logs tab includes an HTTP Inspection Action field. The field value can be inspect or bypass. If HTTPS Inspection was not done on the traffic, this field does not show in the log.

Configuring the Geo Policy

The Geo Policy lets you control network traffic for specified countries. An IP-to-country database maps IP addresses to countries. You can configure different Geo policies that block or allow traffic for different countries. Private IP addresses are allowed unless the connection is explicitly blocked. Check Point control connections (such as between Security Gateways and the Security Management Server) are always allowed, regardless of the Geo Policy.

Follow this workflow to configure a Geo Policy:

  1. Create a Geo Policy.
  2. Configure exceptions to the policy (optional).
  3. Apply the new Geo Policy to target Security Gateways.
  4. Publish the configuration changes and install the Access Control Policy.

To create a new Geo Policy:

  1. In SmartConsole, go to the Security Policies page.
  2. In the Shared Policies section, click Geo Policy.
  3. From the drop-down Edited Policy menu, select New.
  4. In the Object Name window that opens, enter a name for the new Geo Policy.
  5. Click OK.
  6. Select an Activation Mode:
    • Active - Policy is enabled
    • Monitory Only - Traffic that matches the policy is allowed and logged
    • Inactive - Policy is disabled
  7. In Policy for specific countries section, click the plus sign.

    The Geo Policy - Add new rule window opens.

  8. Configure the Rule Settings:
    • Country - Select or search for a country on the list
    • Action - Select Accept to allow the traffic or Drop to reject it
    • Direction - From and To Country for bidirectional traffic, or To Country or From Country for traffic only in a specific direction
    • Track - Select to Log, send Alerts, send Mail, send SNMP Traps, or to send one of possible three custom User Alerts (you can also choose to not do any tracking)
    • Comment - optional comment
  9. Set the default Action and Track option for the Policy for other countries.
  10. Optional - Select Aggregate logs by country.
  11. Publish the Session to save the configuration changes.

To configure exceptions to a Geo Policy:

  1. In the Shared Policies section of the Security Policies page, click Exceptions.
  2. Click New.

    The New Exception Rule window opens.

  3. In the Apply to section, select the Profile to which you want to apply the exception.
  4. In the Source and Destination sections, select the exception criteria:
    • Network Object - A specific internal host or a network (or Any)
    • IP Address - A specific IP address
  5. Select a Service or specify a TCP or UDP Port/Range.
  6. Select the target gateways for the exception to Install On.
  7. Add an optional Comment and click OK.

To apply a Geo Policy:

  1. In the Shared Policies section of the Security Policies page, click Gateways.
  2. Select a gateway or a cluster of gateways and click Edit.

    The Gateway Geo Policy window opens.

  3. From the Assign Policy drop-down list, select a Geo Policy.
  4. Click OK.

You can also edit Geo Policies, or delete them (if they are not applied to any target Security Gateways).

To delete a Geo Policy:

  1. In the Shared Policies section of the Security Policies page, click Gateways.
  2. From the Edited Policy drop-down list, select a policy.

    The rules of the selected Geo Policy show.

  3. Click to open the Edited Policy list again, and select Delete.
  4. Click Yes to confirm.

    Note - If the policy is applied to a gateway or a cluster of gateways, the warning will show and the policy will not be deleted.

To edit a Geo Policy:

  1. In the Shared Policies section of the Security Policies page, click Gateways.
  2. From the Edited Policy drop-down list, select a policy.

    The rules of the selected Geo Policy show.

  3. Make changes to the policy.
  4. Publish the changes and install the Access Control Policy.