Monitoring HTTPS Inspection with HSM in CLI

Run the "cpstat https_inspection" command on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster MemberClosed Security Gateway that is part of a cluster. / Scalable Platform Security GroupClosed A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. to see the HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. status and the status of connection to the HSM Server.

Syntax

For more information about this command, see the R81.10 CLI Reference Guide > Chapter Security Gateway Commands > Section cpstat.

[Expert@GW:0]# cpstat https_inspection -f default
 
HTTPS inspection status (On/Off):    On
HTTPS inspection status description: HTTPS Inspection is on
 
[Expert@GW:0]#
 
[Expert@GW:0]# cpstat https_inspection -f hsm_status
 
HSM enabled (Enabled/Disabled):                  Enabled
HSM enabled description:                         HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description:                 Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error):      HSM on
Outbound status description:                     Outbound HTTPS inspection works with HSM
 
[Expert@GW:0]#
 
[Expert@GW:0]# cpstat https_inspection -f all
 
HTTPS inspection status (On/Off):                On
HTTPS inspection status description:             HTTPS Inspection is on
HSM enabled (Enabled/Disabled):                  Enabled
HSM enabled description:                         HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description:                 Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error):      HSM on
Outbound status description:                     Outbound HTTPS inspection works with HSM
 
[Expert@GW:0]#

Item

Possible returned strings

Explanation

HTTPS inspection status (On/Off)

On

HTTPS Inspection feature is configured on the Security Gateway / Cluster Member / Security Group.

Off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member / Security Group.

Item

Possible returned strings

Explanation

HTTPS inspection status description

HTTPS Inspection is on

HTTPS Inspection feature is configured on the Security Gateway / Cluster Member / Security Group.

HTTPS Inspection is off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member / Security Group.

Item

Possible returned strings

Explanation

HSM enabled (Enabled/Disabled)

Enabled

The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Disabled

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

Item

Possible returned strings

Explanation

HSM enabled description

HSM is enabled for HTTPS inspection with <HSM Vendor>

  • The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

HSM is disabled for HTTPS inspection

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The HTTPS Inspection daemon wstlsd failed to read the value of the ":enabled()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

Item

Possible returned strings

Explanation

HSM partition access (Accessible/Not Accessible)

N/A

Security Gateway / Cluster Member / Security Group failed to check the access to its partition on the HSM Server.

Accessible

Security Gateway / Cluster Member / Security Group accessed its partition on the HSM Server.

Not Accessible

Security Gateway / Cluster Member / Security Group failed to access its partition on the HSM Server because of an error.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Item

Possible returned strings

Explanation

HSM partition access description

HSM partition access cannot be checked

Security Gateway / Cluster Member / Security Group failed to check the access to its partition on the HSM Server.

Most probably, because HSM configuration is disabled on the Security Gateway / Cluster Member / Security Group.

Gateway can access HSM partition for HTTPS inspection

Security Gateway / Cluster Member / Security Group accessed its partition on the HSM Server.

Gateway cannot access HSM partition for HTTPS inspection: <Error Message>

Security Gateway / Cluster Member / Security Group failed to access its partition on the HSM Server because of an error.

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. An error occurred.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Item

Possible returned strings

Explanation

Outbound status (HSM on/HSM off/HSM error)

N / A

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

HSM on

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. Security Gateway / Cluster Member / Security Group connected to the HSM Server.

HSM off

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

HSM error

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. An error occurred.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member / Security Group during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status (HSM on/HSM off/HSM error) = HSM off", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.

Item

Possible returned strings

Explanation

Outbound status description

Cannot get HTTPS inspection outbound status. Process may be under initialization. Please try again in a minute.

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

 

Outbound HTTPS inspection works with HSM

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. Security Gateway / Cluster Member / Security Group connected to the HSM Server.

 

Outbound HTTPS inspection works without HSM

The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group, or this file does not exist.

 

Outbound HTTPS inspection is off due to HSM error: <Error Message>

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. An error occurred.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

  • Error importing CA certificate from HSM server

  • Error generating key pair on HSM server

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member / Security Group during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status description = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.