Monitoring HTTPS Inspection with HSM in SmartConsole Logs

To see the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. logs about the Gemalto HSM Server in SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on.:

Step

Instructions

From the left navigation panel, click Logs & Monitor > Logs.

In the search field, enter:

type:Control

Double-click the applicable log.

In the log, refer to the More section.

Possible logs are:

Log Description

Log Additional Information

Explanation

HSM is enabled for outbound HTTPS inspection with <HSM Vendor>

The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster Member Security Gateway that is part of a cluster. / Security Group A logical group of Security Appliances (in Maestro) / Security Gateway Modules (on Scalable Chassis) that provides Active/Active cluster functionality. A Security Group can contain one or more Security Appliances / Security Gateway Modules. Security Groups work separately and independently from each other. To the production networks, a Security Group appears a single Security Gateway. In Maestro, each Security Group contains: (A) Applicable Uplink ports, to which your production networks are connected; (B) Security Appliances (the Quantum Maestro Orchestrator determines the applicable Downlink ports automatically); (C) Applicable management port, to which the Check Point Management Server is connected. Security Group.
The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the on the Security Gateway / Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member / Security Group.

HSM is disabled for outbound HTTPS inspection

One of these:

The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.
The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.
The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.
The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway / Cluster Member / Security Group.

Outbound HTTPS inspection works with HSM

Gateway is connected to HSM

All these conditions were met:

The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.
Security Gateway / Cluster Member / Security Group connected to the HSM Server.

Outbound HTTPS inspection is off due to HSM error

One of these strings:

HSM configuration file is corrupted
Loading HSM library failed
There is no trust or no connectivity with HSM server
Login to HSM partition failed
Error importing CA certificate from HSM server
Error generating key pair on HSM server

See the section Log Additional Information in the log.

Example: