HTTPS Inspection
HTTPS Internet traffic uses the TLS (Transport Layer Security) protocol and is encrypted to give data privacy and integrity. However, HTTPS traffic has a possible security risk and can hide illegal user activity and malicious traffic. Security Gateways cannot inspect HTTPS traffic because it is encrypted. You can enable the HTTPS Inspection Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. feature to let the Security Gateways create new TLS connections with the external site or server. The Security Gateways are then able to decrypt and inspect HTTPS traffic that uses the new TLS connections.
There are two types of HTTPS Inspection:
-
Outbound HTTPS Inspection - To protect against malicious traffic that is sent from an internal client to an external site or server.
-
Inbound HTTPS Inspection - To protect internal servers from malicious requests that arrive from the Internet or an external network.
The Security Gateway Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. uses certificates and becomes an intermediary between the client computer and the secure web site. All data is kept private in HTTPS Inspection logs. Only administrators with HTTPS Inspection permissions can see all the fields in such a log.
For information on what's new in HTTPS Inspection starting from R80.20, see sk163594.
Inspecting HTTPS Connections
Outbound HTTPS Connections
Outbound connections are HTTPS connections that arrive from an internal client and connect to an external server.
-
An HTTPS request (from an internal client to an external server) arrives at the Security Gateway.
-
The Security Gateway inspects the HTTPS request.
-
The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule Set of traffic parameters and other conditions in a Rule Base (Security Policy) that cause specified actions to be taken for a communication session.:
-
If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
-
If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
-
-
The Security Gateway validates the HTTPS certificate from the external server.
The Security Gateway uses the Online Certificate Status Protocol (OCSP) standard.
-
The Security Gateway creates a new certificate for the connection to the external server.
-
The Security Gateway decrypts the HTTPS connection.
-
The Security Gateway inspects the decrypted HTTPS connection.
-
If the Security Policy Collection of rules that control network traffic and enforce organization guidelines for data protection and access to resources with packet inspection. allows this traffic, the Security Gateway encrypts the HTTPS connection.
-
The Security Gateway sends the HTTPS request to the external server.
Inbound HTTPS Connections
Inbound connections are HTTPS connections that arrive from an external client and connect to a server in the DMZ or the internal network.
-
An HTTPS request (from an external client to an internal server) arrives at the Security Gateway.
-
The Security Gateway inspects the HTTPS request.
-
The Security Gateway determines whether the HTTPS request matches an existing HTTPS Inspection rule:
-
If the HTTPS request does not match a rule, then the Security Gateway does not inspect the HTTPS payload.
-
If the HTTPS request matches a rule, then the Security Gateway continues to the next step.
-
-
The Security Gateway uses the certificate for the internal server to create an HTTPS connection with the external client.
-
The Security Gateway creates a new HTTPS connection with the internal server.
-
The Security Gateway decrypts the HTTPS connection.
-
The Security Gateway inspects the decrypted HTTPS connection.
-
If the Security Policy allows this traffic, the Security Gateway encrypts the HTTPS connection and sends it to the internal server.
Getting Started with HTTPS Inspection
This section gives an example of how to configure a Security Gateway to inspect outbound and inbound HTTPS traffic.
Workflow Overview
Step |
Instructions |
---|---|
1 |
Enable HTTPS Inspection on the Security Gateway. See Enabling HTTPS Inspection on the Security Gateway |
2 |
Configure the Security Gateway to use the inbound and outbound certificates:
|
3 |
Configure the HTTPS Inspection Rule Base All rules configured in a given Security Policy. Synonym: Rulebase.. HTTPS Inspection Policy |
4 |
Install the Access Control Policy. See Installing the Access Control Policy |
Enabling HTTPS Inspection on the Security Gateway
You must configure HTTPS Inspection on each Security Gateway separately.
|
Important - You must enable HTTPS Inspection on the Security Gateway for the Software Blades to inspect HTTPS traffic. Without HTTPS Inspection, the Security Gateway cannot decrypt and inspect encrypted traffic, preventing any policy enforcement. |
To enable HTTPS Inspection on a Security Gateway:
Step |
Instructions |
---|---|
1 |
From the SmartConsole Check Point GUI application used to manage a Check Point environment - configure Security Policies, configure devices, monitor products and events, install updates, and so on. Gateways & Servers view, edit the Security Gateway object. |
2 |
Click HTTPS Inspection > Step 3. |
3 |
Select Enable HTTPS Inspection. |
Working with Outbound CA Certificate
The first time you enable HTTPS Inspection on one of the Security Gateways, you must create an outbound CA certificate for HTTPS Inspection or import a CA certificate already deployed in your organization. This outbound certificate is used by all Security Gateways managed on the Security Management Server Dedicated Check Point server that runs Check Point software to manage the objects and policies in a Check Point environment within a single management Domain. Synonym: Single-Domain Security Management Server..
Creating an Outbound CA Certificate
The outbound CA certificate is saved with a CER file extension and uses a password to encrypt the private key of the file. The Security Gateways use this password to sign certificates for the sites accessed. You must keep the password because it is also used by other Security Management Servers that import the CA certificate to decrypt the file.
After you create an outbound CA certificate, you must export it so it can be distributed to clients. If you do not deploy the generated outbound CA certificate on clients, users receive TLS error messages in their browsers when connecting to HTTPS sites. You can configure a troubleshooting option that logs such connections.
After you create the outbound CA certificate, a certificate object named Outbound Certificate is created. Use this object in rules that inspect outbound HTTPS traffic in the HTTPS Inspection Rule Base.
Step |
Instructions |
---|---|
1 |
In SmartConsole Gateways & Servers view, right-click the Security Gateway object and select Edit. The Gateway Properties window opens. |
2 |
In the navigation tree, select HTTPS Inspection. |
3 |
In Step 1 of the HTTPS Inspection page, click Create. The Create window opens. |
4 |
Enter the necessary information:
|
5 |
Click OK. |
6 |
Export and deploy the CA certificate (see Exporting an Outbound Certificate from the Security Management Server). |
Importing an Outbound CA Certificate
You can import a CA certificate that is already deployed in your organization or import a CA certificate created on one Security Management Server Check Point Single-Domain Security Management Server or a Multi-Domain Security Management Server. to another Security Management Server.
|
Best Practice - Use private CA Certificates. |
For each Security Management Server that has Security Gateways enabled with HTTPS Inspection, you must:
-
Import the CA certificate.
-
Enter the password the Security Management Server uses to decrypt the CA certificate file and sign the certificates for users. Use this password only when you import the certificate to a new Security Management Server.
Step |
Instructions |
---|---|
1 |
If the CA certificate was created on another Security Management Server, export the certificate from the Security Management Server, on which it was created (see Exporting an Outbound Certificate from the Security Management Server). |
2 |
In the SmartConsole Gateways & Servers view, right-click the Security Gateway object and select Edit. The Gateway Properties window opens. |
3 |
In the navigation tree, select HTTPS Inspection. |
4 |
In Step 1 of the HTTPS Inspection page, click Import. The Import Outbound Certificate window opens. |
5 |
Browse to the certificate file. |
6 |
Enter the private key password. |
7 |
Click OK. |
8 |
If the CA certificate was created on another Security Management Server, deploy it to clients (see Deploying the Generated CA). |
Exporting an Outbound Certificate from the Security Management Server
If you use more than one Security Management Server in your organization, you must first export the CA certificate with the export_https_cert
CLI command from the Security Management Server on which it was created before you can import it to other Security Management Servers.
|
|
On the Security Management Server, run this command:
|
Example:
|
|
Note - On a Multi-Domain Security Management Server, you must run this command in the context of the applicable Domain Management Server ( |
Deploying the Generated CA
To prevent users from getting warnings about the generated CA certificates that HTTPS Inspection uses, install the generated CA certificate used by HTTPS Inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.
When users run standard updates, the generated CA is in the CA list and they do not receive browser certificate warnings.
Step |
Instructions |
||
---|---|---|---|
1 |
From the HTTPS Inspection window of the Security Gateway, click Export certificate. |
||
2 |
Save the CA certificate file. |
||
3 |
Use the Group Policy Management Console to add the certificate to the Trusted Root Certification Authorities certificate store (see Deploying Certificates using Group Policy). |
||
4 |
Push the Policy to the client computers in the organization.
|
||
5 |
Test the distribution by browsing to an HTTPS site from one of the clients. Also, make sure the CA certificate shows the name you entered for the CA certificate that you created in the Issued by field. |
Deploying Certificates using Group Policy
You can use this procedure to deploy a certificate to multiple client machines with Active Directory Domain Services and a Group Policy Object (GPO). A GPO can contain multiple configuration options, and is applied to all computers in the scope of the GPO.
Membership in the local Administrators group, or equivalent, is necessary to complete this procedure.
Step |
Instructions |
---|---|
1 |
On the Microsoft Windows Server, open the Group Policy Management Console. |
2 |
Find an existing GPO or create a new GPO to contain the certificate settings. Make sure the GPO is associated with the domain, site, or organization unit whose users you want affected by the policy. |
3 |
Right-click the GPO and select Edit. The Group Policy Management Editor opens and shows the contents of the policy object. |
4 |
Open Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Publishers. |
5 |
Click Action > Import. |
6 |
Do the instructions in the Certificate Import Wizard to find and import the certificate you exported from SmartConsole. |
7 |
In the navigation pane, click Trusted Root Certification Authorities and repeat steps 5-6 to install a copy of the certificate to that store. |
Configuring Inbound HTTPS Inspection
By design, the Security Gateway / Security Cluster Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. is intentionally configured not to perform HTTPS Inspection on traffic directed towards it. To change this behavior, follow sk114574.
Assigning a Server Certificate for Inbound HTTPS Inspection
Add the server certificates to the Security Gateway. This creates a server certificate object.
When a client from outside the organization initiates an HTTPS connection to an internal server, the Security Gateway intercepts the traffic. The Security Gateway inspects the inbound traffic and creates a new HTTPS connection from the gateway to the internal server. To allow HTTPS Inspection, the Security Gateway must use the original server certificate and private key. The Security Gateway uses this certificate and the private key for TLS connections to the internal servers.
After you import a server certificate (with a CER file extension) to the Security Gateway, add the object to the HTTPS Inspection Policy.
Do this procedure for all servers that receive connection requests from clients outside of the organization.
Step |
Instructions |
---|---|
1 |
In SmartConsole, go to Security Policies > HTTPS Inspection > HTTPS Tools > Additional Settings. |
2 |
Click Open HTTPS Inspection Policy In SmartDashboard. |
3 |
Click Server Certificates. |
4 |
Click Add. The Import Inbound Certificate window opens. |
5 |
Enter a Certificate name and a Description (optional). |
6 |
Browse to the certificate file. |
7 |
Enter the Private key password. Enter the same password that was used to protect the private key of the certificate on the server. |
8 |
Click OK. |
The Successful Import window opens the first time you import a server certificate. It shows you where to add the object in the HTTPS Inspection Rule Base. Click Don't show this again if you do not want to see the window each time you import a server certificate and Close.
HTTPS Inspection Policy
The HTTPS Inspection rules define how the Security Gateways inspect HTTPS traffic.
The HTTPS Inspection rules can use the URL Filtering Check Point Software Blade on a Security Gateway that allows granular control over which web sites can be accessed by a given group of users, computers or networks. Acronym: URLF. categories to identify traffic for different websites and applications. For example, to protect the privacy of your users, you can use a rule to ignore HTTPS traffic to banks and financial institutions.
For HTTPS Inspection to be enforced on a gateway on a specific blade, you must:
-
Enable HTTPS Inspection on the gateway.
-
Create a rule in the HTTPS Inspection policy with the required blade.
-
Enable the required blade on the gateway.
These are the Software Blades that support HTTPS Inspection:
-
Access Control:
-
URL Filtering
-
Threat Prevention:
Starting from R80.40, the HTTPS Inspection policy is in SmartConsole > the Security Policies view > HTTPS Inspection. Starting from R80.40 you can create different HTTPS Inspection layers per different policy packages. When you create a new policy package, you can use the pre-defined HTTPS Inspection layer, or customize the HTTPS Inspection layer to fit your security needs.
You can share an HTTPS Inspection layer across multiple policy packages.
|
Note - When you go to the Security Policies view > HTTPS Inspection > HTTPS Tools > Additional Settings > Open HTTPS Inspection Policy In SmartDashboard, SmartDashboard unexpectedly closes, if there are more than 100,000 network objects configured in the management database of the Management Server. |
These are the fields that manage the rules for the HTTPS Inspection Security Policy.
Field |
Description |
---|---|
No. |
Rule number in the HTTPS Inspection Rule Base. |
Name |
Name that the system administrator gives this rule. |
Source |
Network object that defines where the traffic starts. |
Destination |
Network object that defines the destination of the traffic. |
Services |
The network services that are inspected or bypassed. By default, the services |
Site Category |
Categories for applications or web sites that are inspected or bypassed. |
Action |
Action that is done when HTTPS traffic matches the rule. The traffic is inspected or ignored (Bypass). |
Track |
Tracking and logging action that is done when traffic matches the rule. |
Install On |
Network objects that will enforce the HTTPS Inspection Policy. You can only select Security Gateways that have HTTPS Inspection enabled (by default, the gateways which appear in the Install On column have HTTPS inspection enabled). |
Certificate |
The certificate that is used for this rule.
|
Comment |
An optional field to add a summary for the rule. |
Configuring HTTPS Inspection Policy
Create different HTTPS Inspection rules for outbound and inbound traffic.
The outbound rules use the certificate that was generated for the Security Gateway.
The inbound rules use a different certificate for each internal server.
You can also create bypass rules for traffic that is sensitive and should not be inspected. Make sure that the bypass rules are at the top of the HTTPS Inspection Rule Base.
After you create the rules, install the Access Control Policy.
This table shows a sample HTTPS Inspection Rule Base for a typical policy.
-
Financial sites - This is a bypass rule that does not inspect HTTPS traffic to websites that are defined in the Financial Services category.
-
Outbound traffic - Inspects HTTPS traffic to the Internet. This rule uses the Outbound CA certificate.
-
Inbound traffic - Inspects HTTPS traffic to the network object WebCalendarServer. This rule uses the WebCalendarServer certificate.
HTTPS Inspection Policy Enforcement
HTTPS Inspection Rule Base enforcement consists of two steps:
-
Matching the connection against the Rule Base.
-
Calculating the action to be performed.
The action is calculated according to the matched rule, the Software Blades defined on the matched rule and the rule exceptions. In certain scenarios, the action in the matched rule is Inspect, but as a result of Step 2, the action is changed to Bypass. In such case, the HTTPS Inspection log is sent with data from the matched rule, but the action in the log is Bypass.
Example 1:
The rule in the HTTPS Inspection policy defines Action: Inspect and Blade: Threat Emulation. The Threat Emulation blade is not enabled on a specific gateway. On that gateway, the traffic is not inspected by Threat Emulation, and the log indicates Action: Bypass.
Example 2:
The administrator defined one rule in the HTTPS Inspection Policy:
Source |
Destination |
Services |
Action |
Track |
Blade |
---|---|---|---|---|---|
Any |
Any |
HTTPS |
Inspect |
Log |
IPS |
The administrator also added the 10.1.1.0/24 net to the Global Exceptions for the IPS blade. User with IP 10.1.1.2 surfs to some HTTPS websites.
HTTPS Inspection Rule Base execution:
The connection was matched to the rule with action Inspect.
IPS is the only active blade on the matched rule, but the connection is in exception for the IPS blade. Therefore the updated action is Bypass.
Performed action: SSL is not terminated, HTTPS Inspection log is sent with data from the matched rule, and the action sent is Bypass.
Bypassing HTTPS Inspection for Software Update Services
Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.
Step |
Instructions |
---|---|
1 |
In SmartConsole, go to Security Policies > HTTPS Inspection> HTTPS Tools > Additional Settings > Open HTTPS Inspection Policy in SmartDashboard. |
2 |
In SmartDashboard, click the HTTPS Inspection tab. |
3 |
Click HTTPS Validation. |
4 |
Go to Whitelisting and select Bypass HTTPS Inspection of traffic to well-known software update services (list is dynamically updated). This option is selected by default. |
5 |
Click list to see the list of approved domain names. |
Managing Certificates by Gateway
The Gateways pane in the HTTPS Inspection tab in SmartDashboard lists the gateways with HTTPS Inspection enabled.
In the CA Certificate section, in the lower part of the Gateways pane, you can Renew the certificate validity date range if necessary and Export it for distribution to the organization client machines.
If the Security Management Server which manages the selected Security Gateway does not have a generated CA certificate installed on it, you can add it with Import certificate from file.
-
You can import a CA certificate already deployed in your organization.
-
You can import a CA certificate from another Security Management Server. Before you can import it, you must first export it from the Security Management Server on which it was created (see HTTPS Inspection).
Adding Trusted CAs for Outbound HTTPS Inspection
When a client initiates an HTTPS connection to a website server, the Security Gateway intercepts the connection. The Security Gateway inspects the traffic and creates a new HTTPS connection from the Security Gateway to the designated server.
When the Security Gateway establishes a secure connection (a TLS tunnel) to the designated website, it must validate the site server certificate.
HTTPS Inspection comes with a preconfigured list of trusted CAs. This list is updated by Check Point when necessary and is automatically downloaded to the Security Gateway. After you install the update, make sure to install the policy. You can select to disable the automatic update option and manually update the Trusted CA list.
If the Security Gateway receives a non-trusted server certificate from a site, by default the user gets a self-signed certificate and not the generated certificate. A page notifies the user that there is a problem with the website security certificate, but lets the user continue to the website.
You can change the default setting to block untrusted server certificates.
Saving a CA Certificate
You can save a selected certificate in the trusted CAs list to the local file system.
Step |
Instructions |
---|---|
1 |
In SmartDashboard, go to the HTTPS Inspection tab > Trusted CAs. |
2 |
Click Actions > Export to file. |
3 |
Browse to a location, enter a file name and click Save. A |
HTTPS Validation
-
Fail mode
-
HTTPS site categorization mode
-
Server validation
-
Certificate blacklisting
-
Whitelisting
-
Troubleshooting
To learn more about these options, see the Help. Click the ? symbol in the HTTPS Validation page.
Showing HTTPS Inspection Logs
The predefined log query for HTTPS Inspection shows all HTTPS traffic that matched the HTTPS Inspection policy, and was configured to be logged.
Step |
Instructions |
---|---|
1 |
In the SmartConsole Logs & Monitor view, go to the Logs tab, and click Queries. |
2 |
Select the HTTPS Inspection query. |
The Logs tab includes an HTTP Inspection Action field. The field value can be inspect or bypass. If HTTPS Inspection was not done on the traffic, this field does not show in the log.
SNI support for Site Categorization
Starting from R80.30, a new functionality allows the categorization of HTTPS sites before the HTTPS Inspection begins, and prevents connectivity failure if the inspection does not succeed.
SNI is an extension to the TLS protocol, which indicates the hostname at the start of the TLS handshaking process.
The categorization is performed by examining the SNI field in the client hello message at the beginning of the TLS handshaking process. To make sure that you reached the right site, the SNI is verified against the Subject Alternative Name of the host, which appears in the certificate.
After the identity of the host is known and verified, the site is categorized, and it is determined whether the connection should be inspected or not.
SNI support is enabled by default.
HTTPS Inspection on Non-Standard Ports
Applications that use HTTP normally send the HTTP traffic on TCP port 80. Some applications send HTTP traffic on other ports also. You can configure some Software Blades to only inspect HTTP traffic on port 80, or to also inspect HTTP traffic on non-standard ports.
The security policies inspect all HTTP traffic, even if it is sent using nonstandard ports. This option is selected by default. You can configure this option in the Manage & Settings view > Blades > Threat Prevention > Advanced Settings > General > HTTPS Inspection.
Inspection of TLS v1.3 Traffic
From R81, the Check Point Security Gateway can inspect traffic that relies on Transport Layer Security (TLS) v1.3 (see RFC 8446).
From R81.10, this feature is enabled by default for Security Gateways (and Cluster Members) that use the User-Space Firewall Mode (USFW)).
For the list of supported platforms, see sk167052.
|
Important - In a Cluster, you must configure all the Cluster Members in the same way. |
|
Note - To disable the inspection of the TLS v1.3 traffic for testing purposes, set the value of the global parameter fwtls_enable_tlsio to 0 and reboot. |
The HTTPS Inspection feature decrypts traffic for better protection against advanced threats, bots, and other malware.