Monitoring HTTPS Inspection with HSM in CLI

Run the "cpstat https_inspection" command on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster MemberClosed Security Gateway that is part of a cluster. to see the HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. status and the status of connection to the HSM Server.

Syntax

cpstat -h

cpstat https_inspection -f {default | hsm_status | all}

For more information about this command, see the R81 CLI Reference Guide > Chapter Security Gateway Commands > Section cpstat.

[Expert@GW:0]# cpstat https_inspection -f default
 
HTTPS inspection status (On/Off):    On
HTTPS inspection status description: HTTPS Inspection is on
 
[Expert@GW:0]#
 
[Expert@GW:0]# cpstat https_inspection -f hsm_status
 
HSM enabled (Enabled/Disabled):                  Enabled
HSM enabled description:                         HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description:                 Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error):      HSM on
Outbound status description:                     Outbound HTTPS inspection works with HSM
 
[Expert@GW:0]#
 
[Expert@GW:0]# cpstat https_inspection -f all
 
HTTPS inspection status (On/Off):                On
HTTPS inspection status description:             HTTPS Inspection is on
HSM enabled (Enabled/Disabled):                  Enabled
HSM enabled description:                         HSM is enabled for HTTPS inspection with Gemalto HSM
HSM partition access (Accessible/Not Accessible): Accessible
HSM partition access description:                 Gateway can access to HSM partition for HTTPS inspection
Outbound status (HSM on/HSM off/HSM error):      HSM on
Outbound status description:                     Outbound HTTPS inspection works with HSM
 
[Expert@GW:0]#

Item

Possible returned strings

Explanation

HTTPS inspection status (On/Off)

On

HTTPS Inspection feature is configured on the Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member.

Off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member.

Item

Possible returned strings

Explanation

HTTPS inspection status description

HTTPS Inspection is on

HTTPS Inspection feature is configured on the Security Gateway / Cluster Member.

HTTPS Inspection is off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member.

Item

Possible returned strings

Explanation

HSM enabled (Enabled/Disabled)

Enabled

The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

Disabled

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member.

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  • The :enabled() attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

Item

Possible returned strings

Explanation

HSM enabled description

HSM is enabled for HTTPS inspection with <HSM Vendor>

  • The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  • The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

HSM is disabled for HTTPS inspection

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member.

  • The HTTPS Inspection daemon wstlsd could not read the value of the ":enabled()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

Item

Possible returned strings

Explanation

HSM partition access (Accessible/Not Accessible)

N/A

Security Gateway / Cluster Member could not check the access to its partition on the HSM Server.

Accessible

Security Gateway / Cluster Member could access its partition on the HSM Server.

Not Accessible

Security Gateway / Cluster Member could not access its partition on the HSM Server because of an error.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Item

Possible returned strings

Explanation

HSM partition access description

HSM partition access cannot be checked

Security Gateway / Cluster Member could not check the access to its partition on the HSM Server.

Most probably, because HSM configuration is disabled on the Security Gateway / Cluster Member.

Gateway can access HSM partition for HTTPS inspection

Security Gateway / Cluster Member could access its partition on the HSM Server.

Gateway cannot access HSM partition for HTTPS inspection: <Error Message>

Security Gateway / Cluster Member could not access its partition on the HSM Server because of an error.

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  2. An error occurred.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Item

Possible returned strings

Explanation

Outbound status (HSM on/HSM off/HSM error)

N / A

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

HSM on

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  2. Security Gateway / Cluster Member could connect to the HSM Server.

HSM off

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member.

  • The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway (Cluster Members).

HSM error

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  2. An error occurred.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status (HSM on/HSM off/HSM error) = HSM off", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.

Item

Possible returned strings

Explanation

Outbound status description

Cannot get HTTPS inspection outbound status. Process may be under initialization. Please try again in a minute.

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

 

Outbound HTTPS inspection works with HSM

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  2. Security Gateway / Cluster Member could connect to the HSM Server.

 

Outbound HTTPS inspection works without HSM

The value of the :enabled() attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member, or this file does not exist.

 

Outbound HTTPS inspection is off due to HSM error: <Error Message>

All these conditions were met:

  1. The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member.

  2. An error occurred.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

  • Error importing CA certificate from HSM server

  • Error generating key pair on HSM server

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "HSM enabled (Enabled/Disabled) = Enabled" and "Outbound status description = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.