Monitoring HTTPS Inspection with HSM over SNMP

You can query the HTTPS InspectionClosed Feature on a Security Gateway that inspects traffic encrypted by the Secure Sockets Layer (SSL) protocol for malware or suspicious patterns. Synonym: SSL Inspection. Acronyms: HTTPSI, HTTPSi. status and the status of connection to the HSM Server on the Security GatewayClosed Dedicated Check Point server that runs Check Point software to inspect traffic and enforce Security Policies for connected network resources. / Cluster MemberClosed Security Gateway that is part of a cluster. / Security Group over SNMP:

  • Full OID is:

    .iso.org.dod.internet.private.enterprises.checkpoint.products.httpsInspection

  • Numerical OID is:

    .1.3.6.1.4.1.2620.1.54

To get the HTTPS Inspection status, query this SNMP object:

SNMP OID

Returned strings

Explanation

httpsInspectionStatus

 

.1.3.6.1.4.1.2620.1.54.1

On

HTTPS Inspection feature is configured on the Security Gateway / ClusterClosed Two or more Security Gateways that work together in a redundant configuration - High Availability, or Load Sharing. Member / Security Group.

Off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member / Security Group.

To get the HTTPS Inspection status description, query this SNMP object:

SNMP OID

Returned strings

Explanation

httpsInspectionStatusDescription

 

.1.3.6.1.4.1.2620.1.54.2

HTTPS Inspection is on

HTTPS Inspection feature is configured on the Security Gateway / Cluster Member / Security Group.

HTTPS Inspection is off

HTTPS Inspection feature is not configured on the Security Gateway / Cluster Member / Security Group.

To get the HSM configuration status, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.hsmEnabled

 

.1.3.6.1.4.1.2620.1.54.3.1

Enabled

The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Disabled

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway / Cluster Member / Security Group.

To get the HSM configuration status description, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.hsmEnabledDescription

 

.1.3.6.1.4.1.2620.1.54.3.2

HSM is enabled for HTTPS inspection with <HSM Vendor>

  • The value of the :enabled() attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The <HSM Vendor> is the value of the ":hsm_vendor_name ()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

HSM is disabled for HTTPS inspection

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The HTTPS Inspection daemon wstlsd failed to read the value of the ":enabled()" attribute in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway / Cluster Member / Security Group.

To get the HSM partition access status, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.hsmPartitionAccess

 

.1.3.6.1.4.1.2620.1.54.3.3

N/A

Security Gateway / Cluster Member / Security Group failed to check the access to its partition on the HSM Server.

Most probably, because HSM configuration is disabled on the Security Gateway / Cluster Member / Security Group.

Accessible

Security Gateway / Cluster Member / Security Group accessed its partition on the HSM Server.

Not Accessible

Security Gateway / Cluster Member / Security Group failed to access its partition on the HSM Server because of an error.

To get the HSM partition access status description, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.hsmPartitionAccessDescription

 

.1.3.6.1.4.1.2620.1.54.3.4

HSM partition access cannot be checked

Security Gateway / Cluster Member / Security Group failed to check the access to its partition on the HSM Server.

Gateway can access HSM partition for HTTPS inspection

Security Gateway / Cluster Member / Security Group accessed its partition on the HSM Server.

Gateway cannot access HSM partition for HTTPS inspection: <Error Message>

Security Gateway / Cluster Member / Security Group failed to access its partition on the HSM Server because of an error.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

To get the Outbound HTTPS Inspection status, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.outboundStatus

 

.1.3.6.1.4.1.2620.1.54.3.5

N / A

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

HSM on

All these conditions were met:

  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. Security Gateway / Cluster Member / Security Group connected to the HSM Server.

HSM off

One of these:

  • The HSM Client software packages are not installed on the Security Gateway / Cluster Member / Security Group.

  • The $FWDIR/conf/hsm_configuration.C file does not exist on the Security Gateway / Cluster Member / Security Group.

  • The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  • The ":enabled()" attribute is corrupted in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

Important - In these cases, outbound HTTPS Inspection works without the HSM Server, and SSL keys are stored on the Security Gateway / Cluster Member / Security Group.

HSM error

All these conditions were met:

  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. An error occurred.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member / Security Group during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabled = HSM enabled" and "hsmStatus.outboundStatus = HSM off", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.

To get the Outbound HTTPS Inspection status description, query this SNMP object:

SNMP OID

Returned strings

Explanation

hsmStatus.outboundStatusDescription

 

.1.3.6.1.4.1.2620.1.54.3.6

Cannot get HTTPS inspection outbound status. Process may be under initialization. Please try again in a minute.

When the HTTPS Inspection daemon wstlsd starts, it is necessary to wait for one minute or less, until you can get the actual status.

 

Outbound HTTPS inspection works with HSM

All these conditions were met:

  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. Security Gateway / Cluster Member / Security Group connected to the HSM Appliance Server.

 

Outbound HTTPS inspection works without HSM

The value of the ":enabled()" attribute is set to "no" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group, or this file does not exist.

 

Outbound HTTPS inspection is off due to HSM error: <Error Message>

All these conditions were met:

  1. The value of the ":enabled()" attribute is set to "yes" in the $FWDIR/conf/hsm_configuration.C file on the Security Gateway / Cluster Member / Security Group.

  2. An error occurred.

Important - In this case, outbound HTTPS Inspection does not work, and HTTPS traffic does not pass through.

Possible error messages are:

  • HSM configuration file is corrupted

  • Loading HSM library failed

  • There is no trust or no connectivity with HSM server

  • Login to HSM partition failed

  • Error importing CA certificate from HSM server

  • Error generating key pair on HSM server

Note - The conditions for the returned strings are calculated on the Security Gateway / Cluster Member / Security Group during the start of the HTTPS Inspection daemon wstlsd, or during policy installation. For example, you can get "hsmStatus.hsmEnabledDescription = HSM is enabled for HTTPS inspection with <HSM Vendor>" and "hsmStatus.outboundStatusDescription = Outbound HTTPS inspection works without HSM", because when the wstlsd daemon started, or during last policy installation, the HSM configuration was disabled.

 
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -On -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54
 
.1.3.6.1.4.1.2620.1.54.1.0 = STRING: On
.1.3.6.1.4.1.2620.1.54.2.0 = STRING: HTTPS Inspection is on
.1.3.6.1.4.1.2620.1.54.3.1.0 = STRING: Enabled
.1.3.6.1.4.1.2620.1.54.3.2.0 = STRING: HSM is enabled for HTTPS inspection with Gemalto HSM
.1.3.6.1.4.1.2620.1.54.3.3.0 = STRING: Accessible
.1.3.6.1.4.1.2620.1.54.3.4.0 = STRING: Gateway can access HSM partition for HTTPS inspection
.1.3.6.1.4.1.2620.1.54.3.5.0 = STRING: HSM on
.1.3.6.1.4.1.2620.1.54.3.6.0 = STRING: Outbound HTTPS inspection works with HSM
 
# snmpwalk -m $CPDIR/lib/snmp/chkpnt.mib -Oa -v 2c -c public localhost 1.3.6.1.4.1.2620.1.54
 
CHECKPOINT-MIB::httpsInspectionStatus.0 = STRING: On
CHECKPOINT-MIB::httpsInspectionStatusDescription.0 = STRING: HTTPS Inspection is on
CHECKPOINT-MIB::hsmEnabled.0 = STRING: Enabled
CHECKPOINT-MIB::hsmEnabledDescription.0 = STRING: HSM is enabled for HTTPS inspection with Gemalto HSM
CHECKPOINT-MIB::hsmPartitionAccess.0 = STRING: Accessible
CHECKPOINT-MIB::hsmPartitionAccessDescription.0 = STRING: Gateway can access HSM partition for HTTPS inspection
CHECKPOINT-MIB::outboundStatus.0 = STRING: HSM on
CHECKPOINT-MIB::outboundStatusDescription.0 = STRING: Outbound HTTPS inspection works with HSM

For more information about SNMP on GaiaClosed Check Point security operating system that combines the strengths of both SecurePlatform and IPSO operating systems. OS, see the R81 Gaia Administration Guide > Chapter System Management > Section SNMP.