Configuring Mirror and Decrypt in SmartConsole for Gateway Mode

Workflow for Security Gateway / Cluster / Scalable Platform Security Group in Gateway mode:

- Enable HTTPS Inspection in the object of your Security Gateway / Cluster (for decrypting the HTTPS traffic).

  Procedure

  Step  Instructions
  a     Connect with SmartConsole to the Management Server.
  b     From the left navigation panel, click Gateways & Servers.
  c     Open the Security Gateway / Cluster object.
  d     From the navigation tree, click HTTPS Inspection.
  e     View and export the certificate.
  f     Check Enable HTTPS Inspection.
  g     Click OK.
- Configure the HTTPS Inspection Rule Base (for decrypting the HTTPS traffic).

  Procedure

  Step  Instructions
  a     From the left navigation panel, click Security Policies.
  b     From the left tree, click HTTPS Inspection.
  c     Configure the HTTPS Inspection Rule Base.
        See the R81 Security Management Administration Guide.
        For more settings, in the HTTPS Tools section, click Additional Settings.
  d     Publish the SmartConsole session.
- Activate Mirror and Decrypt in the object of your Security Gateway / Cluster.

  Procedure

  Step  Instructions
  a     From the left navigation panel, click Gateways & Servers.
  b     Open the Security Gateway / Cluster object.
  c     From the left tree, click Network Management.
  d     From the top toolbar, click Get Interfaces Without Topology.
  e     Make sure the interface designated for Mirror and Decrypt is listed with the dummy IP address.
  f     Select the interface designated for Mirror and Decrypt and click Edit.
  g     From the navigation tree, click General.
  h     In the General section, in the Network Type field, select Private.
        Note - This field shows only in Cluster objects.
  i     In the Topology section, click Modify. The Topology Settings window opens.
  j     In the Leads To section:
        - Select Override.
        - Select This Network (Internal).
        - Select Network defined by the interface IP and Net Mask.
  k     In the Security Zone section:
        - Select User defined.
        - Do not check Specify Security Zone.
  l     In the Anti-Spoofing section, clear Perform Anti-Spoofing based on interface topology.
  m     Click OK to save the changes and close the Topology Settings window.
  n     From the navigation tree of the Security Gateway / Cluster object, click the [+] near Other and click Mirror and Decrypt.
  o     Check Mirror gateway traffic to interface.
        The Mirror and Decrypt - User Disclaimer window opens.
        - Read the text carefully.
        - Check I agree to the terms and conditions.
        - Click OK to accept and close the disclaimer.
  p     In the Mirror gateway traffic to interface field, select the designated physical interface.
  q     Click OK to save the changes and close the Security Gateway / Cluster properties window.
- Configure the Mirror and Decrypt rules in the Access Control Policy for the traffic you wish to mirror and decrypt.

  Procedure

  Best Practice - We recommend that you configure a new, separate Access Control Layer to contain the Mirror and Decrypt rules. Alternatively, you can configure the Mirror and Decrypt rules in the regular Rule Base.

  Important - When you configure the Mirror and Decrypt rules, these limitations apply:
  - In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
  - Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
  - You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.

  The procedure below describes how to configure the Mirror and Decrypt rules in a separate Access Control Layer in SmartConsole:
  Step  Instructions
  a     From the left navigation panel, click Security Policies.
  b     Create a new Access Control Layer in the Access Control Policy.
  c     In the SmartConsole top left corner, click the menu button > Manage policies and layers.
  d     Select the existing policy and click Edit (the pencil icon).
        Alternatively, create a new policy.
  e     From the navigation tree of the Policy window, click General.
  f     In the Policy Types section, make sure you select only Access Control.
  g     In the Access Control section, click the + (plus) icon. A pop-up window opens.
  h     In the top right corner of this pop-up window, click New Layer.
        The Layer Editor window opens.
  i     From the navigation tree of the Layer Editor window, click General.
  j     In the Blades section, make sure you select only Firewall.
  k     On the other pages of the Layer Editor window, configure additional applicable settings.
        Click OK.
  l     In the Access Control section, you see the Network Layer and the new Access Control Layer.
  m     Click OK to save the changes and close the Policy window.
  n     In SmartConsole, at the top, click the tab of the applicable policy.
  o     In the Access Control section, click the new Access Control Layer.
        In the default rule, you must change the Action column from Drop to Accept so that it does not affect the policy enforcement:
        - Name - Your text
          Important - You cannot use these strings: <M&D>, <M&d>, <m&D>, or <m&d>
        - Source - *Any
        - Destination - *Any
        - VPN - *Any
        - Services & Applications - *Any
        - Action - Must contain Accept
        - Track - None
        - Install On - *Policy Targets
  p     Above the existing Cleanup rule, add the applicable rules for the traffic you wish to Mirror and Decrypt.
        You must configure the Mirror and Decrypt rules as follows:
        - Name - Must contain one of these strings (the angle brackets <> are mandatory): <M&D>, <M&d>, <m&D>, or <m&d>
        - Source - Select the applicable objects
        - Destination - Select the applicable objects
        - VPN - Must leave the default *Any
        - Services & Applications - Select the applicable services (to decrypt the HTTPS traffic, select the applicable HTTP, HTTPS, or Proxy services)
        - Action - Must contain Accept
        - Track - Select the applicable option (None, Log, or Alert)
        - Install On - Must contain one of these objects:
          - *Policy Targets (this is the default)
          - The Security Gateway or Cluster object, whose version is R80.20 or higher
        Important:
        - In the Mirror and Decrypt rules, you must not select Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
        - Above the Mirror and Decrypt rules, you must not configure other rules that contain Content criteria, such as Application, URL Filtering, Service matched by IP Protocol, or Content Awareness.
        - You must configure rules that contain an excluded source or an excluded destination above the Mirror and Decrypt rules. The Name column of these rules cannot contain these strings: <M&D>, <M&d>, <m&D>, or <m&d>.
  q     Publish the SmartConsole session.
  r     Install the Access Control Policy.
  s     If in a Mirror and Decrypt rule you set Track to Log, you can filter the logs for this rule by the Access Rule Name, which contains the configured string: <M&D>, <M&d>, <m&D>, or <m&d>.
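The following is an added example, not Check Point code and not part of this guide. It applies the Mirror and Decrypt rule constraints from step p and the Important notes (mandatory name string, Accept action, default VPN, no Content criteria in or above the M&D rules, exclusion rules placed above them, Install On target version, and an Accept default rule in the separate layer) to a candidate layer expressed as plain Python data, and implements the Access Rule Name log filter from step s. The dict layout of rules and log records, the field names ('criteria', 'source_negated', 'destination_negated', 'install_on', 'access_rule_name') and all sample values are assumptions constructed for this example; the real objects live in SmartConsole, and this checker is a pre-publish sanity check on an exported description of the layer.

```python
"""Static check of a candidate Mirror and Decrypt (M&D) Access Control Layer.

Added example; the rule/log dict layout is an assumption made for this script.
"""
import re

MD_TAGS = ("<M&D>", "<M&d>", "<m&D>", "<m&d>")
# Content criteria that must not appear in an M&D rule or in any rule above it.
CONTENT_CRITERIA = {
    "Application", "URL Filtering", "Service matched by IP Protocol", "Content Awareness",
}
MIN_GATEWAY_VERSION = (80, 20)  # R80.20 or higher is required as an Install On target


def has_md_tag(name):
    """True if the rule name contains one of the four mandatory M&D strings."""
    return any(tag in name for tag in MD_TAGS)


def parse_version(text):
    """'R80.20' -> (80, 20); 'R81' -> (81, 0); None if the string is not a Check Point version."""
    m = re.fullmatch(r"R(\d+)(?:\.(\d+))?", text.strip())
    return (int(m.group(1)), int(m.group(2) or 0)) if m else None


def uses_content_criteria(rule):
    """True if the rule's (constructed) 'criteria' list names any Content criterion."""
    return bool(CONTENT_CRITERIA & set(rule.get("criteria", ())))


def check_md_layer(rules, separate_layer=True):
    """Return a list of (rule_index, message) findings; an empty list means the layer passes.

    rules are ordered top to bottom as they appear in the layer; the last one is the
    default (cleanup) rule when separate_layer is True.
    """
    findings = []
    md_indexes = [i for i, r in enumerate(rules) if has_md_tag(r["name"])]
    if not md_indexes:
        return [(None, "no Mirror and Decrypt rule found")]
    first_md = md_indexes[0]

    for i, r in enumerate(rules):
        if i in md_indexes:
            if r.get("action") != "Accept":
                findings.append((i, "M&D rule Action must be Accept"))
            if r.get("vpn", "Any") != "Any":
                findings.append((i, "M&D rule VPN must stay *Any"))
            if uses_content_criteria(r):
                findings.append((i, "M&D rule must not use Content criteria"))
            target = r.get("install_on", "Policy Targets")
            if target != "Policy Targets":
                ver = parse_version(target.get("version", "")) if isinstance(target, dict) else None
                if ver is None or ver < MIN_GATEWAY_VERSION:
                    findings.append((i, "Install On must be *Policy Targets or a gateway/cluster of R80.20 or higher"))
        else:
            if i < first_md and uses_content_criteria(r):
                findings.append((i, "rule above the M&D rules must not use Content criteria"))
            if (r.get("source_negated") or r.get("destination_negated")) and i > first_md:
                findings.append((i, "rule with an excluded source/destination must be above the M&D rules"))

    if separate_layer:
        last = len(rules) - 1
        if has_md_tag(rules[last]["name"]):
            findings.append((last, "default rule name must not contain an M&D string"))
        if rules[last].get("action") != "Accept":
            findings.append((last, "default rule of the M&D layer must be Accept, not Drop"))
    return findings


def filter_md_logs(records):
    """Step s: keep only log records whose Access Rule Name carries an M&D string."""
    return [rec for rec in records if has_md_tag(rec.get("access_rule_name", ""))]


# Constructed sample layer: an exclusion rule above the M&D rule, the M&D rule itself,
# and the layer's default rule switched from Drop to Accept.
SAMPLE_LAYER = [
    {"name": "Exclude finance servers", "source": "Finance-Net", "source_negated": True,
     "destination": "Any", "action": "Accept", "track": "None"},
    {"name": "<M&D> decrypt user web", "source": "Corp-Users", "destination": "Any",
     "vpn": "Any", "services": ["http", "https"], "action": "Accept", "track": "Log",
     "install_on": {"name": "gw-branch", "version": "R81"}},
    {"name": "Default", "source": "Any", "destination": "Any", "action": "Accept", "track": "None"},
]

# Constructed log records; field names are an assumption for this example.
SAMPLE_LOGS = [
    {"time": "10:00:01", "access_rule_name": "<M&D> decrypt user web", "src": "10.1.1.5", "dst": "203.0.113.7"},
    {"time": "10:00:02", "access_rule_name": "Allow DNS", "src": "10.1.1.5", "dst": "10.1.1.1"},
]

if __name__ == "__main__":
    for idx, msg in check_md_layer(SAMPLE_LAYER) or [(None, "layer passes all M&D checks")]:
        print(idx, msg)
    print(filter_md_logs(SAMPLE_LOGS))
```

Run it against your own exported layer description before publishing the session; every finding corresponds to one of the constraints in the list above, and a rule index of None means no rule carries one of the four mandatory strings at all.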