R80.10 Training
(revised: September 14, 2018)
©2018
©2015 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals 1
HTTPS Lab
HTTPS Internet traffic uses the SSL/TLS protocol and is encrypted to give data privacy and integrity.
Lab topology (network diagram; the VMs are labelled "VMware: suspend"):
• External Network (IP: 192.168.103.x): Kali (Pen Test Tool), IP: 192.168.103.100, User: root/Cpwins1!, Default Gtwy: 192.168.103.254
• Internal Network (IP: 192.168.101.x): Win-Victim (Internal Client), IP: 192.168.101.100, User: jroberts/Cpwins1!, Default Gtwy: 192.168.101.254
• Internal Network (IP: 192.168.101.x): EndpointServer (Endpoint Management), IP: 192.168.101.165, User: admin/Cpwins1!, Default Gtwy: 192.168.101.254
• R80 (Management & Gateway): Eth0: 192.168.101.254, Eth1: 192.168.102.254, Eth2: 192.168.103.254, User: admin / Cpwins1!, GUI: admin / Cpwins1!, Default Gtwy: 192.168.103.2
• DMZ Network (IP: 192.168.102.x): Ubuntu (Web Server), IP: 192.168.102.5, User: admin/Cpwins1!, Default Gtwy: 192.168.102.254
• DMZ Network (IP: 192.168.102.x): Win-DC (Active Directory), IP: 192.168.102.2, User: Administrator /Cpwins1!, Domain: LAB.TEST, Default Gtwy: 192.168.102.254
• DNS servers shown in the diagram: 192.168.102.2, 8.8.8.8, 127.0.1.1, 192.168.103.2
Certificate Verification
• The HTTPS Lab requires Application Control & URLF blades to be enabled.
• Enable Application Control and URL Filtering.
• Click “+” to open the picker in any Services & Applications cell.
View Certificate
Certification Path
• Click on Step 1: Create and the CA creation dialog window will appear.
Open HTTPS
Policy
Add Rule
Financial Services
Blades
Validate HTTPS Policy
• In SmartDashboard, select Trusted CAs in the left sidebar.
• If there is an update to the Trusted CA and Blacklist file, click the Install now button.
• Review the update list and click Proceed.
• Within 1 - 2 minutes a window will show if the update was successful.
• Before exiting SmartDashboard click Menu -> File -> Update.
CA Update?
• Exit SmartDashboard.
• In SmartConsole, install the policy.
Review Questions
• In Access Control, click on the menu icon, and select Edit Layer.
Note: Even though Application Control is enabled on the R80 object and in the policy, the current policy doesn’t have a rule that uses a blade where HTTPS inspection is needed. Only IP, port and services will match the connection now.
Manual Certificate Install
Modify the Internal Access section to add a rule that drops connections to Critical Risk applications and sites with a Blocked Message (see below). The new rule will be above the existing rule that accepts any other Internal network connections.
Note: Make sure you install the Root CA certificate from the R80 Gateway (R80.cer), and not the Web server certificate.
Note: It is NOT recommended to use the automatic certificate store in the import wizard, since it sometimes installs the CA certificate in the wrong store.
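One way to do the manual install on the Windows client from PowerShell, as an added example that is not part of the lab guide: it checks that the file is a self-signed CA certificate rather than a server certificate, then imports it into the Trusted Root store by name instead of letting a wizard choose. The file location and the use of the machine-wide store are assumptions.

```powershell
# Added example, not from the lab guide. Run from an elevated PowerShell prompt.
param([string]$Path = '.\R80.cer')   # file name from the lab; its location is an assumption

$full = (Resolve-Path -LiteralPath $Path).Path
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($full)

# A CA certificate carries Basic Constraints (OID 2.5.29.19) with CA=TRUE.
# A web server (leaf) certificate does not.
$isCa = $false
$ext  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
if ($ext) {
    $bc   = [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]::new($ext, $ext.Critical)
    $isCa = $bc.CertificateAuthority
}

# A root CA is self-signed: subject and issuer are the same name.
$selfSigned = ($cert.Subject -eq $cert.Issuer)

if (-not ($isCa -and $selfSigned)) {
    throw "Not a root CA certificate (CA=$isCa, self-signed=$selfSigned): $($cert.Subject)"
}

# Name the destination store explicitly: Trusted Root Certification Authorities.
Import-Certificate -FilePath $full -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# List every store that now holds this certificate, to confirm it is in Root
# and to spot a copy left in another store by an earlier wizard import.
Get-ChildItem Cert:\ -Recurse -ErrorAction SilentlyContinue |
    Where-Object { $_.Thumbprint -eq $cert.Thumbprint } |
    Select-Object Subject, Thumbprint, PSParentPath
```

If the script stops with "Not a root CA certificate", the file is most likely the web server certificate the note above warns about.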
R80 cert
None
SSL/TLS Protocol Features
• Remember the gateway is a MitM. How secure is the gateway’s connection to the end site?
End of Lab