
HTTPS INSPECTION

R80.10 Training
(revised: September 14, 2018)

©2018 Check Point Software Technologies Ltd. [Confidential] For designated groups and individuals
HTTPS Lab
HTTPS Internet traffic uses the SSL/TLS protocol and is encrypted to give the data privacy and integrity.

However, HTTPS traffic is also a possible security risk: it can hide illegal user activity and malicious traffic, and the gateway cannot inspect HTTPS traffic while it is encrypted.

You can enable the HTTPS Inspection feature to let the gateway act as a man-in-the-middle: it terminates the client's TLS connection with a certificate issued by its own CA and creates a new SSL/TLS connection to the external site. The gateway is then able to decrypt and inspect the HTTPS traffic before re-encrypting it towards the client.



Lab network (reconstructed from the diagram on this slide; every host is a VMware VM, and the diagram notes "VMware: suspend" for each one):

External Network 192.168.103.x (Gateway IP: 192.168.103.1)
• Kali (Pen Test Tool): IP 192.168.103.100, user root / Cpwins1!, default gateway 192.168.103.254, DNS 8.8.8.8

Internal Network 192.168.101.x
• Win-Victim (Internal Client): IP 192.168.101.100, user jroberts / Cpwins1!, default gateway 192.168.101.254, DNS 192.168.102.2
• Endpoint Management (EndpointServer): IP 192.168.101.165, user admin / Cpwins1!, default gateway 192.168.101.254, DNS 192.168.102.2

DMZ Network 192.168.102.x
• Ubuntu (Web Server): IP 192.168.102.5, user admin / Cpwins1!, default gateway 192.168.102.254, DNS 8.8.8.8
• Win-DC (Active Directory, domain LAB.TEST): IP 192.168.102.2, user Administrator / Cpwins1!, default gateway 192.168.102.254, DNS 127.0.1.1

R80 (Management & Gateway)
• Eth0: 192.168.101.254 (Internal), Eth1: 192.168.102.254 (DMZ), Eth2: 192.168.103.254 (External)
• Default gateway 192.168.103.2, DNS 192.168.103.2 and 8.8.8.8
• User: admin / Cpwins1! (CLI and GUI)
HTTPS Lab
Certificate Verification
• The HTTPS Lab requires the Application Control and URL Filtering (URLF) blades to be enabled.

• Edit the R80 object.

• Enable Application Control and URL Filtering.

• Install the policy.


HTTPS Lab
Certificate Verification
• Navigate to SECURITY POLICIES -> Access Control -> Policy.

• Click “+” to open the picker in any Services & Applications cell.

• Click Services in the upper left.

• Notice only Services are available: the Access Control layer does not yet have Applications & URL Filtering enabled, so applications, sites and categories cannot be selected here.


HTTPS Lab
Certificate Verification
• Access the following URL from Win-Victim in Chrome:
  – https://www.google.com

• The green padlock shows that the browser reports the connection as secure.

• Use the hotkey “F12” to open Developer Tools.

• In the tabbed menu, select the right arrow, then Security.


HTTPS Lab
Certificate Verification
• Select View Certificate and Certification Path.

• Notice this is a trusted certificate: it is issued by Google's intermediate CA and chains to a publicly trusted root that is already in the Windows certificate store used by Chrome.


HTTPS Lab
Enable HTTPS Inspection

• Open the R80 object and select HTTPS Inspection.

• Click Step 1: Create, and the CA creation dialog window will appear.


HTTPS Lab
Enable HTTPS Inspection
Step 1: Clients will need to trust the new CA certificate. Create the CA, then export the self-signed CA certificate for later use. The export contains only the public key; the CA private key is not exported and must be protected, because anyone holding it can issue a certificate for any site that the clients trust.

Step 2: Click Export certificate and save it as R80.cer on the Win-Victim desktop (copy and paste from the host laptop if needed).

Step 3: Enable HTTPS Inspection and click OK.


HTTPS Lab
Validate HTTPS Policy
• Click SECURITY POLICIES, navigate to HTTPS Inspection.

• Click Open HTTPS Policy in SmartDashboard.


HTTPS Lab
Validate HTTPS Policy
• In SmartDashboard, select Policy.

• Add a rule at the top to bypass Financial Services sites (category Financial Services, action Bypass).

• At the bottom of the window notice that well-known update services are already bypassed.

• Notice the blades that use HTTPS Inspection.
HTTPS Lab
Validate HTTPS Policy
• In SmartDashboard, select Trusted CAs in the left sidebar. The gateway uses this list to validate the certificates of the external sites it connects to on the client's behalf, so keep it current.

• If there is an update to the Trusted CA and Blacklist file, click the Install now button.

• Review the update list and click Proceed.

• Within 1 - 2 minutes a window will show whether the update was successful.

• Before exiting SmartDashboard click Menu -> File -> Update.

• Exit SmartDashboard.

• In SmartConsole, install the policy.


HTTPS Lab
Validate HTTPS Policy
• In Chrome open a new tab and navigate to https://www.bing.com.
• Use the “F12” hotkey to view the certificate.



HTTPS Lab

Review Questions

1. Is the firewall included as one of the blades that uses HTTPS Inspection?

2. Will the certificate that we created be used for inbound HTTPS Inspection, e.g. from an external client to an internal web server?
HTTPS Lab
Manual Certificate Install
• When the gateway inspects HTTPS traffic, it acts as a Man-in-the-Middle, terminating the connection between the client and the gateway and opening another connection from the gateway to the server, e.g. www.google.com.

• The certificate the client sees is issued on the fly by the gateway's CA. That CA certificate is self-signed and not in the trusted CA store of the browser, so we expect the browser not to trust the gateway’s certificate.

• Is there a change in the trust status of www.google.com?

• Also check https://www.bing.com. (Chrome may reach Google over QUIC, which runs over UDP and is not HTTPS-inspected, so Google is not a reliable indicator.)

Note: Even though Application Control is enabled on the R80 object, the current policy doesn’t use a blade other than the firewall blade, so HTTPS Inspection isn’t needed and no connections are decrypted yet. (The behavior is different in labs that use R77.x gateways.)
HTTPS Lab
Manual Certificate Install
• R80.10 unifies multiple access control blades into one unified policy.

• Navigate to SECURITY POLICIES, and right click on Policy.

• Select Edit Policy.

• In Access Control, click on the menu icon, and select Edit Layer.



HTTPS Lab
Manual Certificate Install
• In the Layer Editor, enable Applications & URL Filtering.

• Enable Content Awareness and click OK twice.



HTTPS Lab
Manual Certificate Install
• In rule 4, click + in the Services & Applications column.

• Click All in the upper left and notice that applications, sites and categories can now be added to the rule.

• Without changing the security rules, install the policy.

(Notice there is also a Content column now.)


HTTPS Lab
Manual Certificate Install
• After the policy install refresh the google and bing pages.

• Is there a change in the trust status of www.google.com? How about www.bing.com? If you like, check www.amazon.com in another tab.

• Check the Log Viewer Top Services. Google connections may be using the QUIC protocol.

• What percentage of the connections use HTTPS?

Note: Even though Application Control is enabled on the R80 object and in the policy, the current policy doesn’t have a rule that uses a blade where HTTPS Inspection is needed. Only IP, port and service will match the connection now, so the traffic is still passed through encrypted.
HTTPS Lab
Manual Certificate Install
Modify the Internal Access section to add a rule that drops, with a Blocked Message, connections to Critical Risk applications and sites.

The new rule will be above the existing rule that accepts any other Internal network connections.

• Right click in the number column on rule 4 and select New Rule Above.

• Drag the Net_192.168.101.0 object from the Source column in rule 5 to the Source column in the new rule 4.

• Click the “+” in the Services & Applications column.

• To help us find “Critical Risk” among the 8000+ entries we can search for risk. Click + to add it.


HTTPS Lab
Manual Certificate Install
• In the Action column select Drop with Blocked Message.
• In the Track column select Log.
• Install the policy.
• Test the connection to google and bing again.



HTTPS Lab
Manual Certificate Install
• Notice the browser now reports the connection as not secure for HTTPS sites other than google (Google may still be reached over QUIC, which is not inspected).

• Checking the certificate (F12) we now see it is issued by the gateway's CA rather than by the site's public CA.


HTTPS Lab
Manual Certificate Install
• To complete this section we’ll manually import the gateway CA certificate into the certificate store used by the browser.

• Locate R80.cer on the Win-Victim desktop.

• Click on the R80.cer CA certificate and View Certificate.

• Now start the Certificate Import Wizard by clicking Install Certificate.

Note: Make sure you install the Root CA certificate from the R80 Gateway (R80.cer), and not a Web server certificate that the gateway issued for a site; only the self-signed CA certificate belongs in the Trusted Root store.

Note: It is NOT recommended to use the automatic certificate store selection in the import wizard, since it sometimes installs the CA certificate in the wrong store.
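Before importing a file into Trusted Root Certification Authorities, a practitioner would want to confirm that it really is the self-signed R80 CA certificate and not a gateway-issued site certificate, which is the distinction the two notes above (and the earlier slide on the self-signed CA) turn on. The script below is an added example, not part of the Check Point lab material: it walks the DER structure of a certificate with the Python standard library only and reports subject, issuer, whether issuer equals subject (self-signed) and whether BasicConstraints says CA:TRUE. The two certificates at the bottom are constructed inside the script with placeholder keys and signatures (the names R80, LAB.TEST and www.bing.com are stand-ins); pass the path of a real R80.cer on the command line to check the exported file instead.

```python
import base64
import hashlib
import sys

OID_NAMES = {b"\x55\x04\x03": "CN", b"\x55\x04\x0a": "O", b"\x55\x04\x06": "C"}
OID_BASIC_CONSTRAINTS = b"\x55\x1d\x13"                  # 2.5.29.19
OID_SHA256_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b"  # 1.2.840.113549.1.1.11
OID_RSA = b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01"         # 1.2.840.113549.1.1.1


def der_read(buf, pos=0):
    """Decode one DER TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                    # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Split a constructed DER value into its (tag, value) children."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = der_read(value, pos)
        out.append((tag, val))
    return out


def name_to_str(name_value):
    """Render an X.501 Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    parts = []
    for _, rdn in der_children(name_value):
        for _, atv in der_children(rdn):
            (_, oid), (_, val) = der_children(atv)[:2]
            parts.append(f"{OID_NAMES.get(oid, oid.hex())}={val.decode('utf-8', 'replace')}")
    return ", ".join(parts)


def assess(cert_der):
    """Extract subject, issuer, self-signed and CA flags and the SHA-256 fingerprint."""
    _, cert_body, _ = der_read(cert_der)
    (_, tbs), _sig_alg, _sig = der_children(cert_body)[:3]
    fields = der_children(tbs)
    if fields[0][0] == 0xA0:                             # explicit [0] version present
        fields = fields[1:]
    issuer, subject = fields[2][1], fields[4][1]         # serial, sigAlg, issuer, validity, subject
    is_ca = False
    for tag, val in fields[6:]:
        if tag != 0xA3:                                  # only the [3] extensions matter here
            continue
        for _, ext in der_children(der_children(val)[0][1]):
            items = der_children(ext)                    # extnID, [critical], extnValue
            if items[0][1] == OID_BASIC_CONSTRAINTS:
                bc_seq = der_children(items[-1][1])[0][1]  # OCTET STRING wraps a SEQUENCE
                is_ca = any(t == 0x01 and v == b"\xff" for t, v in der_children(bc_seq))
    return {"subject": name_to_str(subject), "issuer": name_to_str(issuer),
            "self_signed": issuer == subject, "is_ca": is_ca,
            "sha256": hashlib.sha256(cert_der).hexdigest()}


def ok_to_import_as_root(cert_der):
    """Only a self-signed CA certificate belongs in Trusted Root Certification Authorities."""
    info = assess(cert_der)
    return info["self_signed"] and info["is_ca"]


def load_cert(path):
    """Read a .cer file, accepting DER or PEM (Base64-armoured) encoding."""
    data = open(path, "rb").read()
    if data.lstrip().startswith(b"-----"):
        data = base64.b64decode(b"".join(l for l in data.splitlines() if not l.startswith(b"-----")))
    return data


# ---- constructed samples: placeholder key and signature, structure only ----
def _der(tag, content):
    """Minimal DER encoder used only to build the samples below."""
    n = len(content)
    if n < 0x80:
        lb = bytes([n])
    else:
        lenb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        lb = bytes([0x80 | len(lenb)]) + lenb
    return bytes([tag]) + lb + content


def _name(o, cn):
    atv = lambda oid, s: _der(0x31, _der(0x30, _der(0x06, oid) + _der(0x0C, s.encode())))
    return _der(0x30, atv(b"\x55\x04\x0a", o) + atv(b"\x55\x04\x03", cn))


def _cert(issuer, subject, ca):
    """Structurally valid v3 certificate; the key and signature are placeholders."""
    alg = _der(0x30, _der(0x06, OID_SHA256_RSA) + _der(0x05, b""))
    bc = _der(0x04, _der(0x30, _der(0x01, b"\xff") if ca else b""))
    ext = _der(0x30, _der(0x06, OID_BASIC_CONSTRAINTS) + _der(0x01, b"\xff") + bc)
    tbs = _der(0x30, _der(0xA0, _der(0x02, b"\x02")) + _der(0x02, b"\x01") + alg + issuer
               + _der(0x30, _der(0x17, b"180914000000Z") + _der(0x17, b"280914000000Z"))
               + subject + _der(0x30, _der(0x30, _der(0x06, OID_RSA) + _der(0x05, b"")) + _der(0x03, b"\x00\x30\x00"))
               + _der(0xA3, _der(0x30, ext)))
    return _der(0x30, tbs + alg + _der(0x03, b"\x00" * 17))


GATEWAY_CA_NAME = _name("LAB.TEST", "R80")              # stand-in for the real R80.cer subject
GATEWAY_CA_DER = _cert(GATEWAY_CA_NAME, GATEWAY_CA_NAME, ca=True)
RESIGNED_LEAF_DER = _cert(GATEWAY_CA_NAME, _name("Example", "www.bing.com"), ca=False)

if __name__ == "__main__":
    samples = {"R80.cer (sample)": GATEWAY_CA_DER, "gateway-issued site cert (sample)": RESIGNED_LEAF_DER}
    if len(sys.argv) > 1:                                # e.g. python check_ca.py R80.cer
        samples = {sys.argv[1]: load_cert(sys.argv[1])}
    for label, der in samples.items():
        info = assess(der)
        verdict = "OK to import into Trusted Root" if ok_to_import_as_root(der) else "not a root CA, do not import"
        print(f"{label}: subject=[{info['subject']}] issuer=[{info['issuer']}] "
              f"self_signed={info['self_signed']} ca={info['is_ca']} sha256={info['sha256'][:16]}... -> {verdict}")
```

The SHA-256 fingerprint is printed so it can be compared with the thumbprint Chrome shows for the imported root; the script does not verify signatures, so it answers "is this file the kind of certificate that belongs in Trusted Root", not "is this certificate genuine".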


HTTPS Lab
Manual Certificate Install
• Follow the wizard steps and import the certificate into the Trusted Root Certification Authorities store.

• In a production domain the CA certificate would normally be distributed to all clients with Group Policy rather than installed by hand on each machine.


HTTPS Lab
Manual Certificate Install
• Close and reopen the browser.

• We now see the browser trusts the gateway certificate: the certification path ends at the R80 CA certificate that was just imported.


HTTPS Lab
Manual Certificate Install
• Check the HTTPS policy bypass rule.

• Browse to a banking site like www.wellsfargo.com.

• In the logs use the HTTPS Inspection query.

• The action should be HTTPS Inspection Bypass.


HTTPS Lab
Manual Certificate Install
To reduce the number of HTTPS logs…

• Navigate to SECURITY POLICIES -> Access Control -> HTTPS Inspection. Click on SmartDashboard.

• Change the Track option of rule 1 (the bypass rule) to None.

• Save the policy via Menu -> File -> Update.

• While in SmartDashboard click Server Certificates in the left sidebar to see where you would import server certificates (with their private keys) for Inbound HTTPS Inspection. Exit SmartDashboard and install the policy.


ADVANCED TOPICS

HTTPS Lab
SSL/TLS Protocol Features
• Remember the gateway is a MitM. The browser's padlock only describes the client-to-gateway leg; how secure is the gateway’s connection to the end site?

• You can check the SSL/TLS protocol and cipher suites used on that leg. From Win-Victim go to https://www.ssllabs.com/ssltest/viewMyClient.html. With HTTPS Inspection active the page reports on the gateway's TLS client, not on Chrome, so compare the result with the same page viewed from a bypassed or uninspected client.
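What viewMyClient reports is derived from the ClientHello it receives, and with HTTPS Inspection active that ClientHello comes from the gateway's TLS client rather than from Chrome. The script below is an added example, not code from the lab or from Check Point: it parses a raw TLS ClientHello record and lists the offered protocol versions (from the supported_versions extension, or the legacy client_version field for pre-TLS 1.3 clients), the SNI and the cipher suites, and flags legacy suites. Both sample hellos are constructed inside the script (all-zero random, no key share) and the cipher-suite table is a small subset of the IANA registry; the same parser can be pointed at the first record of a packet capture taken on the gateway's external interface.

```python
import struct

VERSION_NAMES = {0x0300: "SSL 3.0", 0x0301: "TLS 1.0", 0x0302: "TLS 1.1",
                 0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}
CIPHER_NAMES = {                                   # small subset of the IANA registry
    0x1301: "TLS_AES_128_GCM_SHA256", 0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02F: "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256", 0xC030: "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    0xC013: "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", 0x002F: "TLS_RSA_WITH_AES_128_CBC_SHA",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA", 0x0004: "TLS_RSA_WITH_RC4_128_MD5",
}
WEAK_MARKERS = ("RC4", "3DES", "_MD5", "NULL", "EXPORT", "DES_CBC")
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0, 43


def parse_client_hello(record):
    """Walk TLS record -> Handshake -> ClientHello (RFC 8446 section 4.1.2)."""
    ctype, _rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 22:
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 1:
        raise ValueError("not a ClientHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    legacy_version = int.from_bytes(body[0:2], "big")
    pos = 2 + 32                                   # skip the 32-byte client random
    pos += 1 + body[pos]                           # legacy_session_id
    cs_len = int.from_bytes(body[pos:pos + 2], "big")
    pos += 2
    suites = [int.from_bytes(body[i:i + 2], "big") for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression methods
    ext_versions, sni = None, None
    if pos < len(body):                            # extensions block is optional
        end = pos + 2 + int.from_bytes(body[pos:pos + 2], "big")
        pos += 2
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            edata = body[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == EXT_SUPPORTED_VERSIONS:    # u8 length, then u16 versions
                ext_versions = [int.from_bytes(edata[1 + i:3 + i], "big") for i in range(0, edata[0], 2)]
            elif etype == EXT_SERVER_NAME:         # u16 list len, u8 type, u16 name len, name
                sni = edata[5:5 + int.from_bytes(edata[3:5], "big")].decode()
    return {"legacy_version": legacy_version, "suites": suites, "sni": sni,
            "supported_versions_ext": ext_versions is not None,
            # pre-TLS 1.3 clients only advertise the highest version they support
            "versions": ext_versions if ext_versions is not None else [legacy_version]}


def assess_client(record):
    """Summarise a ClientHello the way a viewMyClient-style report would."""
    hello = parse_client_hello(record)
    suite_names = [CIPHER_NAMES.get(s, f"0x{s:04X}") for s in hello["suites"]]
    return {
        "sni": hello["sni"],
        "versions": [VERSION_NAMES.get(v, f"0x{v:04X}") for v in hello["versions"]],
        "suites": suite_names,
        "weak_suites": [n for n in suite_names if any(m in n for m in WEAK_MARKERS)],
        "offers_tls13": 0x0304 in hello["versions"],
        "max_version_only": not hello["supported_versions_ext"],
    }


def build_client_hello(suites, sni, versions=None, legacy_version=0x0303):
    """Constructed sample ClientHello (zero random, no key shares); versions=None
    omits supported_versions, as a pre-TLS 1.3 client would."""
    host = sni.encode()
    name_entry = b"\x00" + struct.pack(">H", len(host)) + host
    sn_list = struct.pack(">H", len(name_entry)) + name_entry
    ext = struct.pack(">HH", EXT_SERVER_NAME, len(sn_list)) + sn_list
    if versions:
        vs = b"".join(struct.pack(">H", v) for v in versions)
        ext += struct.pack(">HH", EXT_SUPPORTED_VERSIONS, len(vs) + 1) + bytes([len(vs)]) + vs
    body = (struct.pack(">H", legacy_version) + bytes(32) + b"\x00"
            + struct.pack(">H", 2 * len(suites)) + b"".join(struct.pack(">H", s) for s in suites)
            + b"\x01\x00" + struct.pack(">H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs


MODERN_HELLO = build_client_hello([0x1302, 0x1301, 0xC030, 0xC02F], "www.ssllabs.com",
                                  versions=[0x0304, 0x0303])
LEGACY_HELLO = build_client_hello([0xC013, 0x002F, 0x000A, 0x0004], "www.ssllabs.com",
                                  legacy_version=0x0301)

if __name__ == "__main__":
    for label, rec in (("modern TLS client", MODERN_HELLO), ("legacy TLS client", LEGACY_HELLO)):
        r = assess_client(rec)
        print(f"{label}: sni={r['sni']} versions={r['versions']} "
              f"weak_suites={r['weak_suites']} max_version_only={r['max_version_only']}")
```

A gateway whose upstream leg looks like the legacy sample would still show the browser a green padlock, since the browser only ever negotiates with the gateway; the HTTPS Best Practices Guide (sk108202) referenced at the end of this deck is the starting point for the gateway-side settings.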


HTTPS Best Practices Guide
SecureKnowledge sk108202

End of Lab
