Monday, January 28, 2019

HTTPS Inspection Bypass mechanism - Probe Bypass



Improvements in HTTPS Inspection Bypass mechanism - Probe Bypass


Important Note: Probe Bypass should not be used if there is a proxy between the Security Gateway and the Internet.
Limitations of HTTPS Inspection Bypass Mechanism without Probe Bypass:
  • Every first connection to a site is inspected even if it should have been bypassed according to the policy.
  • Non-Browser Applications connections are dropped when HTTPS Inspection is enabled (even if bypass is configured).
  • Client certificate connections are dropped when HTTPS Inspection is enabled (even if bypass is configured).
Improvements introduced by Probe Bypass:
  • Bypass mechanism was improved to better reflect policy and resolve the above limitations:
    • Stop the inspection of the first connection to bypassed sites.
    • Allow bypass of Non-Browser Applications connections.
    • Allow Bypass of connections to servers that require client certificate.
  • New probing mechanism eliminates the need to inspect the first connection to an IP address unless it is required by the policy.
Limitations of HTTPS Inspection Bypass Mechanism with enabled Probe Bypass:
  • HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.
    Note: There is now a hotfix for Probe Bypass and sites that use SNI (for R80.10). You will need to contact your SE and open a Request for Enhancement to receive it.
Status of Improved HTTPS Inspection Bypass feature (Probe Bypass) is controlled by the value of kernel parameter enhanced_ssl_inspection:
    Value   Explanation
    0       Default value. Probe Bypass is disabled.
    1       Probe Bypass is enabled.
Note: The steps below will affect all Virtual Systems in VSX mode.
To enable the Improved HTTPS Inspection Bypass feature (Probe Bypass) on Security Gateway / each cluster member, set the value of kernel parameter enhanced_ssl_inspection to 1.
  • To check the current value of a kernel parameter:
    [Expert@HostName]# fw ctl get int enhanced_ssl_inspection
  • To set the desired value for a kernel parameter on-the-fly (does not survive reboot):
    [Expert@HostName]# fw ctl set int enhanced_ssl_inspection 1
  • To set the desired value for a kernel parameter permanently:
    Follow sk26202 (Changing the kernel global parameters for Check Point Security Gateway).
    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):
      [Expert@HostName]# touch $FWDIR/boot/modules/fwkern.conf
    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:
      [Expert@HostName]# vi $FWDIR/boot/modules/fwkern.conf
    3. Add the following line (spaces and comments are not allowed):
      enhanced_ssl_inspection=1
    4. Save the changes and exit from Vi editor.
    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:
      [Expert@HostName]# cat $FWDIR/boot/modules/fwkern.conf
    6. Reboot the Security Gateway / each cluster member.
To disable the Probe Bypass on Security Gateway / each cluster member, follow the steps above to set the value of kernel parameter enhanced_ssl_inspection to 0.
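The steps above edit fwkern.conf by hand, and the line must be exactly NAME=VALUE with no spaces or comments. The following POSIX shell helper is an added example (not part of the sk article or Check Point's own tooling) that sets a parameter in a fwkern.conf-style file idempotently, reads it back, and checks that every line is in the accepted form. It assumes the file path is passed as the first argument; on a real gateway that would be "$FWDIR/boot/modules/fwkern.conf", and the gateway still has to be rebooted for the change to take effect.

```shell
#!/bin/sh
# Added example, not from the original article: manage NAME=VALUE entries in a
# fwkern.conf-style file. Assumption: FILE is "$FWDIR/boot/modules/fwkern.conf"
# on a gateway; here it is passed explicitly so the functions can be tested
# against a temporary file.

# set_fwkern_param FILE NAME VALUE
# Creates FILE if missing (step 1, "touch"), removes any existing line for
# NAME so the parameter is never duplicated, and appends NAME=VALUE (step 3).
set_fwkern_param() {
    file=$1; name=$2; value=$3
    [ -f "$file" ] || : > "$file"
    tmp="$file.tmp.$$"
    grep -v "^${name}=" "$file" > "$tmp" || :   # grep exits 1 on no output; that is fine
    printf '%s=%s\n' "$name" "$value" >> "$tmp"
    mv "$tmp" "$file"
}

# get_fwkern_param FILE NAME
# Prints the configured value (last occurrence wins); returns 1 if NAME is absent.
get_fwkern_param() {
    sed -n "s/^$2=//p" "$1" | tail -n 1 | grep .
}

# check_fwkern_syntax FILE
# Returns 0 only if every line is NAME=VALUE with no whitespace and no '#'
# comments, which is the constraint stated in step 3; otherwise prints the
# offending lines with their line numbers and returns 1.
check_fwkern_syntax() {
    ! grep -nvE '^[A-Za-z_][A-Za-z0-9_]*=[^[:space:]#]+$' "$1"
}

# Usage on a gateway (as a comment so the file can be sourced safely):
#   set_fwkern_param "$FWDIR/boot/modules/fwkern.conf" enhanced_ssl_inspection 1
#   check_fwkern_syntax "$FWDIR/boot/modules/fwkern.conf" && echo "fwkern.conf OK, reboot to apply"
```

Running check_fwkern_syntax before rebooting catches the common mistake of adding a commented or space-padded line, which would otherwise only show up after the reboot when `fw ctl get int enhanced_ssl_inspection` still reports 0.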
In addition, refer to: