Wednesday, September 10, 2014

How to Block https connections using Check Point.



  Problem Description:

Customer wants to block https connections using URL filtering.
Existing URL filtering blade doesnt block https connections like https://www.facebook.com.
However it does block http connections.


 Requirement:

Check Point R75.20

If you are running any older version of Check Point then you will not be able to block https connections.
Check Point's R75.20 release will allow admins to inspect https connection and thus block the same.


 Background:

[You can Ignore this section and move on unless you want to understand the things happening in background]

HTTPs connections are secure connections as all packets leaving your laptop/computer is encrypted and will only be decrypted by the remote Wed server.
No one can sniff those packets to look what data is being transferred through HTTPs connection.Therefore, all banking websites are enabled to work with
HTTPs protocol. By enabling HTTPs inspection on Firewall the Firewall Gateway will break that connection into two parts. First part of the Connection is
between your laptop/computer to Firewall Gateway and Second part of the Connection is between the Firewall Gateway to Actual Website.

Eveytime a user tryies to access any HTTPs site Firewall Gateway will offer its pwn Certificate and at the same time initiates a connection to Actual Website.
Since the Certificate offered by Firewall Gateway is self signed users will start receiving certificate warnings when they try to access any https website,
I am assuming you have not purchased a new certificate from 3rd party vendors like Verisign etc and installed on Firewall Gateway. You can install the Firewall's
certifate on your laptop to get rid of these annoying warning messages. Since the connection is now encrypted between user laptop/Desktop to Firewall Gateway,
Firewall can now inspect the data and block the same as per requirement. Traffic between Firewall and actual Website is also encrypted so there is no compromise on security.


 How to configure:


 1. First of all you need to enable https inspection on Gateway and enable URL filtering Blade.

On Smart Dashboard Click on Firewall Gateway > General Properties > HTTPS Inspection:



 Step 1. Click on Create. Enter Details and click OK. You can enter anything you want under Issued By (DN) but it is good practice to add your companie's domain.






 Step 2. You can ignore this part at this moment.

 Step 3. Select the check box "Enable HTTPS Inspection". Click OK. Ingnore the warning and click OK again.



Click General Properties -> Select URL Filtering Blade. Click OK.





 2. Now Click on Application and URL Filtering Tab in Smart Dashboard.





 3. Create facebook site.

 Step a.Click Applications/Sites > New Applications/Site.



 Step b. Enter the name of Application/Site as > MYFacebook .Click Next.



 Step c.Click Applications/Sites > Enter *.facebook.com and Click Add.



 Step d. Leave the Default Primary Category As "Custom Application/Site". Click Next.



 Step e. Click Finish.


 4. Now on Application & URL Filtering Tab Click on Policy.




 5. Create a rule like this. Source = any; Destination = Internet; Applications/Sites: Select the Object 'MYFacebook' which you have created above.; Action = Block, Blocked Message; Track = Log.



 6. Push Policy.






 7. Now https://www.facebook.com is blocked and users will received "Blocked Message" when they try to access facebook.


 Additional Information:

1. R75.20 requires Software Blade Licenses and will not work with old NGX license.

2. HTTPs Inspection should be used with other blades to make some sense. Otherwise there is no need to enable HTTPs
inspection if you dont want to inspect the packet using other blades.

3. HTTPs Inspection works with IPS,URL Filtering, Application Control, Anti Virus and DLP Blade.

4. To Block HTTPs connection you need URL Filtering OR Application Control Blade License. Above Steps assumes that
you have URL Filtering Blade License.

5. If you dont have URL Filtering Blade and you want to block HTTP sites using Application Control Blade then in Step 5
Above Just Select the inbuilt Facebook object instead of your own Custome Object MYFacebook.

6. The moment you enable HTTPs inspection anyone accessing HTTPs website from internal Network will start receiving
certificate warnings. They have two options. a. Install the CA certificate b. Ignore the warining everytime. Leave your comment
if you want to know "how to Install CA certificate in Browser to get rid of certificate warnings.".

7. To know about differences between Legacy URL Filtering and New URL Filtering Blade refer sk65124.


 Important:

1. WIth R75.20 you can update your application control database and it will automatically block https connections to facebook and other sites. No need to follow steps above.
2. With R75.40 you can even block Utrasurf and Tor. Remeber that these protocols/applocations were not blocked earlier.

No comments: