Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)
Introduction
SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable.
An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Versions Tested
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain
F5 BIG-IP version 17.1
SSL Orchestrator version 11.0
CheckPoint Gaia R81.20
CheckPoint SmartConsole version 81.20.9700.641
CheckPoint Firewall will be configured in Bridging mode (L2)
Additional Help
If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
Demo video:
VMware ESX Configuration
Create the following 4 Port Groups:
Network-North
Network-South
New-Checkpoint-Egress
New-Checkpoint-Ingress
Attach them to a vSwitch, CheckPoint-Switch in this example:
Configure the BIG-IP virtual settings as follows:
NOTE:
VM Network is used for Management
Network-North is used for connectivity to the North side of the network
Network-South is used for connectivity to the South side of the network
New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall
New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP
Configure the CheckPoint Firewall virtual settings as follows:
NOTE:
VM Network is used for Management
New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall
New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP
CheckPoint Firewall Configuration
Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces.
Network interfaces cannot have an IP address when being added to a Bridge. In this example we’ll use eth1 and eth2.
Click Add then select Bridge
Set a Bridge Group number, 10 in this case. Add eth1 and eth2 to Chosen Interfaces. Click OK
Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example.
Select Network Management
Select Get Interfaces then choose one of the options, Without Topology in this example.
The Topology Results should look like the following.
Click Accept then OK. Click Publish at the top.
Click Publish again
Click Security Policies on the left
Change the Action from Drop to Accept.
Click Publish then Publish again
When that completes click Install Policy
Click Install
NOTE: in this example the policy is installed on a single firewall. Your setup may differ.
At this point the CheckPoint Firewall should be configured properly with a network Bridge and associated policy.
BIG-IP SSL Orchestrator Configuration
The BIG-IP VLAN settings should look like the following:
Egress is the VLAN used for connections from BIG-IP to the CheckPoint Firewall
Ingress is the VLAN used for connections from the CheckPoint Firewall to the BIG-IP
Network_North is used for network connectivity from the BIG-IP to the North
Network_South is used for network connectivity from the BIG-IP to the South
Create the CheckPoint Firewall Service
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Under Services, click Add.
In the Service Catalog select the Inline L2 tab then double click on Check Point Security Gateway Inline Layer 2
Give it a name, CheckPoint in this example, then click Add.
For the To Service VLAN select Egress
For the From Service VLAN select Ingress
Click Done
Enable Port Remap. Set the Remap Port to 80. Click Save and Next.
Click the name of the Service Chain.
Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
We’ll use tcpdump on the BIG-IP to verify connectivity.
The capture from the Network_South vlan shows the encrypted HTTPS request
The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.