Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)

Introduction

SSL Orchestrator centralizes and manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools, so they perform better and are more scalable.

An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content.

Versions Tested

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

F5 BIG-IP version 17.1

SSL Orchestrator version 11.0

CheckPoint Gaia R81.20

CheckPoint SmartConsole version 81.20.9700.641

CheckPoint Firewall will be configured in Bridging mode (L2)

Additional Help

If you are setting up SSL Orchestrator for the first time, refer to the Deployment Guide available HERE.

For information on SSL certificate considerations and trust, click HERE.

VMware ESX Configuration

Create the following 4 Port Groups:

Network-North

Network-South

New-Checkpoint-Egress

New-Checkpoint-Ingress

Attach them to a vSwitch, CheckPoint-Switch in this example:

Configure the BIG-IP virtual settings as follows:

NOTE:

VM Network is used for Management

Network-North is used for connectivity to the North side of the network

Network-South is used for connectivity to the South side of the network

New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall

New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP

Configure the CheckPoint Firewall virtual settings as follows:

NOTE:

VM Network is used for Management

New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall

New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP

CheckPoint Firewall Configuration

Using a web browser, connect to the GAIA Portal. Under Network Management select Network Interfaces.

Network interfaces cannot have an IP address when being added to a Bridge. In this example we'll use eth1 and eth2.

Click Add, then select Bridge.

Set a Bridge Group number, 10 in this case. Add eth1 and eth2 to Chosen Interfaces. Click OK.

Launch the SmartConsole and log in. Double click on the firewall you want to configure, check-fw1 in this example.

Select Network Management

Select Get Interfaces, then choose one of the options, Without Topology in this example.

The Topology Results should look like the following.

Click Accept, then OK. Click Publish at the top.

Click Publish again

Click Security Policies on the left

Change the Action from Drop to Accept.

Click Publish then Publish again

When that completes click Install Policy

Click Install

NOTE: in this example the policy is installed on a single firewall. Your setup may differ.

At this point the CheckPoint Firewall should be configured properly with a network Bridge and associated policy.

BIG-IP SSL Orchestrator Configuration

The BIG-IP VLAN settings should look like the following:

Egress is the VLAN used for connections from BIG-IP to the CheckPoint Firewall

Ingress is the VLAN used for connections from the CheckPoint Firewall to the BIG-IP

Network_North is used for network connectivity from the BIG-IP to the North

Network_South is used for network connectivity from the BIG-IP to the South

Create the CheckPoint Firewall Service

This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.

Navigate to SSL Orchestrator > Configuration.

Under Services, click Add.

In the Service Catalog select the Inline L2 tab, then double click on Check Point Security Gateway Inline Layer 2.

Give it a name, CheckPoint in this example, then click Add.

For the To Service VLAN select Egress.

For the From Service VLAN select Ingress.

Click Done

Enable Port Remap.  Set the Remap Port to 80.  Click Save and Next.

Click the name of the Service Chain.

Select the CheckPoint Service from the left and click the arrow to move it to the right.  Click Save.

Click OK

Click Save & Next at the bottom.

Click Deploy

Click OK to the Success message.

When done it should look like the following:

From the Services screen, if you expand the Pool Member Status you should see the CheckPoint Firewall.

Testing the Configuration

In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:

https://192.168.0.5

Test this connection now and it should look like the following:

We'll use tcpdump on the BIG-IP to verify connectivity.

The capture from the Network_South VLAN shows the encrypted HTTPS request.

The capture from the Egress VLAN shows plain-text HTTP content being sent to the CheckPoint Firewall for inspection.
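The two captures above tell one story: the client side (Network_South) must carry TLS on port 443, and the service side (Egress) must carry readable HTTP on the Remap Port (80) configured earlier. The following script, added here as an illustration and not part of the original article, parses tcpdump -A style output from both VLANs and reports whether that story holds, so a failed Port Remap or a service that never receives decrypted traffic shows up as a named finding rather than something to eyeball. The capture text is constructed; the server address 192.168.0.5 and remap port 80 are from the article, while the client address 10.1.10.50 and the `-A`-style payload lines are assumptions.

```python
"""Sanity-check tcpdump captures taken on the BIG-IP SSL Orchestrator path.

Added illustration, not code from the article or from F5/Check Point.
SOUTH_CAPTURE and EGRESS_CAPTURE are CONSTRUCTED to resemble tcpdump -A
output for the Network_South and Egress VLANs. Server 192.168.0.5 and the
remap port 80 come from the article; client 10.1.10.50 is an assumption.
"""
import re

# tcpdump one-line summary: "HH:MM:SS.ffffff IP src.port > dst.port: Flags [..], ..., length N"
_HDR = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\].*length (?P<len>\d+)"
)
# A readable HTTP request line in the -A payload, e.g. "GET / HTTP/1.1"
_HTTP_REQ = re.compile(r"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]")

# Constructed: client side of the topology, TLS ClientHello (opaque bytes) on 443.
SOUTH_CAPTURE = """\
10:15:01.000101 IP 10.1.10.50.51234 > 192.168.0.5.443: Flags [S], seq 1, win 64240, options [mss 1460], length 0
10:15:01.000355 IP 10.1.10.50.51234 > 192.168.0.5.443: Flags [P.], seq 1:518, ack 1, win 513, length 517
E..E..@.@......2...........P...............#..x"......'...Q.(.z..J
"""

# Constructed: decrypted copy sent to the CheckPoint service, remapped to port 80.
EGRESS_CAPTURE = """\
10:15:01.001204 IP 10.1.10.50.51234 > 192.168.0.5.80: Flags [P.], seq 1:78, ack 1, win 513, length 77
E..u..@.@.............P.
GET / HTTP/1.1
Host: 192.168.0.5
User-Agent: Mozilla/5.0
"""


def parse_capture(text):
    """Split tcpdump -A text into packets: each has dport, length and payload lines."""
    packets, current = [], None
    for line in text.splitlines():
        m = _HDR.match(line)
        if m:
            current = {"dport": int(m.group("dport")),
                       "length": int(m.group("len")), "payload": []}
            packets.append(current)
        elif current is not None and line.strip():
            current["payload"].append(line)
    return packets


def summarize(packets):
    """Which destination ports carried data, and was any payload a readable HTTP request?"""
    data_ports = {p["dport"] for p in packets if p["length"] > 0}
    http_seen = any(_HTTP_REQ.match(ln) for p in packets for ln in p["payload"])
    return {"data_ports": data_ports, "http_seen": http_seen}


def verify_path(south_text, egress_text, remap_port=80):
    """Return a list of findings; an empty list means both captures look as expected."""
    south = summarize(parse_capture(south_text))
    egress = summarize(parse_capture(egress_text))
    findings = []
    if 443 not in south["data_ports"]:
        findings.append("Network_South: no HTTPS (443) data seen; client may not be reaching the topology")
    if south["http_seen"]:
        findings.append("Network_South: plain-text HTTP visible on the client side; traffic is not TLS")
    if remap_port not in egress["data_ports"]:
        findings.append(f"Egress: no data on remap port {remap_port}; check Port Remap on the service")
    if not egress["http_seen"]:
        findings.append("Egress: no readable HTTP request; decrypted traffic is not reaching the service")
    return findings


if __name__ == "__main__":
    for f in verify_path(SOUTH_CAPTURE, EGRESS_CAPTURE) or ["OK: captures match the expected SSLO path"]:
        print(f)
```

Run it against real captures by saving each `tcpdump -A` session to a file and passing the file contents in place of the constructed strings; if Port Remap was left disabled, the Egress check will report that nothing arrived on port 80 even though the HTTP request is readable.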

Conclusion

This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.

Updated Jul 13, 2023
Version 2.0