Integrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy
Introduction
SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable.
An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Versions Tested
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain
F5 BIG-IP version 17.1
SSL Orchestrator version 11.0
CheckPoint Gaia R81.20
CheckPoint SmartConsole version 81.20.9700.641
CheckPoint Firewall will be configured as a Transparent Proxy
Additional Help
If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
Video Demo
VMware ESX Configuration
Create the following 4 Port Groups:
Network-North
Network-South
New-Checkpoint-Egress
New-Checkpoint-Ingress
Attach them to a vSwitch, CheckPoint-Switch in this example:
Configure the BIG-IP virtual settings as follows:
NOTE:
VM Network is used for Management
Network-North is used for connectivity to the North side of the network
Network-South is used for connectivity to the South side of the network
New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall
New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP
Configure the CheckPoint Firewall virtual settings as follows:
NOTE:
VM Network is used for Management
New-Checkpoint-Egress is used for connections from BIG-IP to the CheckPoint Firewall
New-Checkpoint-Ingress is used for connections from the CheckPoint Firewall to the BIG-IP
CheckPoint Firewall Configuration
Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces.
In this example eth1 is being used for incoming connections from the BIG-IP and has an IP address of 10.0.0.5. Eth2 is being used for outgoing connections to the BIG-IP and has an IP address of 10.1.1.5.
The outgoing IP address, 10.1.1.5 will need a route or default gateway that is the BIG-IP Self IP of 10.1.1.1 (to be configured later).
This example uses a closed network, a Static Route is added so the CheckPoint knows where to send connections destined for 192.168.0.5 (this is the IP address of the web server we will be using to test this).
Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example.
To create a simple NAT policy, click NAT. Check the box to Hide internal networks behind the Gateway’s external IP. Click OK.
Double click on check-fw1 again. Select Network Management
Select Get Interfaces then choose With Topology in this example.
The Topology Results should look like the following.
Click Accept then OK.
NOTE: Typically eth1 (10.0.0.5) should be defined as Internal and eth2 should be defined as External. However, in this example both interfaces are defined as Internal since this is a closed network.
Double click on the interface name to configure this.
For eth1 click Modify.
Set “Leads To” to Internal. Click OK
Double click on eth2. Click Modify.
You can change “Leads To” to Internet (External). Click OK
Click Publish at the top.
Click Publish again
Click Security Policies on the left
Change the Action from Drop to Accept
NOTE: This is just an example for this article. Normally you would not set a firewall policy to Any/Any/Accept
NOTE: A more granular NAT policy can be configured here instead of using the simple check box.
Click Publish then Publish again
When that completes click Install Policy
Click Install
NOTE: in this example the policy is installed on a single firewall. Your setup may differ.
At this point the CheckPoint Firewall should be configured properly with an Access Control Policy
BIG-IP SSL Orchestrator Configuration
The BIG-IP VLAN settings should look like the following:
Egress is the VLAN used for connections from BIG-IP to the CheckPoint Firewall
Ingress is the VLAN used for connections from the CheckPoint Firewall to the BIG-IP
North_vlan is used for network connectivity from the BIG-IP to the North
South_vlan is used for network connectivity from the BIG-IP to the South
Create the following Self IPs
10.0.0.1 is used for connections from BIG-IP to the CheckPoint Firewall. The VLAN is set to Egress.
10.1.1.1 is used for connections from the CheckPoint Firewall to BIG-IP. The VLAN is set to Ingress.
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the CheckPoint Firewall Service
Under Services, click Add.
In the Service Catalog select the Inline HTTP tab then double click on Generic HTTP Service
Give it a name, CheckPoint in this example. Uncheck the box to Auto Manage Addresses. Set the Proxy Type to Transparent.
For the To Service VLAN select 10.0.0.1/24
For HTTP Proxy Devices click Add
Enter 10.0.0.5 for the IP Address. Click Done
For the From Service select 10.1.1.1/24
Enable Port Remap. Set the Remap Port to 80. Set Manage SNAT Settings to Auto Map. Click Save and Next.
Click the name of the Service Chain.
Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
We’ll use tcpdump on the BIG-IP to verify connectivity.
The capture from the Network_South vlan shows the encrypted HTTPS request
The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection
Check the log file on the CheckPoint Firewall. Launch the SmartConsole and click LOGS & MONITOR. Double click on the entry highlighted below for more detail.
Here we can see the connection was Accepted. We can also see the Service is http on TCP port 80.
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.
Related Articles
Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)
Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy