Integrating SSL Orchestrator with CheckPoint Firewall VM-Explicit Proxy
Introduction
SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable.
An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Versions Tested
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain
F5 BIG-IP version 17.1
SSL Orchestrator version 11.0
CheckPoint Gaia R81.20
CheckPoint SmartConsole version 81.20.9700.641
CheckPoint Firewall will be configured as an Explicit Proxy
Additional Help
If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
Video demo
VMware ESX Configuration
Create the following 3 Port Groups:
Network-North
Network-South
New-CheckPoint-Egress
Attach them to a vSwitch, CheckPoint-Switch in this example:
Configure the BIG-IP virtual network settings as follows:
NOTE:
VM Network is used for Management
Network-North is used for connectivity to the North side of the network
Network-South is used for connectivity to the South side of the network
New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall
Configure the CheckPoint Firewall virtual network settings as follows:
NOTE:
VM Network is used for Management
New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall
CheckPoint Firewall Configuration
Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces.
In this example eth1 is being used for incoming and outgoing connections from/to the BIG-IP and the CheckPoint Firewall. It has an IP address of 10.0.0.5.
NOTE: eth2 is not used in this example
The CheckPoint interface 10.0.0.5 needs a route or default gateway pointing at the BIG-IP Self IP 10.0.0.1 (configured later in this article).
Because this example uses a closed network, a Static Route is added so the CheckPoint knows where to send connections destined for 192.168.0.5 (the IP address of the web server used to test this setup).
Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example.
Enable the HTTP/HTTPS Proxy with the following settings. Click OK when done.
Double click on check-fw1 again. Select Network Management
Select Get Interfaces then choose With Topology in this example.
The Topology Results should look like the following.
Click Accept then OK.
NOTE: Typically eth1 (10.0.0.5) should be defined as Internal.
Double click on the interface name to configure this.
For eth1 click Modify.
Set “Leads To” to Internal. Click OK.
Click Publish at the top.
Click Publish again
Click Security Policies on the left
Change the Action from Drop to Accept
NOTE: This is just an example for this article. Normally you would not set a firewall policy to Any/Any/Accept
Select NAT and create a new NAT rule like the following:
Set the Original Source to 10.0.0.1. Set the Original Destination to 10.0.0.5. Set the Translated Source to 10.0.0.5. Set Install On to the correct CheckPoint Firewall.
Click Publish then Publish again
When that completes click Install Policy
Click Install
NOTE: in this example the policy is installed on a single firewall. Your setup may differ.
At this point the CheckPoint Firewall should be configured properly with an Access Control Policy and NAT rule.
BIG-IP SSL Orchestrator Configuration
The BIG-IP VLAN settings should look like the following:
Egress is the VLAN used for connections from/to the BIG-IP and the CheckPoint Firewall
North_vlan is used for network connectivity from the BIG-IP to the North
South_vlan is used for network connectivity from the BIG-IP to the South
Create the following Self IP
10.0.0.1 is used for connections from/to the BIG-IP and the CheckPoint Firewall. The VLAN is set to Egress.
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the CheckPoint Firewall Service
Under Services, click Add.
In the Service Catalog select the Inline HTTP tab then double click on Generic HTTP Service
Give it a name, CheckPoint in this example. Uncheck the box to Auto Manage Addresses. Set the Proxy Type to Explicit.
For the To Service VLAN select 10.0.0.1/24
For HTTP Proxy Devices click Add
Enter 10.0.0.5 for the IP Address. Enter 8080 for the Port. Click Done
For the From Service select 10.0.0.1/24
Set Manage SNAT Settings to Auto Map. Click Save and Next.
Click the name of the Service Chain.
Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen, if you expand the Pool Member Status you should see the CheckPoint Firewall.
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
We’ll use tcpdump on the BIG-IP to verify connectivity.
The capture from the Network_South vlan shows the encrypted HTTPS request
The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection
NOTE: Some of the requests are identified as “webcache” due to using HTTP port 8080.
Check the log file on the CheckPoint Firewall. Launch the SmartConsole and click LOGS & MONITOR. Double click on the entry highlighted below for more detail.
Here we can see the connection was Accepted. We can also see the Service is http on TCP port 8080.
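To confirm the explicit-proxy path without going through the client and the GUI, the following added Python check (not code from the article, F5 or CheckPoint) sends the absolute-URI request form that an explicit proxy expects to 10.0.0.5:8080, the same form SSL Orchestrator hands to the service after decryption, and reports the status the proxy returns. The test URL, header values and timeout are assumptions; the addresses and port come from the article.

```python
import socket
from urllib.parse import urlsplit

# Constructed lab values taken from this article; adjust to your environment.
PROXY_HOST = "10.0.0.5"            # CheckPoint eth1, HTTP/HTTPS proxy
PROXY_PORT = 8080                  # port entered under HTTP Proxy Devices
TEST_URL = "http://192.168.0.5/"   # web server reached via the static route

def build_proxy_request(url: str) -> bytes:
    """Absolute-URI request form an explicit proxy expects: what the CheckPoint
    service sees after SSL Orchestrator decrypts the client's HTTPS request.
    (A transparent-proxy or L2 service would see 'GET / HTTP/1.1' instead.)"""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an absolute http:// URL")
    host = parts.hostname if parts.port is None else f"{parts.hostname}:{parts.port}"
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    lines = [f"GET http://{host}{path} HTTP/1.1",
             f"Host: {host}",
             "User-Agent: sslo-explicit-proxy-check",  # assumed value, any works
             "Connection: close"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")

def parse_status(response: bytes) -> tuple[int, str]:
    """(status code, reason phrase) from the proxy's first response line."""
    first, _, _ = response.partition(b"\r\n")
    fields = first.decode("iso-8859-1").split(" ", 2)
    if len(fields) < 2 or not fields[0].startswith("HTTP/") or not fields[1].isdigit():
        raise ValueError(f"not an HTTP status line: {first!r}")
    return int(fields[1]), (fields[2] if len(fields) == 3 else "")

def check_proxy(proxy_host: str, proxy_port: int, url: str, timeout: float = 5.0) -> tuple[int, str]:
    """Send the request and return the proxy's status; 200 means it was accepted
    and forwarded, 403 or a connection error points at policy, NAT or routing."""
    with socket.create_connection((proxy_host, proxy_port), timeout=timeout) as sock:
        sock.sendall(build_proxy_request(url))
        response = b""
        while b"\r\n" not in response:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection before a status line")
            response += chunk
    return parse_status(response)

if __name__ == "__main__":
    print(check_proxy(PROXY_HOST, PROXY_PORT, TEST_URL))
```

Run it from a host on the Egress network (or from the BIG-IP itself) so the source address matches the NAT rule created earlier; a failure here isolates the problem to the CheckPoint side before involving SSL Orchestrator.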
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.
Related Articles
Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)
Integrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy - DevCentral