on - edited on by
LiefZimmerman
Introduction
SSL Orchestrator centralizes & manages decryption of SSL/TLS traffic. This enables security and monitoring tools to view the decrypted content and analyze it for threats and other anomalies. SSL Orchestrator removes the burden of decrypting content from your security tools so they perform better and are more scalable.
An integrated F5 and CheckPoint Firewall solution eliminates the blind spots introduced by SSL/TLS encrypted content.
Versions Tested
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain
F5 BIG-IP version 17.1
SSL Orchestrator version 11.0
CheckPoint Gaia R81.20
CheckPoint SmartConsole version 81.20.9700.641
CheckPoint Firewall will be configured as an Explicit Proxy
Additional Help
If setting up SSL Orchestrator for the first time refer to the Deployment Guide available HERE
For information on SSL Certificate considerations and trust, click HERE
Video demo
VMware ESX Configuration
Create the following 3 Port Groups:
Network-North
Network-South
New-CheckPoint-Egress
Attach them to a vSwitch, CheckPoint-Switch in this example:
Configure the BIG-IP virtual network settings as follows:
NOTE:
VM Network is used for Management
Network-North is used for connectivity to the North side of the network
Network-South is used for connectivity to the South side of the network
New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall
Configure the CheckPoint Firewall virtual network settings as follows:
NOTE:
VM Network is used for Management
New-CheckPoint-Egress is used for connections from/to the BIG-IP and the CheckPoint Firewall
CheckPoint Firewall Configuration
Using a web browser connect to the GAIA Portal. Under Network Management select Network Interfaces.
In this example eth1 is being used for incoming and outgoing connections from/to the BIG-IP and the CheckPoint Firewall. It has an IP address of 10.0.0.5.
NOTE: eth2 is not used in this example
10.0.0.5 will need a route or default gateway that is the BIG-IP Self IP of 10.0.0.1 (to be configured later).
This example uses a closed network, a Static Route is added so the CheckPoint knows where to send connections destined for 192.168.0.5 (this is the IP address of the web server we will be using to test this).
Launch the Smart Console and log in. Double click on the firewall you want to configure, check-fw1 in this example.
Enable the HTTP/HTTPS Proxy with the following settings. Click OK when done.
Double click on check-fw1 again. Select Network Management
Select Get Interfaces then choose With Topology in this example.
The Topology Results should look like the following.
Click Accept then OK.
NOTE: Typically eth1 (10.0.0.5) should be defined as Internal.
Double click on the interface name to configure this.
For eth1 click Modify.
Set “Leads To” to Internal. Click OK
Click Publish at the top.
Click Publish again
Click Security Policies on the left
Change the Action from Drop to Accept
NOTE: This is just an example for this article. Normally you would not set a firewall policy to Any/Any/Accept
Select NAT and create a new NAT rule like the following:
Set the Original Source to 10.0.0.1. Set the Original Destination to 10.0.0.5. Set the Translated Source to 10.0.0.5. Set Install On to the correct CheckPoint Firewall.
Click Publish then Publish again
When that completes click Install Policy
Click Install
NOTE: in this example the policy is installed on a single firewall. Your setup may differ.
At this point the CheckPoint Firewall should be configured properly with an Access Control Policy and NAT
BIG-IP SSL Orchestrator Configuration
The BIG-IP VLAN settings should look like the following:
Egress is the VLAN used for connections from/to the BIG-IP and the CheckPoint Firewall
North_vlan is used for network connectivity from the BIG-IP to the North
South_vlan is used for network connectivity from the BIG-IP to the South
Create the following Self IP
10.0.0.1 is used for connections from/to the BIG-IP and the CheckPoint Firewall. The VLAN is set to Egress.
This article assumes you have SSL Orchestrator configured with a Topology and Service Chain.
Navigate to SSL Orchestrator > Configuration.
Create the CheckPoint Firewall Service
Under Services, click Add.
In the Service Catalog select the Inline HTTP tab then double click on Generic HTTP Service
Give it a name, CheckPoint in this example. Uncheck the box to Auto Manage Addresses. Set the Proxy Type to Explicit.
For the To Service VLAN select 10.0.0.1/24
For HTTP Proxy Devices click Add
Enter 10.0.0.5 for the IP Address. Enter 8080 for the Port. Click Done
For the From Service select 10.0.0.1/24
Set Manage SNAT Settings to Auto Map. Click Save and Next.
Click the name of the Service Chain.
Select the CheckPoint Service from the left and click the arrow to move it to the right. Click Save.
Click OK
Click Save & Next at the bottom.
Click Deploy
Click OK to the Success message.
When done it should look like the following:
From the Services screen if you expand the Pool Member Status you should see the CheckPoint Firewall
Testing the Configuration
In this example there is a Windows client that connects through the SSL Orchestrator to a Windows server running the following web site:
Test this connection now and it should look like the following:
We’ll use tcpdump on the BIG-IP to verify connectivity.
The capture from the Network_South vlan shows the encrypted HTTPS request
The capture from the Egress vlan shows plain text HTTP content being sent to the CheckPoint Firewall for Inspection
NOTE: Some of the requests are identified as “webcache” due to using HTTP port 8080.
Check the log file on the CheckPoint Firewall. Launch the SmartConsole and click LOGS & MONITOR. Double click on the entry highlighted below for more detail.
Here we can see the connection was Accepted. We can also see the Service is http on TCP port 8080.
Conclusion
This completes configuration of BIG-IP SSL Orchestrator with CheckPoint Firewall. At this point traffic that flows through SSL Orchestrator will be decrypted and sent to the CheckPoint Service and inspected for malicious payloads or policy violations.
Related Articles
Integrating SSL Orchestrator with CheckPoint Firewall VM-Bridge Mode (L2)
Integrating SSL Orchestrator with CheckPoint Firewall VM-Transparent Proxy - DevCentral
