The information you are about to copy is INTERNAL!
DO NOT share it with anyone outside Check Point.
Probe Bypass is initiated on non-SSL connection
| Solution ID |
sk108294 |
| Product |
HTTPS Inspection |
| Version |
R77.30 |
| OS |
Gaia |
| Platform / Model |
All |
| Date Created |
21-Oct-2015
|
| Last Modified |
12-Mar-2019
|
Symptoms
- With HTTPS Inspection enabled, the application using non-standard port for HTTP connection, causes the Probe Bypass feature to run on the connection, resulting in holding SYN until it times out.
- Kernel debug shows that port of the connection is not 443 but 8080:
fwconn_lookup: conn <dir 0, 192.168.10.159:14125 -> 166.125.252.208:8080 IPP 6>;
Then rulebase returned possible match and feature is enabled:
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: rulebase match returned: POSSIBLE;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: status is 'POSSIBLE';
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: _chain->packetid = 148692520;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: found = 0;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: enhanced_ssl_inspection = 1;
Then SYN packet put on HOLD:
fw_handle_first_packet: Rulebase returned HOLD;
fw_handle_first_packet: match on rule 1;
fw_rule_count_count: counting one more connection on rule 1 (total 31563);
fw_service_count_count: not counting service since service count is disabled;
fw_filter_chain: handle_first_packet returned action HOLD for new conn;
fw_filter_chain: Final switch, action=HOLD;
- With
enhanced_ssl_inspection property set to 0, problem does not happen.
Solution
|
Note: To view this solution you need to
Sign In
.
|
