Probe Bypass is initiated on non-SSL connection
Solution ID: sk108294
Technical Level:
Product: HTTPS Inspection
Version: R77.30 (EOL)
OS: Gaia
Platform / Model: All
Date Created: 21-Oct-2015
Last Modified: 12-Mar-2019
Symptoms
With HTTPS Inspection enabled, an application that uses a non-standard port for its HTTP connection causes the Probe Bypass feature to run on that connection, which results in the SYN packet being held until it times out.
Kernel debug shows that the port of the connection is not 443 but 8080:
Then the rulebase returns a POSSIBLE match and the feature is enabled:
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: rulebase match returned: POSSIBLE;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: status is 'POSSIBLE';
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: _chain->packetid = 148692520;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: found = 0;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: enhanced_ssl_inspection = 1;
Then the SYN packet is put on HOLD:
fw_handle_first_packet: Rulebase returned HOLD;
fw_handle_first_packet: match on rule 1;
fw_rule_count_count: counting one more connection on rule 1 (total 31563);
fw_service_count_count: not counting service since service count is disabled;
fw_filter_chain: handle_first_packet returned action HOLD for new conn;
fw_filter_chain: Final switch, action=HOLD;
With the enhanced_ssl_inspection property set to 0, the problem does not occur.
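As an added triage helper (not Check Point code), the following script scans a kernel debug excerpt for the three markers quoted above (POSSIBLE rulebase match, enhanced_ssl_inspection = 1, final action HOLD) and, combined with the connection's destination port, flags whether the held SYN matches this SK's symptom. The port is passed in separately because the debug line that prints it is not quoted in this SK; the sample excerpt below is constructed from the lines shown above, and the line formats are assumed to stay as printed here.

```python
import re

# Constructed sample: the kernel-debug lines quoted in this SK (sk108294).
SAMPLE_DEBUG = """\
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: rulebase match returned: POSSIBLE;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: status is 'POSSIBLE';
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: found = 0;
PID:{ssl_insp} fw_https_inspection_exe_rulebase_SYN_ex: enhanced_ssl_inspection = 1;
fw_handle_first_packet: Rulebase returned HOLD;
fw_filter_chain: handle_first_packet returned action HOLD for new conn;
fw_filter_chain: Final switch, action=HOLD;
"""

SYN_EX = "fw_https_inspection_exe_rulebase_SYN_ex"


def parse_debug(text):
    """Extract the facts relevant to this symptom from a kernel debug excerpt."""
    facts = {"possible_match": False, "enhanced_ssl_inspection": None, "final_hold": False}
    for line in text.splitlines():
        # HTTPS Inspection rulebase evaluated on the SYN and returned POSSIBLE.
        if SYN_EX in line and "rulebase match returned: POSSIBLE" in line:
            facts["possible_match"] = True
        # Value of the enhanced_ssl_inspection property (assumed format "= <digit>").
        m = re.search(r"enhanced_ssl_inspection\s*=\s*(\d)", line)
        if m and SYN_EX in line:
            facts["enhanced_ssl_inspection"] = int(m.group(1))
        # Final verdict of the filter chain for the new connection.
        if re.search(r"fw_filter_chain: Final switch, action=HOLD", line):
            facts["final_hold"] = True
    return facts


def probe_bypass_hold_suspected(text, dst_port):
    """True when the excerpt shows the sk108294 pattern on a non-443 port."""
    f = parse_debug(text)
    return (
        dst_port != 443
        and f["possible_match"]
        and f["enhanced_ssl_inspection"] == 1
        and f["final_hold"]
    )
```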