Difficulties in connecting to untrusted sites when both HTTPS Inspection and CoreXL Dynamic Dispatcher are enabled
Symptoms
  • Difficulties in connecting to untrusted sites through R77.30 Security Gateway in the following scenario:

    1. HTTPS Inspection is enabled on Security Gateway (per Application Control and URL Filtering Administration Guide - Chapter "Managing Application Control and URL Filtering" - "HTTPS Inspection")
    2. CoreXL Dynamic Dispatcher is enabled on Security Gateway (per sk105261)
    3. Client behind Security Gateway connects to an untrusted site (site with self-signed, or expired certificate)
  • The client's web browser displays a message about an untrusted certificate, but after the user adds a security exception the same message is displayed again (and this cycle repeats several times):

    • Chrome:

      Your connection is not private

      This server could not prove that it is <URL_or_IP_ADDRESS>; its security certificate is not trusted by your computer's operating system.

      After clicking on "Proceed to <URL_or_IP_ADDRESS> (unsafe)", the same message is displayed again.
    • Firefox:

      This Connection is Untrusted

      You have asked Firefox to connect securely to <URL_or_IP_ADDRESS>, but we can't confirm that your connection is secure.

      Normally, when you try to connect securely, sites will present trusted identification to prove that you are going to the right place. However, this site's identity can't be verified.

      After clicking on "Add Exception..." button and then on "Confirm Security Exception" button, the same message is displayed again.
    • Opera:

      Invalid certificate

      Opera cannot verify the identity of the server "<URL_or_IP_ADDRESS>", due to a certificate problem. The server could be trying to trick you. Would you like to continue to the server?

      After clicking on "Continue Anyway" button, the same message is displayed again.
  • This issue was not reported with the Internet Explorer browser:

    1. Upon connecting to the HTTPS site, the following message is displayed:
      The security certificate presented by this website was not issued by a trusted certificate authority.
      The security certificate presented by this website was issued for a different website's address.
    2. After clicking on "Continue to this website (not recommended)", user is able to connect to the untrusted HTTPS site.
Cause

When a client first connects to an untrusted site (a site with a self-signed or expired certificate), the HTTPS Inspection wstlsd daemon that handles the connection (one such daemon runs on each CoreXL FW Instance) generates a replacement certificate for the site, and the user manually adds a security exception for that certificate in the web browser.

When CoreXL Dynamic Dispatcher is enabled, the next connection, opened after the security exception is approved, might be assigned to a different CoreXL FW Instance and therefore handled by a different wstlsd daemon, which generates its own, different certificate for the same site.

As a result, the security exception the user added does not match the certificate now presented, and the web browser shows the warning again.


Solution

HTTPS Inspection works well for all trusted sites. In some scenarios, inspection of untrusted sites might be problematic.

If HTTPS Inspection is enabled and the Security Gateway is behind a proxy, add the proxy port to the dynamic dispatching bypass list. The procedure depends on which hotfix is currently installed on the Security Gateway:

Case 1: Hotfix from sk109772 - R77.30 NGTP, NGTX and HTTPS Inspection performance and memory consumption optimization is installed on Security Gateway
  1. Connect to command line on Security Gateway.

  2. Log in to Expert mode.

  3. Add the Proxy port to dynamic dispatching bypass list:

    [Expert@HostName:0]# fw ctl multik add_bypass_port <Proxy_Port_1>,<Proxy_Port_2>,...,<Proxy_Port_N>

  4. Check that the configuration was saved:

    [Expert@HostName:0]# fw ctl multik show_bypass_ports

Notes:

  • To remove a proxy port, run:
    fw ctl multik del_bypass_port <Proxy_Port>
  • Both the "fw ctl multik add_bypass_port" command and the "fw ctl multik del_bypass_port" command save the required configuration in the $FWDIR/conf/dispatcher_bypass.conf file, so the configuration survives a reboot.
  • The $FWDIR/conf/dispatcher_bypass.conf file should not be edited manually.
Case 2: Take_102 or higher of sk106162 - Jumbo Hotfix Accumulator for R77.30 is installed on Security Gateway
  1. Connect to command line on Security Gateway.

  2. Log in to Expert mode.

  3. Add the Proxy port to dynamic dispatching bypass list on-the-fly (does not survive reboot):

    [Expert@HostName:0]# fw ctl multik add_bypass_port <Proxy_Port_1>,<Proxy_Port_2>,...,<Proxy_Port_N>

  4. Check that the configuration was accepted by running these two commands:

    1. [Expert@HostName:0]# fw ctl get int dynamic_dispatcher_bypass_show_ports
    2. [Expert@HostName:0]# dmesg
  5. To make this configuration permanent:

    1. Create the $FWDIR/boot/modules/fwkern.conf file (if it does not already exist):

      [Expert@HostName:0]# touch $FWDIR/boot/modules/fwkern.conf

    2. Edit the $FWDIR/boot/modules/fwkern.conf file in Vi editor:

      [Expert@HostName:0]# vi $FWDIR/boot/modules/fwkern.conf

    3. Add the following lines (spaces are not allowed):

      dynamic_dispatcher_bypass_port_table=443,<Proxy_Port_1>,<Proxy_Port_2>,...,<Proxy_Port_N>

      dynamic_dispatcher_bypass_ports_number=Total_Number_of_Configured_Ports

      Notes:
      • Port 443 should not be removed from the list as long as HTTPS Inspection is enabled.
      • Port 443 is also counted.


    4. Save the changes and exit from Vi editor.

    5. Check the contents of the $FWDIR/boot/modules/fwkern.conf file:

      [Expert@HostName:0]# cat $FWDIR/boot/modules/fwkern.conf

    6. Reboot the Security Gateway.

    7. Verify that the new value was set by running these two commands:

      1. [Expert@HostName:0]# fw ctl get int dynamic_dispatcher_bypass_show_ports

      2. [Expert@HostName:0]# dmesg

Notes:

  • Port 443 should not be removed from the list as long as HTTPS Inspection is enabled.
  • Port 443 (which must be configured explicitly) is also counted in the value of parameter dynamic_dispatcher_bypass_ports_number.
  • To remove a proxy port from this configuration:
    1. Edit the $FWDIR/boot/modules/fwkern.conf file
    2. Remove the proxy port from the kernel parameter dynamic_dispatcher_bypass_port_table
    3. Decrease the value of kernel parameter dynamic_dispatcher_bypass_ports_number
    4. Save the changes
    5. Reboot the Security Gateway.
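As an added illustration (not part of this SK article or of Check Point's tooling), the shell helper below builds the two fwkern.conf lines described in steps 3 and 5 from a list of proxy ports and checks an existing file against the rules the article states: 443 must stay in the table, no spaces are allowed, and the declared ports number must count every listed port, 443 included. Function names are my own.

```shell
#!/bin/bash
# Added example, not from the SK article. Builds and validates the two
# kernel parameter lines for $FWDIR/boot/modules/fwkern.conf.

# Print the value of dynamic_dispatcher_bypass_port_table: 443 first, then
# the proxy ports in the given order; duplicates (a repeated 443 included)
# are dropped and non-numeric ports are rejected.
bypass_port_table() {
    local out="443" p
    for p in "$@"; do
        case "$p" in ''|*[!0-9]*)
            printf 'invalid port: %s\n' "$p" >&2; return 1 ;;
        esac
        case ",$out," in *",$p,"*) continue ;; esac   # already listed
        out="$out,$p"
    done
    printf '%s\n' "$out"
}

# Count the comma-separated entries of a port table (443 is counted too).
bypass_port_count() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -c .
}

# Emit both lines exactly as they must appear in fwkern.conf:
# no spaces around '=' and none between ports.
bypass_conf_lines() {
    local table
    table=$(bypass_port_table "$@") || return 1
    printf 'dynamic_dispatcher_bypass_port_table=%s\n' "$table"
    printf 'dynamic_dispatcher_bypass_ports_number=%s\n' \
        "$(bypass_port_count "$table")"
}

# Sanity-check an existing fwkern.conf (path in $1). Returns 0 only when
# both parameters are present, contain no spaces, the table includes 443
# and the declared number equals the number of ports in the table.
check_bypass_conf() {
    local table number
    table=$(sed -n 's/^dynamic_dispatcher_bypass_port_table=//p' "$1")
    number=$(sed -n 's/^dynamic_dispatcher_bypass_ports_number=//p' "$1")
    [ -n "$table" ] && [ -n "$number" ] || return 1
    case "$table$number" in *' '*) return 1 ;; esac
    case ",$table," in *,443,*) ;; *) return 1 ;; esac
    [ "$(bypass_port_count "$table")" -eq "$number" ]
}
```

Run `bypass_conf_lines 8080 3128` to see the two lines for proxy ports 8080 and 3128, or `check_bypass_conf $FWDIR/boot/modules/fwkern.conf` after editing the file and before rebooting.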
Case 3: Take_101 or lower of sk106162 - Jumbo Hotfix Accumulator for R77.30 is installed on Security Gateway
  Install Take_102 or higher of sk106162 - Jumbo Hotfix Accumulator for R77.30.
Case 4: Some other Hotfixes are installed on Security Gateway
  Contact Check Point Support to get a combined Hotfix that will contain the currently installed hotfixes and the hotfix for this issue.
  A Support Engineer will make sure the Hotfix is compatible with your environment before providing the Hotfix.
  For faster resolution and verification, please collect CPinfo files from the Security Management Server and Security Gateways involved in the case.
Case 5: No Hotfixes are installed on Security Gateway
  Install:


As an immediate workaround, do one of the following:

  • either disable the CoreXL Dynamic Dispatcher
  • or disable the HTTPS Inspection
Applies To:
  • 01886179
  • 01873994, 01898591, 01956912
