Firepower SSL Decryption

The Firepower SSL Decryption feature allows you either to block encrypted traffic outright, without inspecting it, or to decrypt and inspect encrypted traffic that the other inspection policies would otherwise be unable to see. To decrypt the traffic the FTD must re-sign the certificate of every website the clients visit; in effect it performs a Man in the Middle (MITM) of each TLS session. An internal CA must issue the FTD a certificate using the Subordinate Certificate Authority template; Firepower then dynamically generates a certificate for each site on the fly (spoofing the real certificate: same subject and names, but signed by the subordinate CA), which is what allows the session to be decrypted and inspected. The client computers must trust the internal CA, otherwise every site will produce a certificate error.

In this scenario an FTD running v6.2.2 acts as the gateway that decrypts the traffic; all configuration is performed on the FMC v6.2.2.
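The re-signing step described above, as an added example that is not code from the original post or from Cisco. It builds a made-up public CA and website certificate, a made-up internal root and subordinate CA, then re-signs the website certificate the way a decrypting gateway does and reports which CA each certificate verifies under. It needs the third-party `cryptography` package; every key, CA and host name is generated or invented for the demonstration.

```python
"""Added example (not code from the original post or from Cisco): how an inline
SSL-decryption gateway re-signs a website certificate with an internal
subordinate CA. Needs the third-party `cryptography` package; every key, CA
and host name here is generated or made up for the demonstration."""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtensionOID, NameOID

NOT_BEFORE = datetime.datetime(2024, 1, 1)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=365)
SAN_OID = ExtensionOID.SUBJECT_ALTERNATIVE_NAME


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _builder(subject, issuer, pubkey, is_ca):
    return (x509.CertificateBuilder().subject_name(subject).issuer_name(issuer)
            .public_key(pubkey).serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE).not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True))


def make_ca(cn, issuer=None):
    """Self-signed root when issuer is None; otherwise a subordinate CA signed by
    the (key, cert) pair, which is what the Subordinate CA template yields."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer, issuer_name = (key, _name(cn)) if issuer is None else (issuer[0], issuer[1].subject)
    return key, _builder(_name(cn), issuer_name, key.public_key(), True).sign(signer, hashes.SHA256())


def make_server_cert(cn, sans, issuer_key, issuer_cert):
    """The genuine website certificate as issued by a public CA."""
    key = ec.generate_private_key(ec.SECP256R1())
    cert = (_builder(_name(cn), issuer_cert.subject, key.public_key(), False)
            .add_extension(x509.SubjectAlternativeName([x509.DNSName(s) for s in sans]), critical=False)
            .sign(issuer_key, hashes.SHA256()))
    return key, cert


def resign(original, sub_ca_key, sub_ca_cert):
    """Per-site step of the decrypting gateway: keep the subject and SANs of the
    real certificate, substitute a key the gateway holds, and sign with the
    internal subordinate CA. Validity is reissued fresh rather than copied."""
    key = ec.generate_private_key(ec.SECP256R1())
    sans = original.extensions.get_extension_for_oid(SAN_OID).value
    cert = (_builder(original.subject, sub_ca_cert.subject, key.public_key(), False)
            .add_extension(sans, critical=False).sign(sub_ca_key, hashes.SHA256()))
    return key, cert


def signed_by(cert, issuer_cert):
    """The check a client makes when chaining: does the issuer's key verify cert?"""
    try:
        issuer_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                        ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def dns_names(cert):
    return cert.extensions.get_extension_for_oid(SAN_OID).value.get_values_for_type(x509.DNSName)


def _spki(cert):
    return cert.public_key().public_bytes(serialization.Encoding.DER,
                                          serialization.PublicFormat.SubjectPublicKeyInfo)


def demo():
    """Public CA issues the real cert; the internal root issues the subordinate
    CA installed on the gateway; the gateway re-signs. Returns what each CA vouches for."""
    pub_key, pub_ca = make_ca("Public Root CA")
    _, real = make_server_cert("www.example.com", ["www.example.com", "example.com"], pub_key, pub_ca)
    root_key, root = make_ca("Internal Root CA")
    sub_key, sub_ca = make_ca("Firepower Subordinate CA", (root_key, root))
    _, spoofed = resign(real, sub_key, sub_ca)
    return {
        "same_subject": spoofed.subject == real.subject,
        "same_sans": dns_names(spoofed) == dns_names(real),
        "same_public_key": _spki(spoofed) == _spki(real),
        "real_verifies_under_public_ca": signed_by(real, pub_ca),
        "real_verifies_under_sub_ca": signed_by(real, sub_ca),
        "spoofed_verifies_under_public_ca": signed_by(spoofed, pub_ca),
        "spoofed_verifies_under_sub_ca": signed_by(spoofed, sub_ca),
        "sub_ca_verifies_under_internal_root": signed_by(sub_ca, root),
    }
```

The `same_public_key` result being False is the whole point: the spoofed certificate carries a key the gateway holds, so the client accepts it only because it trusts the internal CA that signed it. That is why the internal CA certificate has to be deployed to the client computers before decryption is switched on.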

Continue reading “Firepower SSL Decryption”

Cisco ASA Botnet Filtering

In a botnet attack computers become infected with malware, and the infected hosts then attempt to contact the botnet command and control servers. When configured, the Botnet Traffic Filter on the Cisco ASA firewall checks incoming and outgoing connections against a dynamic SensorBase database (downloaded from Cisco) containing known bad domain names and IP addresses, and logs or blocks any suspicious activity. In addition to the dynamic database you can define a static blacklist of domain names and IP addresses, and a whitelist to allow addresses that the dynamic database downloaded from Cisco has blacklisted.

The ASA snoops DNS replies to learn which IP addresses belong to which domain names; these IP-to-domain mappings are added to the DNS reverse lookup cache. When a connection passes through, the ASA looks up the destination address in the reverse lookup cache and compares the resulting domain name (and the address itself) against the database. On a match a syslog message is generated and, if blacklist dropping has been enabled, the connection is dropped.
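A small model of that classification logic, as an added example that is not code from the original post or from Cisco. It snoops constructed DNS replies into a reverse lookup cache, then decides allow, log or drop for constructed connections using a made-up dynamic blacklist, static blacklist and whitelist; the log line format is invented, not the ASA's syslog format.

```python
"""Added example (not code from the original post or from Cisco): a model of the
ASA Botnet Traffic Filter's DNS snooping, reverse lookup cache and blacklist /
whitelist decision, run over constructed DNS replies and connections. All
domains, addresses and list contents below are made up."""
from ipaddress import ip_address

# Stand-in for the dynamic SensorBase database downloaded from Cisco.
DYNAMIC_BLACKLIST = {"bad-c2.example", "198.51.100.7"}
# Administrator-defined static blacklist and whitelist.
STATIC_BLACKLIST = {"evil-update.example"}
WHITELIST = {"bad-c2.example"}        # overrides the dynamic listing


class BotnetFilter:
    def __init__(self, dynamic, static, whitelist, drop=False):
        # drop=False mirrors the ASA default: matches are logged, and only
        # dropped once blacklist dropping is explicitly enabled.
        self.blacklist = set(dynamic) | set(static)
        self.whitelist = set(whitelist)
        self.drop = drop
        self.reverse_cache = {}       # IP -> domain, filled by DNS snooping
        self.syslog = []

    def snoop_dns_reply(self, domain, answers):
        """DNS snooping: record which domain each answered address resolves."""
        for ip in answers:
            self.reverse_cache[str(ip_address(ip))] = domain.lower()

    def classify(self, dst_ip):
        """'whitelist', 'blacklist' or None for a destination address. The
        address itself and the domain learned for it are both compared."""
        candidates = {dst_ip}
        if dst_ip in self.reverse_cache:
            candidates.add(self.reverse_cache[dst_ip])
        if candidates & self.whitelist:
            return "whitelist"
        if candidates & self.blacklist:
            return "blacklist"
        return None

    def connection(self, src_ip, dst_ip):
        """Return the action taken for a new connection: allow, log or drop."""
        if self.classify(dst_ip) != "blacklist":
            return "allow"
        action = "drop" if self.drop else "log"
        domain = self.reverse_cache.get(dst_ip, "no DNS mapping")
        # Constructed log line, not the real ASA syslog format.
        self.syslog.append(f"BOTNET {action}: {src_ip} -> {dst_ip} ({domain})")
        return action


def demo(drop=False):
    """Feed constructed DNS replies and connections; return actions and log."""
    f = BotnetFilter(DYNAMIC_BLACKLIST, STATIC_BLACKLIST, WHITELIST, drop=drop)
    f.snoop_dns_reply("bad-c2.example", ["203.0.113.9"])
    f.snoop_dns_reply("evil-update.example", ["203.0.113.10"])
    f.snoop_dns_reply("www.good.example", ["203.0.113.11"])
    flows = [("10.0.0.5", "203.0.113.9"),    # dynamic blacklist, but whitelisted
             ("10.0.0.5", "203.0.113.10"),   # static blacklist via DNS mapping
             ("10.0.0.5", "203.0.113.11"),   # clean
             ("10.0.0.5", "198.51.100.7")]   # blacklisted by address, no DNS seen
    return {dst: f.connection(src, dst) for src, dst in flows}, f.syslog
```

Two behaviours worth noting from the run: the whitelist wins over the dynamic database, so the host that resolved `bad-c2.example` is allowed without a log entry, and a destination address that is itself in the database is caught even when the ASA never saw a DNS reply for it.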

Continue reading “Cisco ASA Botnet Filtering”

Configuring Check Point Application Control

The Check Point Application Control software blade allows firewall administrators to identify traffic and allow or block it based on application type, time, bandwidth and so on. When used together with the Identity Awareness software blade, access to sites can be controlled per user and group in the security policy. In this post I am using Check Point R75.46 running Gaia on an open server and will run through the basics of setting up Application Control to block social networking sites and allow all other traffic.

Configuring Application Control

Login to the SmartDashboard

Click on the firewall object and enable “Application Control” by ticking the box. Click OK.

Continue reading “Configuring Check Point Application Control”

Configuring CheckPoint Mobile Access Blade

The CheckPoint Mobile Access software blade is an SSL VPN that gives a user’s PC, smartphone or tablet connectivity to the corporate network. Most new CheckPoint appliances (2200, 4000 series etc.) are licensed with the Mobile Access blade as standard. This post provides information on getting started and configuring the basics.

Configuring Mobile Access

Open SmartDashboard and create a new firewall rule permitting inbound HTTPS to the firewall. NOTE – This rule needs to be above the Stealth rule; the Stealth rule drops all traffic destined to the gateway itself, so if the HTTPS rule sits below it the Mobile Access traffic will be dropped.

Modify the properties of the firewall object and select “Mobile Access”

The “Mobile Access Configuration” wizard should automatically appear

Continue reading “Configuring CheckPoint Mobile Access Blade”

Configuring CheckPoint Identity Awareness

Identity Awareness allows you to enforce access based on user and computer identity. It integrates with both Active Directory and non-Active Directory networks and authenticates employees and guests. When integrated with Active Directory the connection is clientless and authentication is transparent to the user.

There are five “identity sources” which Identity Awareness can use to acquire identities:

  • AD Query
  • Browser-Based Authentication
  • Endpoint Identity Agent
  • Terminal Servers Identity Agent
  • Remote Access

This post describes the basics of how to configure Identity Awareness, integrate with Active Directory (AD Query method) and configure a rule to require authentication for accessing the internet.

Configuring Identity Awareness

Open the properties of the CheckPoint gateway

Tick the “Identity Awareness” software blade

Select the correct gateway that will be used to identify users

Select the “AD Query” method for acquiring identity

Continue reading “Configuring CheckPoint Identity Awareness”

Basic configuration of CheckPoint R75.40 Gaia

The information provided in this post describes the basic configuration of CheckPoint R75.40 Gaia. The software was installed in a VMware virtual machine rather than on a CheckPoint appliance. The ISO image file “Check_Point_R75.40_Gaia.iso” was downloaded from the CheckPoint UserCenter.


  • Connect to the appliance/VM/server and boot from CD/ISO image
  • Click Ok to proceed with the installation
  • Select the appropriate “Keyboard” language
  • Modify or accept the default “Partitions Configuration”
  • Enter a strong password
  • Select the desired “Management Port”
  • Configure the IP address and default gateway for the “Management Interface”
  • Click Ok to proceed with the installation
  • When prompted reboot the appliance


  • In order to complete the configuration you need to open a web browser and connect to the web GUI using the IP address previously specified
  • Enter the username “admin” and the password you previously specified

Continue reading “Basic configuration of CheckPoint R75.40 Gaia”