Hi
I have enabled HTTPS and exported the certificate to a test machine. When visiting various websites it works as expected.
But websites like checkpoint.com or cisco.com would show a warning.
It works fine with google, for example!
So I wonder why some work and some do not?
The log looks like this:
I suspect that we need to buy a well trusted certificate to make that work?!
Code level?
Make sure your list of trusted CAs for HTTPS Inspection is up to date. The ability to update these is still located in the SmartDashboard, accessible from Manage & Settings...Blades...HTTPS Inspection...Configure in SmartDashboard...HTTPS Inspection...Trusted CAs. Later code levels keep this CA list up to date automatically.
Could also be this: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning
version 81.20
Now I have installed the latest updates and done this:
but I am still getting the same TLS warning!
You see this on EVERY site or just some?
Andy
No, you don't need to buy a trusted CA for this to work. I have an HTTPS inspection lab and I use one generated from the mgmt server, and it works fine. Is it just one website or multiple? Make sure below is checked in legacy smart console.
Andy
it is not working for example:
microsoft.com
cisco.com
as far as I could notice!
I am getting this error:
NET::ERR_CERT_AUTHORITY_INVALID
You see that on every browser?
Google chrome and Edge
Can you send screenshot of https inspection policy?
Andy
Did it ever work, or is it a brand new issue?
Andy
This is the first time I am testing HTTPS inspection. Maybe I need to add some certificate under Trusted CAs, but which one? I have tested many but still have the same problem.
If your setup is bugged like mine (R81.10 JHF 141), the automatic install does not work, and you have to manually add the certificates from the list. Just click on all of them or the ones you need, then publish install.
I am running this version:
Product version Check Point Gaia R81.20
OS build 631
So I don't know if it is bugged or not!
Did you have a similar problem where many websites work but some don't?
Which certificates did you add?
I have R81.20 jumbo 54 in the lab, all works well. Did you check the file I uploaded?
Andy
If you click the "add" button and stuff is in the list, it is bugged, as the list should be empty. Yes, I was having the same exact issue you were having. I also noticed it because of Check Point and Cisco websites. Honestly, you should add all of them in the list, but if you only want to add a few I had to do the following: go to the website on a computer not being HTTPS inspected, view the certificate, that will supply you with who the Root CA is for the site, and then add that.
If you open a TAC case, they can supply you with a script that will add all of them in the list if you don't want to manually do it.
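The manual step described in the post above (read the site's chain from a machine that is not being HTTPS inspected, find the Root CA, add it under Trusted CAs), as an added example that is not part of the original thread: it parses the chain section of `openssl s_client -showcerts` output and reports the root name that is missing from a list of already-trusted CA names. The sample output, the intermediate CA name, the GATEWAY_TRUSTED list and the function names are constructed for illustration.

```python
import re

# Constructed sample of the "Certificate chain" section printed by
# `openssl s_client -showcerts`; the intermediate CA name is made up.
SAMPLE_S_CLIENT = """\
CONNECTED(00000003)
---
Certificate chain
 0 s:C = US, O = Example Corp, CN = www.example.test
   i:C = US, O = DigiCert Inc, CN = Example Issuing CA 01
 1 s:C = US, O = DigiCert Inc, CN = Example Issuing CA 01
   i:C = US, O = DigiCert Inc, OU = www.digicert.com, CN = DigiCert Global Root G2
---
Server certificate
"""

# Constructed stand-in for the names already listed under Trusted CAs.
GATEWAY_TRUSTED = ["Baltimore CyberTrust Root", "GlobalSign Root CA"]

_CN = re.compile(r"CN\s*=\s*([^,/\n]+)")
_LINE = re.compile(r"^\s*(?:\d+\s+)?([si]):(.*)$")


def parse_chain(text):
    """Return [(subject_cn, issuer_cn), ...] in the order the server sent them."""
    chain, subject = [], None
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue
        cn = _CN.search(m.group(2))
        name = cn.group(1).strip() if cn else m.group(2).strip()
        if m.group(1) == "s":
            subject = name
        elif subject is not None:
            chain.append((subject, name))
            subject = None
    return chain


def root_to_add(text, trusted):
    """Name of the CA that anchors the chain if the gateway list lacks it, else None."""
    chain = parse_chain(text)
    if not chain:
        raise ValueError("no certificate chain found in input")
    root = chain[-1][1]          # issuer of the last certificate the server sent
    known = {t.casefold() for t in trusted}
    return None if root.casefold() in known else root
```

For a live site, feed the function the output of `openssl s_client -connect host:443 -servername host -showcerts </dev/null`, captured on a machine that is not behind HTTPS inspection; behind the gateway the chain ends at the gateway's own CA instead of the site's real root.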
I think they all get updated automatically, especially in R81.20
Let me check it in my lab shortly and will update.
Andy
Bro, message me tomorrow, you got my gmail, let's do remote. I'm available any time up until 4 pm GMT or between 5-8 GMT. I'm in EST, which is GMT-4
Best,
Andy
I am not allowed to do remote because this is the production environment.
But now I have succeeded in adding "Digicert Global Root G2" manually, which resulted in connecting correctly to microsoft.com
I have used the way @CaseyB described above!
Can you confirm this is what you are referring to?
Andy
Also, can you check below?
I also attached updated zip file for certificates list update if you wish to try it, but just a small disclaimer, it is from my lab, though fully working https inspection one.
[Expert@CP-management:0]# pwd
/opt/CPshrd-R81.20/database/downloads/TRUSTED_CA/2.0/3.4
[Expert@CP-management:0]# ls
last_revision_DC.xml updateFile.zip
[Expert@CP-management:0]#
Date shows November 30th, 2023, 1.30 pm EST
so, this is the production environment:
As you can see when I click "Add" you see the list is full with trusted certificates that you need to add to get a functionality.
but here in a lab environment:
the "Add" list is empty which means that all certificates are already taken!
If you can update in the production, I would. I gave that file to lots of people before, never an issue.
Andy
Btw, for what this info is worth, I kept upgrading my lab ever since R80.20 to R81.20, and even though ssl inspection was enabled since the beginning, I NEVER had this issue with the certs
I did, mind you, always keep up with latest jumbo hotfixes.
Andy