George Liu

HTTPS Inspection - ettoday

Blog Post created by George Liu on May 3, 2018

Symptom:

1. HTTPS Inspection is enabled.

2. The page cannot be displayed.

 

Solution:

1. Install Jumbo hotfix > 221

2. Turn on the following functions:

  • To prefer / propose ECDSA cipher suites:
    • [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDSA 1
    • [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDSA 1
  • To prefer / propose ECDHE cipher suites:
    • [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_ACCEPT_ECDHE 1
    • [Expert@HostName]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_PROPOSE_ECDHE 1
  • Enable the support for P384 curve on Security Gateway / each cluster member:

    [Expert@HostName:0]# ckp_regedit -a SOFTWARE//CheckPoint//FW1 CPTLS_EC_P384 1

3. Run cpstop; cpstart on the Gateway / Cluster.
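
To confirm that a failing site really negotiates ECDHE, ECDSA or P-384 before changing the gateway, the script below parses `openssl s_client` output and lists the matching registry keys from step 2. It is an added example, not part of the original post or of Check Point's documentation; the function names, the sample output and the mapping from negotiated parameters to the keys are assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original post or from Check Point.
# Reads `openssl s_client` output and lists which of the post's CPTLS_*
# keys the site's negotiated TLS 1.2 parameters correspond to.

# Constructed sample of s_client output (not captured from a real site).
SAMPLE='CONNECTED(00000003)
---
Server Temp Key: ECDH, P-384, 384 bits
---
New, TLSv1.2, Cipher is ECDHE-ECDSA-AES256-GCM-SHA384
---'

# Print the negotiated cipher suite found in s_client output on stdin.
negotiated_cipher() {
    sed -n 's/^New, .*Cipher is \(.*\)$/\1/p' | head -n 1
}

# Print, space-separated, the registry keys from the post that match the
# key exchange, certificate type and curve seen in s_client output (stdin).
required_settings() {
    rs_out=$(cat)
    rs_cipher=$(printf '%s\n' "$rs_out" | negotiated_cipher)
    rs_keys=""
    case "$rs_cipher" in
        ""|"(NONE)") echo "handshake-failed"; return 0 ;;
        ECDHE-ECDSA-*) rs_keys="CPTLS_ACCEPT_ECDHE CPTLS_PROPOSE_ECDHE CPTLS_ACCEPT_ECDSA CPTLS_PROPOSE_ECDSA" ;;
        ECDHE-*) rs_keys="CPTLS_ACCEPT_ECDHE CPTLS_PROPOSE_ECDHE" ;;
    esac
    # An ephemeral ECDH key of 384 bits means the server chose P-384.
    if printf '%s\n' "$rs_out" | grep -Eq 'Temp Key: ECDH, .*384 bits'; then
        rs_keys="$rs_keys CPTLS_EC_P384"
    fi
    rs_keys=${rs_keys# }          # drop the space left when only the curve matched
    echo "${rs_keys:-none}"       # "none": no ECDHE/ECDSA/P-384 involved
}

# Handshake with the site over TLS 1.2 only. Assumption: run this from a
# host whose traffic does not pass through HTTPS Inspection.
probe() {
    openssl s_client -connect "$1:443" -servername "$1" -tls1_2 </dev/null 2>/dev/null
}

# Offline demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | required_settings
```

For a live check, pipe `probe <hostname>` into `required_settings`; a result of `none` suggests the failure has a different cause than the one this post addresses.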

 

 

Reference:

Specific HTTPS sites that use ECDHE ciphers are not accessible when HTTPS Inspection is enabled
Solution ID: sk110883

 

Some HTTPS sites do not load when HTTPS Inspection is enabled, if TLS 1.2 with ECDHE cipher is used
Solution ID: sk112954
