How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

Shay_Levin — Wed, 13 Jul 2022 12:14:48 GMT

If you want to enable SSL inspection on exiting scale set or to a new scale set, you might need to make an additional configuration step.

Once you enable https inspection on the CME template you will get a message that HTTPs need to be configured in SmartConsole.

So, this is only true if you want to inspect outgoing traffic and you have not create an outbound certificate on the management before.

The reason for that is that you have to create an outgoing certificate first on the Check Point management in order to inspect outgoing traffic.

So if you have already created outbound certificate on one of the managed gateways on a management that is going to manage the scale set , you won’t need to do anything , the SSL inspection would work on the Scale Set as well.

And it’s doesn’t important on which managed gateway you create the certificate in the past, it’s also doesn’t matter if the gateway still exist on the management. As long has you did it once in the past , your Scale set will use the same certificate that exist on the management.

So, on the example above I have set https on the CME template for a new Scale Set deployment and the Check Point management is completely new.

If you will check the HTTPS configuration on one of the ScaleSet gateways

You will notice that https is enabled.

For inbound ssl inspection it’s good enough but for outbound inspection you will need to create the outbound certificate.

Once you create the outbound certificate once,

All the existing Scale Set gateways and any new Scale Set gateways will use the same outbound certificate.

So just, remember that you need to do this procedure only one time and you are set.

You will need of course to make additional configuration describe bellow, but it’s not unique for scale set, those are general https inspection configuration steps.

For outbound inspection, you will need of course also to deploy the outbound certificate to the instances that are going to be inspected and set the SSL inspection policy.

For inbound inspection, you will need to import the private key of the site you want to protected to the Check Point management and create an SSL inspection Policy.

For more information about HTTPS Inspection read sk108202 - Best Practices - HTTPS Inspection here

Re: How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

Naguinix — Thu, 13 Feb 2025 03:00:25 GMT

Greetings from Colombia Shay,

We are presenting a problem with a client in azure and vmss, when we scale new firewall the ssl inbound inspection stops working and also we stop seeing inspection logs, I wonder if it is necessary to do some extra configuration when doing https inspection inbound with vmss.

Re: How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

Nir_Shamir — Thu, 13 Feb 2025 05:54:36 GMT

Hi,

if you enable HTTPSi from CME and you already have the certificate and policies then it should work, no other configuration is needed.

Just wait for the instance to be created and policy installed.

topic Re: How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG in Cloud Firewall

How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

Re: How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

Re: How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG