topic Re: HTTPS Inspection and P-521 certificate in Firewall and Security Management

HTTPS Inspection and P-521 certificate

RoD — Wed, 22 Jan 2020 10:43:26 GMT

Hi,

I have question about site-to-site VPN with P-521 ECC encryption and HTTPS Inspection.

It it possible to have two certificate for HTTPS Inspection,

one RSA 2048 certificate for website and second P-521 ECC certificate for site-to-site VPN ?

Thanks

Re: HTTPS Inspection and P-521 certificate

Wolfgang — Wed, 22 Jan 2020 11:52:21 GMT

For HTTPS inspection you need a SUB-CA installed on your gateway not only a certificate.

These SUB-CA and the certificate for Site2Site VPN is configured and stored at different places. Following this you don't need to have one for both feature.

certificate for VPN:

SUB-CA for HTTPS-inspection:

Wolfgang

Re: HTTPS Inspection and P-521 certificate

RoD — Wed, 22 Jan 2020 12:11:48 GMT

Thank you for your post, sorry if I didn't ask the question well.

I understood it well RSA 2048 certificate and P-521 ECC certificate they are not compatible ?

HTTPS Inspection using for inspection website only RSA 2048 certificate or RSA 4096 certificate ?

My question is regarding HTTPS Inspection site-to-site VPN with preshared key and with P-521 ECC as encryption ?

Re: HTTPS Inspection and P-521 certificate

PhoneBoy — Wed, 22 Jan 2020 19:53:07 GMT

The certificates used for Site-to-Site VPN and HTTPS Inspection have absolutely nothing to do with each other.
They are completely independent of each other and configured in different places in the UI.

P-521 support is in R80.30.
Believe it is also in R80.20 with a recent Jumbo Hotfix.
If you are on an earlier release, you will need to upgrade.

Re: HTTPS Inspection and P-521 certificate

Wolfgang — Wed, 22 Jan 2020 20:09:20 GMT

I believe you should explain more detailed what do you want to do.

As I wrote and @PhoneBoy mentioned, HTTPS inspection and site2site VPN are different things and both are using different certificates.

RoD, more information about your need would be very helpful to give you the right answers.

Wolfgang

Re: HTTPS Inspection and P-521 certificate

RoD — Wed, 22 Jan 2020 20:45:35 GMT

Thank you Wolfgang and PhoneBoy for yours help. 😀

I have one laptops that have Site-to-Site VPN to one data center in Germany,
and this connection will go through 3100 or 3600 firewall.

My original plan was that 3100 firewall inspect this Site-to-Site VPN with HTTPS Inspection.

I think that is better that 3100 firewall create Site-to-Site VPN to this data center in Germany,

Re: HTTPS Inspection and P-521 certificate

Wolfgang — Wed, 22 Jan 2020 20:57:17 GMT

RoD,

I think you are mixing some of the technologies.

laptop with site2site VPN ? sounds like more then a remote access VPN.

You can‘t inspect an IPSEC-Tunnel with HTTPS inspection. But you can inspect the traffic coming through the tunnel on one of the endpoints of the tunnel. If these traffic will be HTTPS you can inspect with HTTPS inspection.

Wolfgang

Re: HTTPS Inspection and P-521 certificate

RoD — Wed, 22 Jan 2020 21:19:48 GMT

I forgot to add my laptop with my old hardware firewall,

I decided that all my site-to-site VPN go from new Check Point firewall

Thanks