topic Re: HTTPS INSPECTION SHA1 to SHA256 in Firewall and Security Management

HTTPS INSPECTION SHA1 to SHA256

sajin — Sun, 17 Nov 2019 18:35:00 GMT

Found the Checkpoint HTTPS INSPECTION cert is SHA1 and as it is outdated should move forward to SHA256. Followed the sk115894 but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.

Re: HTTPS INSPECTION SHA1 to SHA256

PhoneBoy — Sun, 17 Nov 2019 22:00:44 GMT

You can replace the certificate, you know?
What software release?

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Mon, 18 Nov 2019 04:02:29 GMT

Its R80.30 with Take 76.

Can you please brief to replace the existing certificate SHA1 and its in production now.

Re: HTTPS INSPECTION SHA1 to SHA256

PhoneBoy — Mon, 18 Nov 2019 16:42:13 GMT

See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk115894

Re: HTTPS INSPECTION SHA1 to SHA256

mdjmcnally — Mon, 18 Nov 2019 18:40:27 GMT

Wandering if Stage 6 has been done which requires to install the new SHA-256 Cert into the Trusted Root CA Folder on the Windows machines.

If reading write then have updated the Cert but the Machines not trusting the Certificates from the New Certificate which points to the new Cert not being Trusted.

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Tue, 19 Nov 2019 17:03:00 GMT

The certificate .crt is already added in the Trusted Root Certificate.

Re: HTTPS INSPECTION SHA1 to SHA256

mdjmcnally — Tue, 19 Nov 2019 17:31:01 GMT

If the new SHA-256 Cert is in the Trusted CA Root Folder then you will need to investigate on the Client Machines why they are not trusting the new Root CA even though added as a Trusted CA Root Certificate.

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Tue, 19 Nov 2019 18:08:32 GMT

Created a different lab and tested and am getting the same error message. I think some configuration of installing the certificate is missing in the Dashboard.

Re: HTTPS INSPECTION SHA1 to SHA256

mdjmcnally — Tue, 19 Nov 2019 18:44:06 GMT

You are going to have to list out exactly step by step what done then as the SK seems to contain what to do when reading through,

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108641&partition=Advanced&product=HTTPS

Shows a little more about having once opened an R80.x SmartDashboard for the HTTPS Inspection Policy but is once in there the same as on R77.x in the SK,

I would think that Check Point take it that you need to install the Policy afterwards for it to take affect as a given as is hammered into everyone that make a change and need to install Policy afterwards.

If haven't finished importing the SHA-256 Cert then would still be using the SHA-1 which presumbably you had working fine so wouldn't get any errors still.

So How have you exported the certificate and then distributed the Client Machines as if the Client PC not trusting the Certs then it looks as though either not in the Trusted Root CA store on the machine or hasn't imported to the machine properly for which looking more at the PC rather then Check Point.

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Thu, 28 Nov 2019 13:52:32 GMT

After enabling PBR, HTTPS INSPECTION is not working to the interface where PBR is enabled. Is there any limitation in HTTPS INSPECTION with PBR. Able to get the certificate and page takes too much time to load and much often doesn't load. External Interface without PBR works fine perfectly.

I could see traffic flowing through both External Interface when HTTPS INSPECTION is enabled.

Re: HTTPS INSPECTION SHA1 to SHA256

mdjmcnally — Thu, 28 Nov 2019 14:07:27 GMT

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk100500&partition=General&product=Security#Limitations

The following features/blades are not supported with PBR:

IPv6
URL Filtering
IPS
Locally-generated traffic
Security Servers
Data Loss Prevention (DLP) blade
VPN Domain Based
VPN Route Based
Anti-Spam blade
Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
ISP Redundancy
The following applications (which use Check Point Active Streaming [CPAS]):
- VoIP (H323, SIP, Skinny, etc.)
- HTTPS Inspection
- HTTP Header Spoofing
- HTTP Proxy
- IMAP in IPS

HTTPS Inspection listed there. Cannot do HTTPS Inspection with PBR. Pretty much all you can run on a Check Point with PBR enabled is the Firewall Blade.

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Thu, 28 Nov 2019 14:50:58 GMT

Thank You so much for your reply.

I have seen this SK before but some of our customers are using HTTPS INSPECTION with PBR successfully in the same version.

Even IPS and URLF was working fine over there. I could see PBR traffic with IPS Events in logs.

We had created a test Lab and tested, and the test was a success.

What i had noticed in production environment is "PBR NAT IP is again coming as a source in next External interface with the same destination IP".

Is there anyway we can avoid the above situation mentioned in double quotes.

Re: HTTPS INSPECTION SHA1 to SHA256

sajin — Thu, 28 Nov 2019 14:57:29 GMT

Hi,

Can you please conform sk100500 is relevant or not, as PBR works with HTTPS INPECTION for some environment and creating issues on others. Is the SK relevant.

Re: HTTPS INSPECTION SHA1 to SHA256

mdjmcnally — Thu, 28 Nov 2019 15:03:19 GMT

Yes the SK article is VERY relevant as quite clearly says is NOT SUPPORTED. That is not to be confused with DOES NOT WORK.

So you are running in an unsupported configuration when running HTTPS Inspection and configuring PBR.