topic Re: HTTPS Inspection in Firewall and Security Management

HTTPS Inspection

Jon_Crotteau — Sat, 21 Aug 2021 12:12:44 GMT

When having an HTTPS inspection rule and the Check Point firewall re-encrypts the connection to the destination, is there a version that can support re-encrypting as TLS1.1 for some destinations and TLS1.2 for others, etc.? Or, is every Check Point firewall version going to do the same TLS version for all re-encrypted connections on to all destinations?

Re: HTTPS Inspection

PhoneBoy — Sat, 21 Aug 2021 16:20:04 GMT

It should mimic what the client does.
Note if you configure a minimum version (global setting), that version will be enforced by HTTPS Inspection.

Re: HTTPS Inspection

Jon_Crotteau — Sat, 21 Aug 2021 20:10:31 GMT

Are you saying that if globally I have it at TLS1.1 and the client initiates at TLS1.2 that the gateway will use TLS1.2 to the server no matter what gateway version I have (lets just say anything R77 and up).

Re: HTTPS Inspection

PhoneBoy — Sun, 22 Aug 2021 02:00:00 GMT

Assuming the gateway version supports the relevant ciphers and TLS version, yes, that's my understanding.
That said, if you're doing HTTPS Inspection, it is highly recommended you are on the most current release in order to leverage the latest ciphers.