topic Re: Checkpoint URLF Block Page Certificate in Firewall and Security Management

Checkpoint URLF Block Page Certificate

superd — Thu, 05 May 2022 18:37:32 GMT

Hi,

I have enabled Checkpoint URLF with HTTPS Inspection enabled. All is working fine, except I am getting cert trust issues with the block page. (R80.40)

Can anyone advise how I export this block page cert so I can trust it in users browsers? Or if there is some other guidance?

Also, is enabling UserCheck required in order to serve the block page, or is that something different? I have that enabled.

Thanks.

Re: Checkpoint URLF Block Page Certificate

Wolfgang — Thu, 05 May 2022 19:57:36 GMT

You can import a certificate enrolled from your internal CA to the usercheck page of the gateway properties. Your clients should trust these CA. If you‘re using the default certificate, your clients have to trust your internal Check Point CA of the managementserver. You can export the public certificate from the managementserver.

Re: Checkpoint URLF Block Page Certificate

Sorin_Gogean — Fri, 06 May 2022 05:24:44 GMT

In addition to what Wolfgang state .... from my notes

We require an SSL certificate on the GW's as the page presented with the BLOCK message, is HTTPS and is using the Platform Portal (as it seems) .

They say to follow :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk97648

But it’s better to follow :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk69660

(as I've use it previously )

Re: Checkpoint URLF Block Page Certificate

superd — Fri, 06 May 2022 08:01:23 GMT

Thanks Wolfgang, is there a simple way to export this certificate from the SMS GUI?

Re: Checkpoint URLF Block Page Certificate

superd — Fri, 06 May 2022 08:02:19 GMT

Cheers Sorin, seems a bit confaluted. Id like to just extract whatever cert is being currently served for block page.

Re: Checkpoint URLF Block Page Certificate

superd — Fri, 06 May 2022 08:07:47 GMT

Could I extrapolate from the below message that one must use a self signed cert to avoid errors i.e. the auto-generated cert is not extractable?

Re: Checkpoint URLF Block Page Certificate

Sorin_Gogean — Fri, 06 May 2022 09:24:47 GMT

Now I got it, your certificate error is shown to the end-user when he is redirected to the Block page - that is served by the GW Custer .

You can generate a certificate (signed by the same CA that you used to delegate HTTPS Inspection) and import it into the UserCheck .

Re: Checkpoint URLF Block Page Certificate

superd — Fri, 06 May 2022 09:54:19 GMT

Yes Sorin, serving of blockpage shows connection error, or client not trusting the cert.

So, for clarification, I must generate a self signed cert to avoid errors? Is there definitely no way to export whatever cert Checkpoint is providing by default? - I find this surprising.

Re: Checkpoint URLF Block Page Certificate

Sorin_Gogean — Fri, 06 May 2022 11:11:36 GMT

For sure you can export it, is the same you get when accessing the UserCheck portal It's not an on-the-fly generated one.

After that you will need to et it on all the clients in trusted certs, therefore my recommendation is to look for a centralized CA/certificate solution, then you just need to trust the Root CA and all the rest will follow.