topic Re: Multiple Gateways with different outbound certificate for https inspection in Firewall and Security Management

Multiple Gateways with different outbound certificate for https inspection

Michael_Kovac — Mon, 26 Aug 2019 16:27:08 GMT

Hey!

One of our customers has multiple clusters for his branch offices. In every branch, he want to use Application Control, URL Filtering and https inspection. His idea is to generate for every cluster it´s own https inspection outbound certificate. Is it possible to realize it?

Cheers

Michael

Re: Multiple Gateways with different outbound certificate for https inspection

G_W_Albrecht — Tue, 27 Aug 2019 09:27:23 GMT

According to sk65123: HTTPSInspectionFAQ yes.

Re: Multiple Gateways with different outbound certificate for https inspection

Michael_Kovac — Tue, 27 Aug 2019 09:42:53 GMT

ok. I can not find the solution.... where is it described?

Which software blades support HTTPS Inspection?
Which operating systems support HTTPS Inspection?
Does HTTPS Inspection require a license? Is it a software blade?
Are there legal implications to enabling HTTPS Inspection in my organization?
Has Check Point cracked HTTPS? Could an attacker do this?
Why do I get certificate warnings in the browser after turning on HTTPS Inspection?
How can I make PCs trust the gateway's CA certificate?
Does HTTPS Inspection use the Security Management server's Internal CA to issue certificates?
Is there a performance impact when enabling HTTPS Inspection on the gateway?
Why are Extended Validation (EV) certificates displayed as regular certificates in the browser?
How are the CAs in the list of Trusted CAs chosen? Is the list updated?
Does HTTPS Inspection check for CRLs? What about OCSP?
Does HTTPS Inspection work on protocols other than HTTPs?
Can I replace the gateway's CA with a different CA?
Is it possible to perform selective inspection - just on specific sites, categories or users?
Why do I sometimes get the gateway CA even for sites that are not configured to be decrypted?
What information from the encrypted traffic is logged?
I read in the news that someone conned the "xyz" CA to give them certificates for the "abc" web site. What should I do?
Which SSL/TLS versions are supported by HTTPS Inspection?
Why isn't SSLv2 supported?
Which ciphers are supported by SSL inspection?
On which platforms/appliances is HTTPS Inspection supported?
Does HTTPS Inspection support 3rd party wildcard certificates (like *.mycompany.com)?
Why after enabling HTTPS Inspection some resources that use HTTPS protocol fail to connect?
Is Client Certificate authentication supported by HTTPS Inspection?

Re: Multiple Gateways with different outbound certificate for https inspection

G_W_Albrecht — Tue, 27 Aug 2019 09:57:13 GMT

8+14.

as well as

Threat Prevention Administration Guide R80.30 p.147f

Re: Multiple Gateways with different outbound certificate for https inspection

_Val_ — Wed, 28 Sep 2022 10:00:47 GMT

If the question is: "Can I use different outbound certificates" for multiple security GWs under the same management, the answer is no. You can use one CA certificate per Security domain for the outbound TLS inspection. All GWs managed by the same SMS will share it.

If you want to use different certs, you need those GWs to be managed by different security domains. This is possible either with multiple SMSs or with MDM solution.

Re: Multiple Gateways with different outbound certificate for https inspection

_Val_ — Wed, 28 Sep 2022 10:01:14 GMT

Actually, no. See my reply