topic Re: HTTPS Inspection in R80.40 in Firewall and Security Management

HTTPS Inspection in R80.40

LostBoY — Fri, 11 Nov 2022 11:16:43 GMT

I am trying to setup https inspection in the environment where i have 3 separate domains and a zone which do not use any certificates like the proxy server.

I was wondering if its possible to upload 3 independent wildcard domain based certificates in Checkpoint and map them in the https rule base.. does GW allow multiple certificates to be uploaded ? or it has to be one certificate only ?

What are my options for a zone which does not use any certificates.

Any help is appreciated.

Thanks

Re: HTTPS Inspection in R80.40

G_W_Albrecht — Fri, 11 Nov 2022 11:48:23 GMT

sk65123 - HTTPS Inspection FAQ

sk108202: Best Practices - HTTPS Inspection

Re: HTTPS Inspection in R80.40

nooni — Fri, 11 Nov 2022 16:56:33 GMT

It is possible to use several wildcard certificates for inbound inspection, check for Additional Settings when you view HTTPS Inspection policy.

Not sure what you mean by a Zone without certificates but it is also possible to bypass traffic that should not be https inspected.

There are two options, bypass or inspect in https inspect rules. If you use inspect on a rule you must choose a certificate.

I saw GW Albrecht already sent links to documentation, please take a look at it. They are pretty clear and understandable.

Re: HTTPS Inspection in R80.40

the_rock — Fri, 11 Nov 2022 12:52:56 GMT

Here is the short answer...

For OUTBOUND https inspection -> No, ONLY one cert

For INBOUND -> Yes, you can have multiple

Andy

Re: HTTPS Inspection in R80.40

PhoneBoy — Fri, 11 Nov 2022 16:28:11 GMT

HTTPS Inspection generates certificates on the fly which are signed by a Certificate Authority (CA).
Wildcard certificates cannot be used as they are not CA keys.
Only a single Certificate Authority for outbound HTTPS Inspection is allowed per gateway/virtual system.

Re: HTTPS Inspection in R80.40

Sorin_Gogean — Fri, 11 Nov 2022 17:21:43 GMT

Hi,

For us to better understand your set-up, can you elaborate a bit more on "setup https inspection in the environment where we have 3 separate domains" - more on the last part of the phrase.

In our company where we implemented HTTPS Inspection, we have a Root CA (smth.int) that has 3 sub CA's like ( regionEU.smth.int, regionNA.smth.int and regionAP.smth.int) . But the delegated sub-CA we installed on the CheckPoint, was generated by the Root CA (smth.int) so all clients from the regions will trust it.

Hopefully it will clarify your question, but please come back with the asked details.

Ty,

Re: HTTPS Inspection in R80.40

LostBoY — Tue, 15 Nov 2022 09:21:11 GMT

Thanks for the reply..

we actually have 3 separate domains running in the environment which use their own independent certificate sets. I was wondering if i can upload multiple certificates in checkpoint referencing each domain such that i can map those certificates in separate https rules for inbound/outbound communication.

Re: HTTPS Inspection in R80.40

LostBoY — Tue, 15 Nov 2022 09:23:33 GMT

Thanks for the reply.. so outbound supports only one certificate which cannot be a wilcard ? are multiple certificates supported for inbound ?

i came across a link which suggested using wildcard certificates for https inspection.i am not sure about the use case though .i will try linking that article here

Re: HTTPS Inspection in R80.40

LostBoY — Tue, 15 Nov 2022 09:25:54 GMT

Thanks for the reply..there is a zone where servers aren't using any certificates..so my query was if i want to enable https inspection for those , do i need to use any default certificate or it cant be done and i need to use a bypass rule.

Re: HTTPS Inspection in R80.40

Sorin_Gogean — Wed, 16 Nov 2022 09:55:24 GMT

Like I (and others said), on Outbound inspection you can have a single certificate, so you could do an CA or sub-CA that would be trusted by all 3 of your domains members/clients and should be good.

For Inbound, if you intend to inspect traffic that is coming for WebServer Domain A and WebServer Domain B, you can have those individually - obviously 🙂 .

Enjoy,