topic Re: HTTPS Inspection issue in Firewall and Security Management

HTTPS Inspection issue

rmasprey — Thu, 08 Sep 2022 08:47:08 GMT

Hi All,

I have opened a case with checkpoint on Friday last week, still haven't got the issue resolved, so maybe somebody here can give me some ideas of where to look.

The client has a 3100 Appliance with Checkpoint management server and HTTPS inspection enabled. Management Server and Device both running version R81.10 and up to date.

Users have been experiencing issues logging into Teams, and in my testing I have had issues connecting to certain websites like office.com and even checkpoint.com. The https inspection certificate is deployed via GPO and it is installed on under Trusted Root Certificate Authority.

Testing with Chrome I get an error your connection is not private. You cannot visit www.checkpoint.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later.

I updated the Trusted Ca list and added the Https Inspection Certificate to the list under SmartDashboard and installed policy but that has not helped.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk106996&partition=Basic&product=HTTPS

I have resorted to bypassing all traffic in the HTTPS Inspection policy which is not ideal and then I can connect to checkpoint.com or office.com without any issues.

Re: HTTPS Inspection issue

G_W_Albrecht — Thu, 08 Sep 2022 10:45:33 GMT

This is a StandAlone SMS / GW with https inspection enabled ? This is HW from 2016, so it might well be that R81.10 SMS & GW & https inspection is too much work - have a look in cpview to see the load history !

Re: HTTPS Inspection issue

rmasprey — Fri, 09 Sep 2022 11:19:57 GMT

Thank you for your reply. Yes it is StandAlone SMS / GW with HTTPS inspection enabled. Cpview looked okay from what I could tell.

Browsing office.com as my testing I noticed the bellow observations, the left image is with HTTPS inspection, the right is without.

The custom HTTPS bypass rule does not appear to be working, I have added portal.office.com and office.com and it still inspects them. The financial services rule is working in that I could connect to banking sites with no issue.

I tried a local news website, and it connects fine, the certificate shows issued by and the name of the HTTPS inspection certificate "client.com"

I observe the following log in the Man Server:

I have had a look at sk159872, which doesn't seem to give me any help, I updated the Trusted CA list on the smartdashboard with Checkpoint support yesterday. I have added the https inspection certificate to this list and it has not helped. I have observed a fair number of Microsoft URL's failing with Untrusted Certificate.

I am waiting for more feedback from Checkpoint as to what to check next.

Re: HTTPS Inspection issue

the_rock — Fri, 09 Sep 2022 12:14:49 GMT

I worked with customer who had very similar issue and it turned out to be certificate related, will have to see what exactly. Question...does same problem happen in EVERY browser, or just chrome?

Re: HTTPS Inspection issue

rmasprey — Fri, 09 Sep 2022 14:02:23 GMT

I have tried it in edge and does a similar thing, the certificate has been in use since 2019. Issued to is the "domain.com" of the client. I wander if the name is causing issues, if I recall it was generated on the firewall when we setup HTTPS inspection.

In edge I get the following warning but can choose to to still visit the site.

I upgraded the firewall to R81.10 on the 18 August, and 2 weeks later (2 September) I was notified of issues with staff connecting to teams. If it broke with the upgrade to R81.10 I would have expected to be notified much earlier as they have weekly Teams meetings.

Re: HTTPS Inspection issue

rmasprey — Fri, 09 Sep 2022 14:23:07 GMT

Firefox showed the following information first on office.com

When I go to a local news site I saw this warning checking the certificate and shows the verified by certificate name.

The certificate issued is self issued from the firewall and was added by the administrator via GPO. I understand the basic concepts of how HTTPS inspection works, but I can't figure out which part of the process is failing causing the your connection is not secure warning.

Could certain websites like office.com or checkpoint.com have extra security and warning the browser it is not getting a known certificate so this connection is insecure. The local news website doesn't have these added security features which is why it connects to the site and gives the warning as above when viewing the certificate details.

Re: HTTPS Inspection issue

the_rock — Fri, 09 Sep 2022 14:27:36 GMT

I saw with my customer it was the issue where SAN (subject alternative name) was missing in the cert, but may had not been exact same problem like what you are having. Question...when you compare the cert you see for one that works and one that does not, what is the difference?

Re: HTTPS Inspection issue

Wolfgang — Fri, 09 Sep 2022 19:27:26 GMT

@rmasprey you wrote certificate from the firewall is self signed…

Does this mean you are using CheckPoints firewall management internal CA for HTTPS inspection?

If yes, you have to deploy this root CA certificate to your clients. If you have a look at the trusted chain on the client you should see the newly created certificate for the inspected website and all CAs up to the root CA.

Re: HTTPS Inspection issue

rmasprey — Mon, 12 Sep 2022 03:58:03 GMT

Thank you for the reply @Wolfgang, yes it is a self signed certificate from the firewall and it is deployed to the workstations via a group policy. This has been working up until recently.

Re: HTTPS Inspection issue

rmasprey — Mon, 12 Sep 2022 04:04:24 GMT

@the_rockthank you for coming back to me. I will have a look at the certificates in more detail. Its weird that I can connect to some sites and the browser shows me the https certificate and it works but refuses to connect to Microsoft or Checkpoint websites.

Maybe I need to create a new certificate on the firewall and see if that solves the issue.

Re: HTTPS Inspection issue

the_rock — Mon, 12 Sep 2022 11:38:36 GMT

I get what @Wolfgang is saying, but I find it odd that it worked fine for some time and then stopped all of a sudden. I have a really nice lab with https inspection that it works using self signed cert from the firewall if you wish to have a look, happy to show you. I have windows 10 PC behind the fw and we can test any site you have issue with.

Let me know.

Andy

Re: HTTPS Inspection issue

rmasprey — Tue, 13 Sep 2022 11:20:16 GMT

Hi Andy,

Thank you for your reply. I would be interested to see what the certificate info is in your lab with https inspection if you visit https://www.checkpoint.com/

When I go to checkpoint using Edge I get the bellow on the certificate info. The issued by part is what is causing my issues I suspect. On other websites that work it shows the name of the certificate the firewall created.

How it looks on my machine bypassing HTTPS inspection as I am not domain joined.

Today I resorted to adding all the users who need to use Teams meetings to a bypass group we have as temporary fix.

Re: HTTPS Inspection issue

the_rock — Tue, 13 Sep 2022 12:43:54 GMT

I get exact same message for cert as your 2nd screenshot, but thats most likely because I am NOT inspecting the website, otherwise, if I were, I would get firewall cert.

Andy

Re: HTTPS Inspection issue

rmasprey — Wed, 14 Sep 2022 12:07:22 GMT

Thank you for this Andy. I have a HTTPS Custom Bypass list under No SSL inspection, which includes Health and Financial Services category. The groups appear to work as I can reach bank sites, the custom list is not working 100%. I added https://www.checkpoint.com/ but still can't get to the site with out a warning. Going to do some troubleshooting with this area.

Re: HTTPS Inspection issue

the_rock — Wed, 14 Sep 2022 12:23:55 GMT

Lets do remote, I would need to see why that happens.

Re: HTTPS Inspection issue

rmasprey — Mon, 19 Sep 2022 13:09:40 GMT

Thank you for the reply Andy. Checkpoint had booked a support call for today and they resolved the issue.

Re: HTTPS Inspection issue

the_rock — Mon, 19 Sep 2022 13:13:48 GMT

What was the solution if you dont mind sharing? We always like to share the positive outcome, so it helps everyone else.

Andy

Re: HTTPS Inspection issue

rmasprey — Mon, 19 Sep 2022 13:16:28 GMT

Thank you to everybody who took the time to respond to the issue I was experiencing. I did a remote session with checkpoint, the issue was resolved adding two Certificate Authorities that where missing to the Https Inspection Trusted CA.

ISRG Root X1

DigiCert Global Root G2

Once these where added I was able to connect to the office.com and checkpoint site without any issues.

Re: HTTPS Inspection issue

the_rock — Mon, 19 Sep 2022 13:18:48 GMT

Ah, makes sense. We had case with escalation about this in the past and were give some sort of script from R&D, but then were told not to run it as it could cause more issues, so client just added them manually. Glad it worked out!

Re: HTTPS Inspection issue

casgrain — Fri, 24 Feb 2023 20:37:00 GMT

How did you add those CAs to the list?