topic Connection Flow. in Firewall and Security Management

Connection Flow.

Matlu — Tue, 16 Jan 2024 21:50:18 GMT

Hello,

I have a question.
I have a FW in version R81.10 with JHF Take 110.

In my LAN I have a Mail Server (On Premise) published to the Internet.

The Server Certificate has been updated.

When the users from the LAN try to access the Mail Server, everything flows fine (they don't get the alert in the browser that "The connection is not secure".

On the other hand, when we try to access from the Internet to the mail server, pointing to the domain, the result is that "THE CONNECTION IS NOT SECURE".

In this kind of scenarios, it is necessary and mandatory, to "import" the certificate in the Firewall, from the SmartDashboard Legacy, referring to the HTTPS Inspection?

Greetings.

Re: Connection Flow.

Lesley — Tue, 16 Jan 2024 22:09:50 GMT

Sounds like public dns record issue. Do nslookup of the domain the output should match the public ip that you use on the firewall for this server. If dns record ip does not match you get warning

Re: Connection Flow.

Matlu — Tue, 16 Jan 2024 22:24:45 GMT

Hello,

In my case, it does match.

When from the Internet, I do a NSLOOKUP to the domain, if I resolve the Public IP that has been designated in the Firewall, for the connection to the mail server.

Is it necessary to import the certificate of the mail server, to the Firewall, to avoid these "alerts" from the Internet connections?

Greetings.

Re: Connection Flow.

the_rock — Wed, 17 Jan 2024 01:09:48 GMT

Ola bro,

Happy New Year : - )

I dont think importing that cert has anything to do with it, that simply related to inbound https inspection.

What @Lesley said makes sense to me as well.

Andy

Re: Connection Flow.

the_rock — Wed, 17 Jan 2024 02:23:12 GMT

Hey bro, cert is only needed if you are doing INBOUND https inspection, otherwise, no need to import it into smart console. Same as if you were doing outbound ssl inspection, cert has to be uploaded to users, so those warnings dont show up.

Andy

Re: Connection Flow.

Matlu — Wed, 17 Jan 2024 02:34:09 GMT

Buddy,

This type of scenario is when the FIREWALL acts as a "WAF", isn't it?

Most of my client's rules only had rules based on "OUTBOUND" traffic

They have HTTPS Inspection enabled, but only for LAN -> WAN traffic, not the other way around.

The problem that I get in the browser, the message "The connection is not secure" from the Internet, when I try to access the published mail server, it would be an issue to check with the DNS provider of the client, right?

Cheers. 🙂

Re: Connection Flow.

the_rock — Wed, 17 Jan 2024 03:06:26 GMT

I got ya. You can try that, wont make it worse, see if it makes any difference.

Andy

Re: Connection Flow.

Matlu — Wed, 17 Jan 2024 12:22:29 GMT

I have done some research.

Apparently it's a "registration" problem at the "DNS service" level.

I understand that to prevent Internet users from getting the certificate error "The connection is not secure", you have to publish the domain in a MX record of my DNS service ... at least something like that is what I have understood.

Does this make sense?

Re: Connection Flow.

the_rock — Wed, 17 Jan 2024 12:27:03 GMT

100% makes sense