topic Re: HTTPS inbound in Firewall and Security Management

HTTPS inbound

Moudar — Mon, 13 May 2024 11:35:52 GMT

Does HTTPS inbound inspection requires a certificate from a well-known and trusted Certificate Authorities (CAs) that issue SSL/TLS certificates like
DigiCert
Comodo
GlobalSign
GoDaddy

to be able to inspect inbound traffic without the TLS warning on browsers?

While outbound HTTPS inspection can be a valuable security tool, it has limitations when it comes to detecting malware on external websites. This inspection focuses on the traffic initiated by the client (your device) and cannot directly analyze the content of the response data sent back by the website.

Is the above text 100% right

Re: HTTPS inbound

Chris_Atkinson — Mon, 13 May 2024 12:57:57 GMT

Outbound inspection is for protecting LAN users accessing external websites on the Internet.

Inbound inspection is guarding against attacks targeting your web servers in the DMZ for example.

https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/HTTPS-Inspection.htm

Re: HTTPS inbound

Moudar — Mon, 13 May 2024 12:43:49 GMT

so if an internal client is opening a milicious website, outbound inspection will detect the answer from that server and block it?

Does HTTPS inbound inspection requires a certificate from a well-known and trusted Certificate Authorities (CAs) that issue SSL/TLS certificates like
DigiCert
Comodo
GlobalSign
GoDaddy

to be able to inspect inbound traffic without the TLS warning on browsers?

Re: HTTPS inbound

PhoneBoy — Mon, 13 May 2024 16:42:59 GMT

Depends on the site you are doing Inbound HTTPS Inspection on.
If that site should use a certificate that has been signed by a publicly trusted CA, so should the certificate you use in the Inbound HTTPS Inspection configuration.
Generally, the same cert is used for both.

Re: HTTPS inbound

the_rock — Mon, 13 May 2024 17:04:42 GMT

I have real good doc for this, but it was made specifically by esc. guy for a customer, so cant share it sadly, but answers you got are logical.

Andy

Re: HTTPS inbound

emmap — Tue, 14 May 2024 06:23:26 GMT

Please don't confuse 'Inbound' with 'reply' traffic. Anything referring to 'Inbound' is referring to connections established from outside your network, connecting in to a server you are hosting, for example you might be hosting a web server that people are connecting in to. In this case you'd need a publicly trusted server certificate.

'Outbound' is any connection opened from within your network out to the internet, and covers all the packets related to that connection. So a user downloading a file from the internet is an 'outbound' connection, because the user established the connection to the web server. This connection and the download of the file would be covered by the Outbound HTTPS Inspection configuration, and the CA certificate used for this. Only the user on your network needs to trust this CA cert, the external server is not doing any validation of the CA cert as it does not see it at all. It simply presents its server cert (ideally provided by a publicly trusted CA) to the world and it's up to the user PC to trust that cert.

Re: HTTPS inbound

the_rock — Tue, 14 May 2024 11:12:29 GMT

Excellent explanation.