topic Re: HTTPS inspection TLS warning in Firewall and Security Management

HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 08:35:53 GMT

I have enabled HTTPS and exported the certificate to a test machine. When visiting various websites it works as expected.

But a websites like checkpoint.com or cisco.com would show a warning

it works fine with google for example!

so I wonder why will some work and some not?

the log looks like this:

I suspect that we need to buy a well trusted certificate to make that work?!

Re: HTTPS inspection TLS warning

Timothy_Hall — Wed, 15 May 2024 12:49:05 GMT

Code level?

Make sure your list of trusted CAs for HTTPS Inspection is up to date, the ability to update these is still located in the SmartDashboard accessible from Manage & Settings...Blades...HTTPS Inspection...Configure in SmartDashboard...HTTPS Inspection...Trusted CAs. Later code levels keep this CA list up to date automatically.

Could also be this: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 12:53:48 GMT

No, you dont need to buy trusted CA for this to work, I have https inspectin lab and I use one generated from the mgmt server and works fine. Is it just one website or multiple? Make sure below is checked in legacy smart console.

Andy

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 13:14:17 GMT

version 81.20

Now I have installed the latest updates and done this:

but still getting the same tls warning!

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 13:17:32 GMT

You see this on EVERY site or just some?

Andy

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 13:28:44 GMT

it is not working for example:

microsoft.com

cisco.com

as what i could notice!

I am getting this error:

NET::ERR_CERT_AUTHORITY_INVALID

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 14:37:03 GMT

You see that on every browser?

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 14:40:29 GMT

Google chrome and Edge

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 14:41:31 GMT

Can you send screenshot of https inspection policy?

Andy

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 18:52:51 GMT

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 18:56:04 GMT

Did it ever work or its brand new issue?

Andy

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 19:11:45 GMT

this is the first time I am testing HTTPS inspection, maybe I need to add some certificate under Trusted CAs, but which one, I have tested many but stil have same problem

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 19:28:54 GMT

You dont, they are all auto updated. I attached doc with how I have it configured, so maybe you can see if something is "missing". I will also make separate post about it.

Andy

Re: HTTPS inspection TLS warning

CaseyB — Wed, 15 May 2024 20:57:44 GMT

If your setup is bugged like mine (R81.10 JHF 141), the automatic install does not work, and you have to manually add the certificates from the list. Just click on all of them or the ones you need, then publish install.

Re: HTTPS inspection TLS warning

Moudar — Wed, 15 May 2024 21:54:07 GMT

I am running this version:

Product version Check Point Gaia R81.20
OS build 631

So I don't know if it is bugged or not!

Did you have a similar problem where many websites work but some don't?

Which certificates did you add?'

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 22:01:56 GMT

I have R81.20 jumbo 54 in the lab, all works well. Did you check file I uploaded?

Andy

Re: HTTPS inspection TLS warning

CaseyB — Wed, 15 May 2024 23:23:33 GMT

If you click the "add" button and stuff is in the list, it is bugged, as the list should be empty. Yes, I was having the same exact issue you were having. I also noticed it because of Check Point and Cisco websites. Honestly, you should add all of them in the list, but if you only want to add a few I had to do the following: go to the website on a computer not being HTTPS inspected, view the certificate, that will supply you with who the Root CA is for the site, and then add that.

If you open a TAC case, they can supply you with a script that will add all of them in the list if you don't want to manually do it.

Re: HTTPS inspection TLS warning

the_rock — Wed, 15 May 2024 23:39:48 GMT

I think they all get updated automatically, specially in R81.20

Re: HTTPS inspection TLS warning

the_rock — Thu, 16 May 2024 00:22:06 GMT

Bro, message me tomorrow, you got my gmail, lets do remote. IM available any time up until 4 pm GMT or between 5-8 GMT. Im in EST, which is GMT-4

Best,

Andy

Re: HTTPS inspection TLS warning

Moudar — Thu, 16 May 2024 09:11:43 GMT

I am not allowed to do remote because this the production environment.

But now I have succeeded adding "Digicert Global Root G2" manually which resulted to connect correctly to microsoft.com

I have used the way @CaseyB decribed above!