topic Re: HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39) in Firewall and Security Management

HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

freshwater84 — Fri, 03 Oct 2025 05:13:30 GMT

Dear Community,

We have several HTTPS-443 Services running in our datacenter, and start now to protect that with INBOUND HTTPSinspection.
So far everything works like a charm. But we also have one destination, which is a reverse proxy, and handles different HTTPS services in the backend. Unfortunately their services SSL certificates are different domains.
But I cannot place more than one SSL certificate per INBOUND rule.
Is there a way to make it work, like to make just a second rule with the same destination, but different certificate, even the rule will be identically, except the presented certificate?
Means, is the Checkpoint able, to see from the host the WAN client is calling, which rule and certificate he should present?

Thanks in advance

Re: HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

PhoneBoy — Fri, 09 Jan 2026 20:01:38 GMT

You can work around this by creating a single certificate with ALL the relevant FQDNs added as SANs.
This is exactly how Google serves many different services from the same IPv4 address, as shown below:

Re: HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

the_rock — Sun, 05 Oct 2025 18:35:09 GMT

You cannot sadly add more than one certificate per inbound rule, you would have to create multiple rules and use different certificate.

Best,

Andy

Re: HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

SomAustrianCity — Mon, 06 Oct 2025 15:41:43 GMT

Hi,

while it is true that you can only have one certificate per rule, it is still possible to use multiple certificates.

The trick is to specify set an "Application/Site" Object in the "Category/Custom Application" colum. Now you can specify when a connection will match a rule, as the firewill will check the SNI header.

Just be aware that these Objects are made from a proxy perspective, not a reverse-proxy. Meaning, if you simply enter test.mydomain.com, it will also match newversion.test.mydomain.com. In case of a more complex setup, you may have to work with Regexes, like
for an exact hostname: "^test\.mydomain\.com$"
or for a wildcard cert: "^[^\.]+\.mydomain\.com$"

Tested on R81.20Mgmt+GW, and on R82Mgmt+R81.20GW. (Not yet used on a R82GW, but i don't see why it shoudn't work there)

I would wish for Checkpoint to implement an automatic solution for inbound inspection, but, alas, for now you have to do it manually.

Re: HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

freshwater84 — Fri, 10 Oct 2025 10:16:48 GMT

Hi SomAustrianCity,

Thanks you, works like a charm on R82. In our case subdomains are fine, so without RegEx it works with *.domain.tld. Should be worth to make an SK about it...