topic Any workaround for this in General Topics

Any workaround for this

HUNT_LEE — Wed, 12 Feb 2020 04:07:59 GMT

Currently our Guestnet (for Wifi) cannot stops people from accessing “naughty” HTTPS websites because the checkpoint can’t decrypt the outbound HTTPS traffic from non-corporate devices.

Is there any way to get around this problem? As manually forcing guest users to install our Checkpoint certificate is not feasible / not enforceable, what other options do we have? (reading my mind out aloud, if we upgrade our GWs to R80.20, will SNI fix / bypass this issue so the URL inspection / categorization can be used?)

Cheers,

Hunt

Re: Any workaround for this

PhoneBoy — Wed, 12 Feb 2020 04:13:55 GMT

Either upgrade to R80.20 with the recent JHF that has the SNI fix or use R80.30+ which also includes it.

Re: Any workaround for this

Tal_Paz-Fridman — Wed, 12 Feb 2020 07:07:50 GMT

Adding to what PhoneBoy wrote you can also refer to sk163594 - What's new in HTTPS Inspection starting from R80.20:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk163594

"Starting in R80.20 and R80.30 latest Jumbo Hotfix Accumulators, HTTPS Inspection offers important new features in the domains of security and usability.

To take advantage of these new capabilities, upgrade to R80.20 Jumbo Hotfix Accumulator Take 118 (and higher), or R80.30 Jumbo Hotfix Accumulator Take 111 (and higher)."

Re: Any workaround for this

Wolfgang — Wed, 12 Feb 2020 07:14:42 GMT

Hunt_Lee,

you're right, as @PhoneBoy mentioned SNI with URL-Filter is your solution without HTTPS-inspection.

Don't forget to enable "categorize HTTPS websites"

Wolfgang

Re: Any workaround for this

HUNT_LEE — Thu, 13 Feb 2020 05:15:46 GMT

Hi all,

If i install a public CA certificate (e.g. Verisign, GoDaddy) onto my CheckPoint, and change all the outbound rules to used this new certificate for outbound traffic.

Would then my guest users traffic be able to be inspected by CheckPoint? Or would they still need to install this CA certificate manually by themselves (which is not enforceable).

Cheers,

Hunt

Re: Any workaround for this

Wolfgang — Thu, 13 Feb 2020 06:27:58 GMT

Yes, that's possible. If you use an SUB-CA issued from a root CA which is trusted by your client devices everything would be fine.

Any certificate issued from a trusted CA or trusted sub CA will be trusted on you clients. All depends on the trusted root CAs on your clients. You can use the defaults from Windows, Linux, MACs, Android, IOS etc. already installed on your clients or you can install your own. But with your own you have to touch these devices.

Wolfgang.

Re: Any workaround for this

PhoneBoy — Thu, 13 Feb 2020 19:41:23 GMT

No globally trusted Certificate Authority would issue you a sub-CA for this purpose.
Any time such certificates do manage to get out in the wild, they tend to get banned fairly quickly and generate bad press for the organizations involved.

Re: Any workaround for this

Maarten_Sjouw — Thu, 13 Feb 2020 22:09:02 GMT

No Verisign or GoDaddy alike company will give you a Sub CA as that would mean you do not need them anymore to generate certificates.
Most often used Sub-CA is from a Microsoft Certificate server. All Windows machines that trust your AD will also trust that Certificate.

The Guest users still need to trust your AD - CA, or you need to bypass their traffic from HTTPS decryption, based on source network.

Re: Any workaround for this

HUNT_LEE — Thu, 13 Feb 2020 22:55:24 GMT

Hi all,

If i have a *.mycompany.com.au certificate issued by Digicert, can i use this certificate as wouldn't the public users trusted the cert issued by a CA like Digicert?

Cheers,

Hunt

Re: Any workaround for this

PhoneBoy — Thu, 13 Feb 2020 23:52:07 GMT

The certificate used must be a Certificate Authority certificate capable of signing certificates.
What you have is a wildcard certificate, which cannot be used for outbound HTTPS Inspection.

Re: Any workaround for this

Wolfgang — Fri, 14 Feb 2020 07:10:39 GMT

Hunt,

I very much apologize for misunderstanding my writing. Yes, the guys here are really right, you can't by such SUB-CA.

I have one customer they did this, but they are the owner of one of these Root-CAs.

As @PhoneBoy and @Maarten_Sjouw mentioned you have to follow their suggestions and implement your owned Sub-CA.

Wolfgang