topic Re: HTTPS inspection with trusted certificate in General Topics

HTTPS inspection with trusted certificate

Ewane_Junior — Tue, 23 Jan 2018 09:49:25 GMT

Hello Guys, I need your help regarding https.

We have a checkpoint deployment and want to enable https inspection but need a trusted certificate.

Please do advice on how/where to get this trusted certificates and types with details on how to make filtering sub https pages.

Thanks

Regards

Re: HTTPS inspection with trusted certificate

Vladimir — Tue, 23 Jan 2018 13:55:51 GMT

Ewane,

In order to implement HTTPS inspection, you need to either use Root or sub-CA.

The easiest way to get this to work is to issue a self-signed certificate on your Check Point gateway and distribute it to PCs and servers in your organization via GPO, (or installed manually or scripted).

Alternatively, if you have an established PKI in your organization, you can create certificate in there and import it in Check Point gateways.

If you were thinking about using host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc, this will not work.

I strongly suggest reading HTTPS Inspection FAQ and HTTPS inspection with 3rd party certificate shows browser error .

Re: HTTPS inspection with trusted certificate

Vladimir — Tue, 23 Jan 2018 14:44:22 GMT

You can watch this short video that illustrates the process using manual root CA certificate installation process:

https://youtu.be/hzpCxlLTge0

Re: HTTPS inspection with trusted certificate

PhoneBoy — Sat, 27 Jan 2018 06:38:45 GMT

If you were thinking about using host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc, this will not work.

Using such sub-CA keys for HTTPS Inspection purposes is explicitly against the Terms of Service of public CAs.

Re: HTTPS inspection with trusted certificate

John_Curtiss — Mon, 29 Jan 2018 21:13:52 GMT

I found that when using https inspection that if an sub-https page is called for certificate exchange - in the client hello SNI field that the exchange will fail as the firewall detects the first packet is not a syn. The way I have bypassed this is downloading the "Application Control Signature Tool" from Checkpoint. You build your own app from the contents of the SNI field as if it were a Checkpoint built app. (Unfortunately you cannot add custom categories so I just use Government.) In my https inspection policies I bypass Government. It not perfect but it is allowing https inspection to run for all applications. Of course I have to build an app any time something fails.

Re: HTTPS inspection with trusted certificate

Ewane_Junior — Fri, 02 Feb 2018 08:38:50 GMT

Hello John,

It is possible to create a custom category and include all your self-signed build app instead of using Checkpoint already assigned category.

Re: HTTPS inspection with trusted certificate

John_Curtiss — Fri, 02 Feb 2018 16:35:41 GMT

How?

Re: HTTPS inspection with trusted certificate

Ewane_Junior — Fri, 02 Feb 2018 16:55:21 GMT

Go to the application tab

click on application/sites

click on new and select category

add a name and click finish

Now when you are creating your application use that category new.

Re: HTTPS inspection with trusted certificate

John_Curtiss — Fri, 02 Feb 2018 17:15:53 GMT

However, the custom categories do not appear in the list using the ACST.exe tool. Only Checkpoints standard categories. I am using ACST_v1.3.1.