https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32840#M6863 <HTML><HEAD></HEAD><BODY><P>Did you make the policy changes mentioned in the SK?</P><P>If you do that he hotfix should not be required.</P></BODY></HTML> Thu, 04 Oct 2018 18:03:13 GMT PhoneBoy 2018-10-04T18:03:13Z https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32839#M6862 <HTML><HEAD></HEAD><BODY><P><SPAN style="color: #1f497d;">Hello experts,&nbsp;</SPAN></P><P></P><P><SPAN style="color: #1f497d;">Do you know if there are some limitation in terms of using <SPAN style="background: yellow;">#HTTPS incoming inspection with static NAT#</SPAN>?</SPAN></P><P><SPAN style="color: #1f497d;">Does some special configuration required when configuring &nbsp;HTTPS incoming inspection with static NAT?</SPAN></P><P><SPAN style="color: #1f497d;">&nbsp;</SPAN></P><P><SPAN style="color: #1f497d;">In my LAB as you can see in the logs below:</SPAN></P><P><SPAN style="color: #1f497d;">- incoming inspection without NAT to 10.1.11.3 is inspected, </SPAN></P><P><SPAN style="color: #1f497d;">- incoming inspection with NAT to 10.1.2.10 is NOT inspected. </SPAN></P><P><SPAN style="color: #1f497d;">&nbsp;</SPAN></P><P><SPAN style="color: #1f497d;">I tried it with static and automatic NAT and became the same result. </SPAN></P><P><SPAN style="color: #1f497d;">&nbsp;</SPAN></P><P><SPAN style="color: #1f497d;">By the way: </SPAN></P><P><SPAN style="color: #1f497d;">There is an SK on that about automatic NAT problem stating that a HF might be required. </SPAN></P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110237">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110237</A></P><P><SPAN style="color: #1f497d;">Is a hot fix required? </SPAN></P><P></P><P><SPAN style="color: #1f497d;"><IMG alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/71203_Capture.JPG" /></SPAN></P></BODY></HTML> Thu, 04 Oct 2018 15:47:43 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32839#M6862 Yevgeniy_Yeryom 2018-10-04T15:47:43Z https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32840#M6863 <HTML><HEAD></HEAD><BODY><P>Did you make the policy changes mentioned in the SK?</P><P>If you do that he hotfix should not be required.</P></BODY></HTML> Thu, 04 Oct 2018 18:03:13 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32840#M6863 PhoneBoy 2018-10-04T18:03:13Z https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32841#M6864 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P>yes I did.&nbsp;<BR />As shown in the screenshot, the source IP and destination IP (NAT IP representing the server) are in the same subnet.&nbsp;</P><P></P><P>I changed the destination IP to an IP from a different subnet and the HTTPS inspection started to work. <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" />&nbsp;</P><P></P><P>To put together, the incoming HTTPS inspection seems to NOT work for the source and destination from the same subnet. I think this is fine for usual use cases.&nbsp;</P></BODY></HTML> Fri, 05 Oct 2018 07:38:30 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32841#M6864 Yevgeniy_Yeryom 2018-10-05T07:38:30Z https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32842#M6865 <HTML><HEAD></HEAD><BODY><P>I'm not familiar with a limitation relating to HTTPS Inspection being not possible in the same subnet.</P><P>Clearly, it's possible.</P><P>It may be worth a TAC case, particularly if it's a customer situation.</P></BODY></HTML> Fri, 05 Oct 2018 14:58:25 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32842#M6865 PhoneBoy 2018-10-05T14:58:25Z https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32843#M6866 <HTML><HEAD></HEAD><BODY><P>Actually it was a test for customer, but customer will use NOT have the clients and firewall in the same subnet.&nbsp;</P><P>So, this behavior is ok for the project.&nbsp;</P></BODY></HTML> Mon, 08 Oct 2018 13:55:39 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-incoming-inspection-with-static-NAT/m-p/32843#M6866 Yevgeniy_Yeryom 2018-10-08T13:55:39Z