https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168824#M1383 <P>Did you check:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk178625&amp;partition=Advanced&amp;product=Quantum" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk178625&amp;partition=Advanced&amp;product=Quantum</A>&nbsp;</P> Tue, 24 Jan 2023 00:28:05 GMT PhoneBoy 2023-01-24T00:28:05Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168696#M1381 <P>We have a single gateway acting as a perimeter firewall and a maestro setup with 1 security group. Both are being managed by a Single SMS. Our testing aims to access Facebook but block Facebook-Posting. This requires HTTPS inspection and we enabled it&nbsp;on both gateway and maestro.</P><P>Behind the gateway we have a test PC and it is working properly. Facebook posting is blocked, However, on the test PC behind Maestro, it's not working. Please see attached images for reference.&nbsp;</P><P>Anyone experienced this before? Thanks in advance.&nbsp;</P><P>&nbsp;</P> Mon, 23 Jan 2023 08:04:00 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168696#M1381 jnra 2023-01-23T08:04:00Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168743#M1382 <P>Maestro logs say Unreached OSCP, which for me means the certificate is not recognized which means GW behind Maestro doesn't decrypt the traffic. Dig in this direction.</P> Mon, 23 Jan 2023 14:22:01 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168743#M1382 MartinTzvetanov 2023-01-23T14:22:01Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168824#M1383 <P>Did you check:&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk178625&amp;partition=Advanced&amp;product=Quantum" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk178625&amp;partition=Advanced&amp;product=Quantum</A>&nbsp;</P> Tue, 24 Jan 2023 00:28:05 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168824#M1383 PhoneBoy 2023-01-24T00:28:05Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168826#M1384 <P>Yes. I tried getting the current value with fw ctl get command but I'm getting an error. Will update you once I get to work on our setup later.&nbsp;</P> Tue, 24 Jan 2023 01:03:32 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168826#M1384 jnra 2023-01-24T01:03:32Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168827#M1385 <P>I performed sk<SPAN>178625 and change the value of appi_urlf_ssl_cn_perform_hold_for_cert_validation from 0 to 1 but still I encountered the same issue. I still get lots of "Unreached OCSP" https validation.&nbsp;</SPAN></P><P><SPAN>I have opened a TAC case for this concern as well.&nbsp;</SPAN></P> Tue, 24 Jan 2023 01:22:21 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168827#M1385 jnra 2023-01-24T01:22:21Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168926#M1389 <P>Do you have Layer 4 distribution enabled?&nbsp; It is by default...</P> Tue, 24 Jan 2023 12:48:58 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/168926#M1389 Timothy_Hall 2023-01-24T12:48:58Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169000#M1393 <P>Yes. L4 mode was enabled. I also tried setting the interfaces distribution mode manually by setting external interface as network and internal interface as user.&nbsp;</P> Wed, 25 Jan 2023 01:06:42 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169000#M1393 jnra 2023-01-25T01:06:42Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169002#M1394 <P>Is the connection being HTTPS Inspected on both the Maestro SG and the perimeter gateway? Double inspection is not supported, so either just do it on the perimeter gateway or make sure that you exclude the Maestro IPs and the networks behind the Maestro from inspection on the perimeter gateway,</P> Wed, 25 Jan 2023 01:56:26 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169002#M1394 emmap 2023-01-25T01:56:26Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169003#M1395 <P>On my initial setup, Maestro SG is behind perimeter firewall. Currently, I have&nbsp; a direct internet connection for Maestro SG.</P> Wed, 25 Jan 2023 02:03:27 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169003#M1395 jnra 2023-01-25T02:03:27Z https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169011#M1396 <P>Thank you everyone. the issue was resolved after blocking Quic and Quic Protocol.&nbsp;</P> Wed, 25 Jan 2023 03:01:49 GMT https://community.checkpoint.com/t5/Hyperscale-Firewall-Maestro/Maestro-HTTPS-Inspection/m-p/169011#M1396 jnra 2023-01-25T03:01:49Z