topic HTTPS Inspection Harmony Connect Beta in SASE and Remote Access

HTTPS Inspection Harmony Connect Beta

Tony_Graham — Wed, 17 Mar 2021 20:24:34 GMT

One of the downsides of HTTPS inspection has been the perceived complexity with basically setting up what is a MITM configuration. Harmony does a pretty good job at presenting the setup of HTTPS inspection but doesn't quite go into enough detail. You have a nice selection box for enabling it versus Basic but when it comes time to implement it you just say, Download Certs or Upload your own. There is zero help and assumes a great deal of prior knowledge which a newcomer may not have. I think this is an area that can be improved.

Re: HTTPS Inspection Harmony Connect Beta

PhoneBoy — Wed, 17 Mar 2021 22:43:48 GMT

Ultimately, what is required for HTTPS Inspection is a Certificate Authority key.
You can either generate that yourself (if you have an enterprise CA your users already trust) or use ours.
In either case, you will have to distribute this CA key to your users and ensure it is marked trusted.

And, you're correct: this could be clearer.
Another one for @Tomer_Sole

Re: HTTPS Inspection Harmony Connect Beta

Tomer_Sole — Wed, 17 Mar 2021 23:44:40 GMT

Thank you for this suggestion - indeed we should explain in more detail about the underlying technology. Our on-premises products have had detailed best practices for years, and even though we run the same software under the hood, the use cases are sharpened for mostly outbound traffic (inbound is coming later this year) and the web management is different than the on-premises management described at those guides. So until we spin-off the guides from our on-premises products, you are welcome to see this one: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk108202

Also until we work out the guides, a few advices below

Harmony Connect has 3 deployment types:

- Branch offices - where the administrator needs to deploy the certificate at the computers of the end users

- Remote users - the default certificate is actually automatically deployed as part of the first-time activation of Harmony Connect App. In case the admin modifies the certificate, they then do need to deploy the replaced certificate at the computers of the end users

- Client-less users - this use case is not applicable and SSL Inspection happens the other way around. Users do not need a special certificate in this case.

Re: HTTPS Inspection Harmony Connect Beta

Tony_Graham — Thu, 18 Mar 2021 15:36:57 GMT

Thank you for the clarifications. If you put one line in the 'Download Full Inspection Certificate', and/or the popup when you click

on 'Select' I think it would go a long way.

"A default certificate is automatically deployed as part of the first-time activation of Harmony Connect App."

Otherwise if all someone is using it for are Remote Users they may try and deploy, install and update the end user certificates

which is both unnecessary and a waste of effort. If I am understanding you correctly.

Re: HTTPS Inspection Harmony Connect Beta

Tomer_Sole — Thu, 18 Mar 2021 18:29:25 GMT

That is correct - thanks