https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77925#M3210 <P>Not an option unfortunately. And I am not sure it is supported on SMB.</P> Wed, 11 Mar 2020 04:23:19 GMT HristoGrigorov 2020-03-11T04:23:19Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77396#M3177 <P>Any of you guys managed to configure inbound HTTPS Inspection on R77.20?</P> <P>I want to do it between two internal hosts and I seem to miserably fail to achieve it <span class="lia-unicode-emoji" title=":beaming_face_with_smiling_eyes:">😁</span></P> Fri, 06 Mar 2020 06:17:09 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77396#M3177 HristoGrigorov 2020-03-06T06:17:09Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77435#M3180 <P>Hi,</P><P>I am guessing, that you are asking for SMB appliances.</P><P>If the device is localy managed, than it is not supported. If it is centraly managed, than it is suppored.</P><P>More details you can find on bellow link.</P><P><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105380" target="_blank">https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105380</A></P><P>&nbsp;</P><P>Regards,</P><P>Mario</P> Fri, 06 Mar 2020 10:43:58 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77435#M3180 MarioB_1 2020-03-06T10:43:58Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77457#M3181 <P>Update to R80.30!</P> Fri, 06 Mar 2020 13:38:48 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77457#M3181 TomTom 2020-03-06T13:38:48Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77480#M3182 The SMB appliances have a slightly different code base.<BR />These cannot be upgraded to R80.30. Fri, 06 Mar 2020 16:01:26 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77480#M3182 PhoneBoy 2020-03-06T16:01:26Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77483#M3183 <P>Thanx for your comments guys. I forgot to mention I am asking about centrally managed 1470 appliance. I know it is supported, I just want someone that actually did it and can confirm it works. </P> Fri, 06 Mar 2020 16:05:51 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77483#M3183 HristoGrigorov 2020-03-06T16:05:51Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77492#M3184 <P>It works fine from external hosts to internal.</P><P>I had many issues with internal to internal inspection. It seems besides presenting the server certificate the gateway also tried to generated an outbound certificate, doing a double inspection or something like this.</P> Fri, 06 Mar 2020 17:17:37 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77492#M3184 Pedro_Espindola 2020-03-06T17:17:37Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77494#M3185 <P>Thanx Pedro, that confirms my observations. Unfortunately I have Nginx that serves few internal host so inspection before it is not possible.</P> Fri, 06 Mar 2020 17:23:50 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77494#M3185 HristoGrigorov 2020-03-06T17:23:50Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77497#M3186 So traffic hits the NGINX server before going to the gateway for ssl inspection?<BR />For that to work, I think the interface that connects to the NGINX would have to be configured as external. Fri, 06 Mar 2020 17:33:12 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77497#M3186 Pedro_Espindola 2020-03-06T17:33:12Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77498#M3187 <P>INTERNET --&gt; CPFW --&gt; NGINX --&gt; WEB 1 .. N</P> <P>Each WEB server has its own certificate.</P> Fri, 06 Mar 2020 17:44:33 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77498#M3187 HristoGrigorov 2020-03-06T17:44:33Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77912#M3209 <P>What about using wildcard certificates or multiple alternate names?</P> Tue, 10 Mar 2020 19:28:56 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77912#M3209 Pedro_Espindola 2020-03-10T19:28:56Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77925#M3210 <P>Not an option unfortunately. And I am not sure it is supported on SMB.</P> Wed, 11 Mar 2020 04:23:19 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77925#M3210 HristoGrigorov 2020-03-11T04:23:19Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77985#M3219 <P><SPAN>Then I guess you'll need to have NGINX in a separate network defined as EXTERNAL and do this:</SPAN></P> <P><SPAN>INTERNET --&gt; CPFW --&gt; NGINX --&gt; CPFW (SSL inspection) --&gt; WEB 1 .. N</SPAN></P> Wed, 11 Mar 2020 14:49:18 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/77985#M3219 Pedro_Espindola 2020-03-11T14:49:18Z https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/78002#M3222 <P>Yeah, that seems to be the only option for the time being. Thanx for giving that idea.</P> Wed, 11 Mar 2020 16:25:21 GMT https://community.checkpoint.com/t5/Spark-Firewall-SMB/Inbound-HTTPS-Inpsection/m-p/78002#M3222 HristoGrigorov 2020-03-11T16:25:21Z