Ilovecheckpoint
Participant

err_ssl_protocol_error on a website

Hello, 

A user needs to access a site which has a revoked certificate.

I am fine with allowing access to it; he does not need to authenticate or enter any sensitive data on it.

HTTPS Inspection is not activated, but URL Filtering is, and it shows the revoked certificate as Detect.

IPS and antivirus blades are activated as well.

The same PC connected to a different Internet connection can browse the site.

Categorized HTTPS website is activated as well, in general properties.

How can I grant user access to this site?

0 Kudos
10 Replies
PhoneBoy
Admin

You posted this question in Harmony Browse space, yet you're asking this as if this is going through a gateway.
Confirm the product and versions/JHF in use.

In any case, by default, we validate the certificate ourselves and deny access if the certificate is revoked.
This can be changed.
In R82, this can be done in SmartConsole:

image.png

In R81.20 and earlier, it must be done in SmartDashboard:

image.png

In either case, it requires publishing and installing the Access Policy to take effect.

0 Kudos
the_rock
Legend

I think that server certificate setting is only applicable though if they have https inspection enabled?

Andy

0 Kudos
PhoneBoy
Admin

It's also used as part of Verified SNI.

0 Kudos
Ilovecheckpoint
Participant

Thank you for the information.

My version is R81.20 Take 99.

So even if HTTPS inspection has not been configured, the default option "Revoked server certificate" is performed, so it drops the communication.

Checking the log, it shows only Detect, and this led me to think that the behaviour is not to block it but just to inform, but I'm wrong.

If I disable this option, I understand it is global for all sites; I was hoping there was a way to create an exception.

 

0 Kudos
PhoneBoy
Admin

Perhaps I was mistaken that this setting is used for Verified SNI.
It definitely is for HTTPS Inspection, and yes this is a global setting.
No action is required here, but that explains the error.

0 Kudos
the_rock
Legend

I would definitely see if you can install R81.20 with recommended jumbo hotfix 105 and see if that fixes the issue.

Andy

0 Kudos
Ilovecheckpoint
Participant

I have noticed, for domains where I upgraded from R81.20 to R81.20, the install option is not enabled by default.

On domains where the firewall has been installed on R81.20, this option is enabled by default.

0 Kudos
the_rock
Legend

That's right.

0 Kudos
the_rock
Legend

Do you have a screenshot of it?

Andy

0 Kudos
Lesley
Authority

Try to make a bypass rule above the current HTTPS inspection rule. Instead of the URL, use the IP of the relevant website.

 

-------
If you like this post please give a thumbs up(kudo)! 🙂
