genisis__
MVP Silver

HTTPS Inspection and Multiple Ingress Interfaces

Query - If I have a GW with HTTPS inspection enabled, but have multiple ingress interfaces on which traffic needs to be inspected, how does this work?
I assume that when the CA certificate is generated this will have an FQDN; this FQDN would then be resolved by DNS to an IP, so if the GW interface IP is different, would this cause a problem?

I've not seen an SK in order to create a CA certificate with SANs, or I could have tried that with multiple 'A' records in DNS.


Accepted Solutions
PhoneBoy
Admin

Forked this into a new thread, given the age of the thread this was posted to.

The answer is the number of ingress/egress interfaces shouldn't matter here.

For outbound inspection (i.e. users browsing the Internet), the certificate is generated "on the fly" using the same DN, etc. as the original certificate.
Provided the end user trusts the gateway's CA, the certificate should validate.

For inbound inspection (i.e. users from the Internet browsing YOUR servers), you're using either the original server certificate OR one that a random user on the Internet should be able to validate.
Here, SANs might be useful (especially if the certificate serves multiple sites). 
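
The outbound case from the answer above, as an added example that is not part of the original thread and is not Check Point code: a shell sketch with the openssl CLI showing that a client accepts the on-the-fly leaf based only on whether it trusts the signing CA and whether the leaf names the requested host. All names (`Constructed CA gw`, `www.example.test`, the helper functions) are assumptions made for illustration.

```shell
#!/usr/bin/env bash
# Added example (not Check Point code). All names are constructed; needs openssl 1.1.1+.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
CN = Constructed CA
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign
EOF

# A CA is a trust anchor: a key pair plus a subject name. Nothing in it is an
# FQDN or interface IP that clients resolve or compare against.
make_ca() {   # $1 = file prefix, e.g. "gw" -> gw.key / gw.pem
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -config "$WORK/ca.cnf" \
    -subj "/CN=Constructed CA $1" -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}

# Outbound inspection: mint a leaf "on the fly" carrying the name of the site
# the client asked for, signed by the gateway CA instead of the public CA.
mint_leaf() {   # $1 = hostname taken from the original server certificate
  printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -config "$WORK/ca.cnf" -subj "/CN=$1" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/gw.pem" -CAkey "$WORK/gw.key" \
    -CAcreateserial -days 1 -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# The client's two checks: does the chain end in a root I trust, and does the
# leaf name the host I requested? The gateway's interface never enters into it.
client_accepts() {   # $1 = client trust store (PEM), $2 = hostname requested
  openssl verify -CAfile "$1" -verify_hostname "$2" "$WORK/leaf.pem" >/dev/null 2>&1
}

make_ca gw      # the inspection gateway's CA
make_ca other   # an unrelated CA: a client that never imported the gateway CA
mint_leaf www.example.test
client_accepts "$WORK/gw.pem" www.example.test && echo "gateway CA trusted, name matches: accepted"
client_accepts "$WORK/other.pem" www.example.test || echo "gateway CA not trusted: rejected"
client_accepts "$WORK/gw.pem" other.example.test || echo "name does not match leaf: rejected"
```

The same leaf validates no matter which gateway interface the connection arrived on, because neither the CA certificate nor the leaf refers to the gateway's address.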
