Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Nickel

HTTPS Inspection Setup

Jump to solution

Hello

I am looking for some advice/guidance on HTTPS Inspection Setup.

Currently we use a 3rd party product for our web filtering but we want to look at trialing the Check Point URL/Application Control to replace this.

So far, I have enabled the following blades to work for this, Application Control, URL Filtering, Identity Awareness, Content Awareness, IPS, Anti-Bot & Anti-Virus.

Next on the list to look at is HTTPS Inspection. I want to be careful that when I enable this, I don't want to effect our current filtering with decrypting the traffic. We also have 5 Gateways that I would look at enabling over a few days. I have listed a few steps that I think would work and was seeing if these would make sense?

  • On my first GW, enable HTTPS Inspection.
  • Create a new certificate and enable HTTPS Inspection. It's my understanding, that this certificate could then be used on my 4 other GW's?
  • Check HTTPS inspection Policy and amend the rule I have here for Action - Change to Bypass
  • Push Policy

These steps, it would enable HTTPS Inspection but as I have set the policy rule to Bypass Inspection, it should not effect my current filtering solution.

I could then follow the same type of steps for my other 4 GW's.

Once this has been enabled across my FW estate, I could look at either using Identity Awareness with users or provide IP's to perform some testing. The certificate I generated on the GW for HTTPS Inspection, I would deploy to my test group.  I would also create HTTPS Inspection rules using the source as either my user or IP as above.

I have also watched this video that also suggests some other things like Hold v Background etc

https://community.checkpoint.com/t5/Member-Exclusive-Content/HTTPS-Inspection-Best-Practices-TechTal...

Would this roll out make sense or am I missing some steps here?

Thanks

0 Kudos
2 Solutions

Accepted Solutions
Highlighted
Admin
Admin
What you're creating is the Certificate Authority that the gateway will use to generate "on the fly" site certificates.
I believe this can be shared among gateways.

If you want HTTPS Inspection to occur you need to have at least one rule in the HTTPS Inspection policy with the action Inspect.
Note your last rule should be an Any Any Bypass rule.

But yes, in general, what you're suggesting makes sense.

View solution in original post

Highlighted

A little tip from me, so I was recently affected.

When building the policy, note the order: Top to down

- Bypass IP base (non application / catogorie)

- Bypass with IP and applications / catogories

- Inspected rules

- Clean Up Rule (any any bypass)

 

Dont put a Bypass Rule with  application/catogories on the top.

best regards

Nikolai

View solution in original post

2 Replies
Highlighted
Admin
Admin
What you're creating is the Certificate Authority that the gateway will use to generate "on the fly" site certificates.
I believe this can be shared among gateways.

If you want HTTPS Inspection to occur you need to have at least one rule in the HTTPS Inspection policy with the action Inspect.
Note your last rule should be an Any Any Bypass rule.

But yes, in general, what you're suggesting makes sense.

View solution in original post

Highlighted

A little tip from me, so I was recently affected.

When building the policy, note the order: Top to down

- Bypass IP base (non application / catogorie)

- Bypass with IP and applications / catogories

- Inspected rules

- Clean Up Rule (any any bypass)

 

Dont put a Bypass Rule with  application/catogories on the top.

best regards

Nikolai

View solution in original post