cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post
Highlighted
HUNT_LEE
Iron

Any workaround for this

Currently our Guestnet (for Wifi) cannot stops people from accessing “naughty” HTTPS websites because the checkpoint can’t decrypt the outbound HTTPS traffic from non-corporate devices.

Is there any way to get around this problem? As manually forcing guest users to install our Checkpoint certificate is not feasible / not enforceable, what other options do we have? (reading my mind out aloud, if we upgrade our GWs to R80.20, will SNI fix / bypass this issue so the URL inspection / categorization can be used?)

Cheers,

Hunt

0 Kudos
10 Replies
Admin
Admin

Re: Any workaround for this

Either upgrade to R80.20 with the recent JHF that has the SNI fix or use R80.30+ which also includes it.
Employee++
Employee++

Re: Any workaround for this

Adding to what PhoneBoy wrote you can also refer to sk163594 - What's new in HTTPS Inspection starting from R80.20:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

"Starting in R80.20 and R80.30 latest Jumbo Hotfix Accumulators, HTTPS Inspection offers important new features in the domains of security and usability

To take advantage of these new capabilities, upgrade to R80.20 Jumbo Hotfix Accumulator Take 118 (and higher), or R80.30 Jumbo Hotfix Accumulator Take 111 (and higher)."

 

 

 

Wolfgang
Gold

Re: Any workaround for this

Hunt_Lee,

you're right, as @PhoneBoy mentioned SNI with URL-Filter is your solution without HTTPS-inspection.

Don't forget to enable "categorize HTTPS websites"

APPCL_HTTPS.png

Wolfgang

HUNT_LEE
Iron

Re: Any workaround for this

Hi all,

If i install a public CA certificate (e.g. Verisign, GoDaddy) onto my CheckPoint, and change all the outbound rules to used this new certificate for outbound traffic.

Would then my guest users traffic be able to be inspected by CheckPoint? Or would they still need to install this CA certificate manually by themselves (which is not enforceable).

Cheers,

Hunt

0 Kudos
Wolfgang
Gold

Re: Any workaround for this

Yes, that's possible. If you use an SUB-CA issued from a root CA which is trusted by your client devices everything would be fine.

Any certificate issued from a trusted CA or trusted sub CA will be trusted on you clients. All depends on the trusted root CAs on your clients. You can use the defaults from Windows, Linux, MACs, Android, IOS etc. already installed on your clients or you can install your own. But with your own you have to touch these devices.

Wolfgang.

0 Kudos
Admin
Admin

Re: Any workaround for this

No globally trusted Certificate Authority would issue you a sub-CA for this purpose.
Any time such certificates do manage to get out in the wild, they tend to get banned fairly quickly and generate bad press for the organizations involved.
0 Kudos

Re: Any workaround for this

No Verisign or GoDaddy alike company will give you a Sub CA as that would mean you do not need them anymore to generate certificates.
Most often used Sub-CA is from a Microsoft Certificate server. All Windows machines that trust your AD will also trust that Certificate.

The Guest users still need to trust your AD - CA, or you need to bypass their traffic from HTTPS decryption, based on source network.
Regards, Maarten
0 Kudos
HUNT_LEE
Iron

Re: Any workaround for this

Hi all,

If i have a *.mycompany.com.au certificate issued by Digicert, can i use this certificate as wouldn't the public users trusted the cert issued by a CA like Digicert?

Cheers,

Hunt

0 Kudos
Admin
Admin

Re: Any workaround for this

The certificate used must be a Certificate Authority certificate capable of signing certificates.
What you have is a wildcard certificate, which cannot be used for outbound HTTPS Inspection.
0 Kudos
Wolfgang
Gold

Re: Any workaround for this

Hunt,

I very much apologize for misunderstanding my writing. Yes, the guys here are really right, you can't by such SUB-CA.

I have one customer they did this, but they are the owner of one of these Root-CAs. 

As @PhoneBoy and @Maarten_Sjouw mentioned you have to follow their suggestions and implement your owned Sub-CA.

Wolfgang

0 Kudos