Re: Any workaround for this

HUNT_LEE · ‎2020-02-11

Currently our Guestnet (for Wifi) cannot stops people from accessing “naughty” HTTPS websites because the checkpoint can’t decrypt the outbound HTTPS traffic from non-corporate devices.

Is there any way to get around this problem? As manually forcing guest users to install our Checkpoint certificate is not feasible / not enforceable, what other options do we have? (reading my mind out aloud, if we upgrade our GWs to R80.20, will SNI fix / bypass this issue so the URL inspection / categorization can be used?)

Cheers,

Hunt

PhoneBoy · ‎2020-02-11

Either upgrade to R80.20 with the recent JHF that has the SNI fix or use R80.30+ which also includes it.

Tal_Paz-Fridman · ‎2020-02-11

Adding to what PhoneBoy wrote you can also refer to sk163594 - What's new in HTTPS Inspection starting from R80.20:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

"Starting in R80.20 and R80.30 latest Jumbo Hotfix Accumulators, HTTPS Inspection offers important new features in the domains of security and usability.

To take advantage of these new capabilities, upgrade to R80.20 Jumbo Hotfix Accumulator Take 118 (and higher), or R80.30 Jumbo Hotfix Accumulator Take 111 (and higher)."

Wolfgang · ‎2020-02-11

Hunt_Lee,

you're right, as @PhoneBoy mentioned SNI with URL-Filter is your solution without HTTPS-inspection.

Don't forget to enable "categorize HTTPS websites"

Wolfgang

HUNT_LEE · ‎2020-02-12

Hi all,

If i install a public CA certificate (e.g. Verisign, GoDaddy) onto my CheckPoint, and change all the outbound rules to used this new certificate for outbound traffic.

Would then my guest users traffic be able to be inspected by CheckPoint? Or would they still need to install this CA certificate manually by themselves (which is not enforceable).

Cheers,

Hunt

Wolfgang · ‎2020-02-12

Yes, that's possible. If you use an SUB-CA issued from a root CA which is trusted by your client devices everything would be fine.

Any certificate issued from a trusted CA or trusted sub CA will be trusted on you clients. All depends on the trusted root CAs on your clients. You can use the defaults from Windows, Linux, MACs, Android, IOS etc. already installed on your clients or you can install your own. But with your own you have to touch these devices.

Wolfgang.

PhoneBoy · ‎2020-02-13

No globally trusted Certificate Authority would issue you a sub-CA for this purpose.
Any time such certificates do manage to get out in the wild, they tend to get banned fairly quickly and generate bad press for the organizations involved.

Maarten_Sjouw · ‎2020-02-13

No Verisign or GoDaddy alike company will give you a Sub CA as that would mean you do not need them anymore to generate certificates.
Most often used Sub-CA is from a Microsoft Certificate server. All Windows machines that trust your AD will also trust that Certificate.

The Guest users still need to trust your AD - CA, or you need to bypass their traffic from HTTPS decryption, based on source network.

Regards, Maarten

HUNT_LEE · ‎2020-02-13

Hi all,

If i have a *.mycompany.com.au certificate issued by Digicert, can i use this certificate as wouldn't the public users trusted the cert issued by a CA like Digicert?

Cheers,

Hunt

PhoneBoy · ‎2020-02-13

The certificate used must be a Certificate Authority certificate capable of signing certificates.
What you have is a wildcard certificate, which cannot be used for outbound HTTPS Inspection.

Wolfgang · ‎2020-02-13

Hunt,

I very much apologize for misunderstanding my writing. Yes, the guys here are really right, you can't by such SUB-CA.

I have one customer they did this, but they are the owner of one of these Root-CAs.

As @PhoneBoy and @Maarten_Sjouw mentioned you have to follow their suggestions and implement your owned Sub-CA.

Wolfgang

Are you a member of CheckMates?

Any workaround for this