This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HUNT_LEE
Participant
‎2020-02-11 08:07 PM

Any workaround for this

Currently our Guestnet (for Wifi) cannot stops people from accessing “naughty” HTTPS websites because the checkpoint can’t decrypt the outbound HTTPS traffic from non-corporate devices.

Is there any way to get around this problem? As manually forcing guest users to install our Checkpoint certificate is not feasible / not enforceable, what other options do we have? (reading my mind out aloud, if we upgrade our GWs to R80.20, will SNI fix / bypass this issue so the URL inspection / categorization can be used?)

Cheers,

Hunt

0 Kudos
10 Replies
PhoneBoy
Admin
Admin
‎2020-02-11 08:13 PM

Either upgrade to R80.20 with the recent JHF that has the SNI fix or use R80.30+ which also includes it.
Tal_Paz-Fridman
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2020-02-11 11:07 PM

Adding to what PhoneBoy wrote you can also refer to sk163594 - What's new in HTTPS Inspection starting from R80.20:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

"Starting in R80.20 and R80.30 latest Jumbo Hotfix Accumulators, HTTPS Inspection offers important new features in the domains of security and usability

To take advantage of these new capabilities, upgrade to R80.20 Jumbo Hotfix Accumulator Take 118 (and higher), or R80.30 Jumbo Hotfix Accumulator Take 111 (and higher)."

 

 

 

Wolfgang
MVP Gold
MVP Gold
‎2020-02-11 11:14 PM

Hunt_Lee,

you're right, as @PhoneBoy mentioned SNI with URL-Filter is your solution without HTTPS-inspection.

Don't forget to enable "categorize HTTPS websites"

APPCL_HTTPS.png

Wolfgang

HUNT_LEE
Participant
‎2020-02-12 09:15 PM
In response to Wolfgang

Hi all,

If i install a public CA certificate (e.g. Verisign, GoDaddy) onto my CheckPoint, and change all the outbound rules to used this new certificate for outbound traffic.

Would then my guest users traffic be able to be inspected by CheckPoint? Or would they still need to install this CA certificate manually by themselves (which is not enforceable).

Cheers,

Hunt

0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-02-12 10:27 PM
In response to HUNT_LEE

Yes, that's possible. If you use an SUB-CA issued from a root CA which is trusted by your client devices everything would be fine.

Any certificate issued from a trusted CA or trusted sub CA will be trusted on you clients. All depends on the trusted root CAs on your clients. You can use the defaults from Windows, Linux, MACs, Android, IOS etc. already installed on your clients or you can install your own. But with your own you have to touch these devices.

Wolfgang.

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-13 11:41 AM
In response to HUNT_LEE

No globally trusted Certificate Authority would issue you a sub-CA for this purpose.
Any time such certificates do manage to get out in the wild, they tend to get banned fairly quickly and generate bad press for the organizations involved.
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2020-02-13 02:09 PM
In response to PhoneBoy

No Verisign or GoDaddy alike company will give you a Sub CA as that would mean you do not need them anymore to generate certificates.
Most often used Sub-CA is from a Microsoft Certificate server. All Windows machines that trust your AD will also trust that Certificate.

The Guest users still need to trust your AD - CA, or you need to bypass their traffic from HTTPS decryption, based on source network.
Regards, Maarten
0 Kudos
HUNT_LEE
Participant
‎2020-02-13 02:55 PM
In response to Maarten_Sjouw

Hi all,

If i have a *.mycompany.com.au certificate issued by Digicert, can i use this certificate as wouldn't the public users trusted the cert issued by a CA like Digicert?

Cheers,

Hunt

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-13 03:52 PM
In response to HUNT_LEE

The certificate used must be a Certificate Authority certificate capable of signing certificates.
What you have is a wildcard certificate, which cannot be used for outbound HTTPS Inspection.
0 Kudos
Wolfgang
MVP Gold
MVP Gold
‎2020-02-13 11:10 PM
In response to HUNT_LEE

Hunt,

I very much apologize for misunderstanding my writing. Yes, the guys here are really right, you can't by such SUB-CA.

I have one customer they did this, but they are the owner of one of these Root-CAs. 

As @PhoneBoy and @Maarten_Sjouw mentioned you have to follow their suggestions and implement your owned Sub-CA.

Wolfgang

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events