This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Yevgeniy_Yeryom
Contributor
‎2018-10-04 08:47 AM

HTTPS incoming inspection with static NAT

Hello experts, 

Do you know if there are some limitation in terms of using #HTTPS incoming inspection with static NAT#?

Does some special configuration required when configuring  HTTPS incoming inspection with static NAT?

 

In my LAB as you can see in the logs below:

- incoming inspection without NAT to 10.1.11.3 is inspected,

- incoming inspection with NAT to 10.1.2.10 is NOT inspected.

 

I tried it with static and automatic NAT and became the same result.

 

By the way:

There is an SK on that about automatic NAT problem stating that a HF might be required.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Is a hot fix required?

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2018-10-04 11:03 AM

Did you make the policy changes mentioned in the SK?

If you do that he hotfix should not be required.

0 Kudos
Yevgeniy_Yeryom
Contributor
‎2018-10-05 12:38 AM

Hi,

yes I did. 
As shown in the screenshot, the source IP and destination IP (NAT IP representing the server) are in the same subnet. 

I changed the destination IP to an IP from a different subnet and the HTTPS inspection started to work. Smiley Happy 

To put together, the incoming HTTPS inspection seems to NOT work for the source and destination from the same subnet. I think this is fine for usual use cases. 

0 Kudos
PhoneBoy
Admin
Admin
‎2018-10-05 07:58 AM
In response to Yevgeniy_Yeryom

I'm not familiar with a limitation relating to HTTPS Inspection being not possible in the same subnet.

Clearly, it's possible.

It may be worth a TAC case, particularly if it's a customer situation.

0 Kudos
Yevgeniy_Yeryom
Contributor
‎2018-10-08 06:55 AM
In response to PhoneBoy

Actually it was a test for customer, but customer will use NOT have the clients and firewall in the same subnet. 

So, this behavior is ok for the project. 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events