Ewane_Junior
Participant

HTTPS inspection with trusted certificate

Hello Guys, I need your help regarding https.

We have a Check Point deployment and want to enable HTTPS inspection, but we need a trusted certificate.

Please advise on how/where to get these trusted certificates and which types to use, with details on how to filter sub-HTTPS pages.

Thanks

Regards

8 Replies
Vladimir
Champion

Ewane,

In order to implement HTTPS inspection, you need to use either a root CA or a sub-CA certificate.

The easiest way to get this to work is to issue a self-signed certificate on your Check Point gateway and distribute it to the PCs and servers in your organization via GPO (or install it manually or by script).

Alternatively, if you have an established PKI in your organization, you can create a certificate there and import it into the Check Point gateways.

If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.

I strongly suggest reading the "HTTPS Inspection FAQ" and "HTTPS inspection with 3rd party certificate shows browser error".

PhoneBoy
Admin

If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.

Using such sub-CA keys for HTTPS Inspection purposes is explicitly against the Terms of Service of public CAs.
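
The point both Vladimir and PhoneBoy make is that HTTPS Inspection needs a certificate that can sign other certificates, not a purchased host certificate. As an added example (not from this thread or from Check Point), the script below generates a root CA with the extensions an inspection CA needs and checks a certificate for CA:TRUE and keyCertSign before it is imported; it assumes the openssl CLI is installed and uses illustrative names and paths.

```shell
#!/bin/sh
# Added example, not from the thread: build a root CA suitable for import as an
# HTTPS Inspection CA, and verify that a certificate really is a CA certificate
# (CA:TRUE plus keyCertSign) before importing it. Assumes the openssl CLI.

# gen_cert <key_out> <cert_out> <common_name> <extension_lines>
# Self-signed certificate via "openssl req -x509" with a temporary config file.
gen_cert() {
  cnf="$(mktemp)"
  printf '[req]\ndistinguished_name = dn\nprompt = no\nx509_extensions = ext\n[dn]\nCN = %s\n[ext]\n%s\n' "$3" "$4" > "$cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -days 3650 \
    -keyout "$1" -out "$2" -config "$cnf" >/dev/null 2>&1 || { rm -f "$cnf"; return 1; }
  rm -f "$cnf"
}

# make_inspection_ca <key_out> <cert_out>: a root CA the gateway can sign with
make_inspection_ca() {
  gen_cert "$1" "$2" "Example Corp HTTPS Inspection CA" \
    'basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash'
}

# make_host_cert <key_out> <cert_out>: an end-entity cert, like a purchased host cert
make_host_cert() {
  gen_cert "$1" "$2" "www.example.com" \
    'basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:www.example.com'
}

# is_ca_cert <cert>: succeeds only if the certificate may sign other certificates
is_ca_cert() {
  txt="$(openssl x509 -in "$1" -noout -text 2>/dev/null)" || return 1
  printf '%s\n' "$txt" | grep -q 'CA:TRUE' || return 1
  printf '%s\n' "$txt" | grep -q 'Certificate Sign'
}

# Usage: generate both kinds of certificate, then check each before "importing"
dir="$(mktemp -d)"
make_inspection_ca "$dir/ca.key" "$dir/ca.crt" && is_ca_cert "$dir/ca.crt" \
  && echo "ca.crt: CA certificate, suitable for HTTPS Inspection"
make_host_cert "$dir/host.key" "$dir/host.crt"
is_ca_cert "$dir/host.crt" || echo "host.crt: not a CA certificate, will not work"
rm -rf "$dir"
```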

Vladimir
Champion

You can watch this short video, which illustrates the manual root CA certificate installation process:

https://youtu.be/hzpCxlLTge0

John_Curtiss
Explorer

I found that when using HTTPS inspection, if a sub-HTTPS page is called for certificate exchange in the client hello SNI field, the exchange will fail, as the firewall detects that the first packet is not a SYN. The way I have bypassed this is by downloading the "Application Control Signature Tool" from Check Point. You build your own app from the contents of the SNI field as if it were a Check Point built app. (Unfortunately you cannot add custom categories, so I just use Government.) In my HTTPS inspection policies I bypass Government. It is not perfect, but it is allowing HTTPS inspection to run for all applications. Of course I have to build an app any time something fails.

Ewane_Junior
Participant

Hello John,

It is possible to create a custom category and include all your self-built apps in it instead of using a category Check Point has already assigned.

John_Curtiss
Explorer

How?

Ewane_Junior
Participant

Go to the Application tab.

Click on Applications/Sites.

Click on New and select Category.

Add a name and click Finish.

Now, when you are creating your application, use that new category.

John_Curtiss
Explorer

However, the custom categories do not appear in the list in the ACST.exe tool, only Check Point's standard categories. I am using ACST_v1.3.1.
