Hello guys, I need your help regarding HTTPS.
We have a Check Point deployment and want to enable HTTPS inspection but need a trusted certificate.
Please do advise on how/where to get these trusted certificates and types, with details on how to make filtering sub-HTTPS pages.
Thanks
Regards
Ewane,
In order to implement HTTPS inspection, you need to use either a root or a sub-CA.
The easiest way to get this to work is to issue a self-signed certificate on your Check Point gateway and distribute it to PCs and servers in your organization via GPO (or install it manually or by script).
Alternatively, if you have an established PKI in your organization, you can create a certificate there and import it into the Check Point gateways.
If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.
I strongly suggest reading "HTTPS Inspection FAQ" and "HTTPS inspection with 3rd party certificate shows browser error".
If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.
Using such sub-CA keys for HTTPS Inspection purposes is explicitly against the Terms of Service of public CAs.
You can watch this short video that illustrates the process using manual root CA certificate installation process:
I found that when using HTTPS inspection, if a sub-HTTPS page is called for certificate exchange - in the client hello SNI field - the exchange will fail as the firewall detects the first packet is not a SYN. The way I have bypassed this is downloading the "Application Control Signature Tool" from Check Point. You build your own app from the contents of the SNI field as if it were a Check Point built app. (Unfortunately you cannot add custom categories so I just use Government.) In my HTTPS inspection policies I bypass Government. It is not perfect but it is allowing HTTPS inspection to run for all applications. Of course I have to build an app any time something fails.
Hello John,
It is possible to create a custom category and include all your self-signed built apps instead of using Check Point's already assigned category.
How?
Go to the Application tab.
Click on Applications/Sites.
Click on New and select Category.
Add a name and click Finish.
Now when you are creating your application, use that new category.

However, the custom categories do not appear in the list using the ACST.exe tool. Only Check Point's standard categories. I am using ACST_v1.3.1.