HTTPS inspection with trusted certificate
Hello guys, I need your help regarding HTTPS.
We have a Check Point deployment and want to enable HTTPS inspection, but we need a trusted certificate.
Please advise on how/where to get these trusted certificates and which types, with details on how to filter sub-HTTPS pages.
Thanks
Regards
Ewane,
In order to implement HTTPS inspection, you need to use either a root CA or a sub-CA certificate.
The easiest way to get this to work is to issue a self-signed certificate on your Check Point gateway and distribute it to the PCs and servers in your organization via GPO (or install it manually or by script).
Alternatively, if you have an established PKI in your organization, you can create the certificate there and import it into the Check Point gateways.
If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.
I strongly suggest reading the HTTPS Inspection FAQ and the article "HTTPS inspection with 3rd party certificate shows browser error".
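As an added example (written for this edit; it is not the poster's, Check Point's, or anything from this thread), the shell script below shows the property that decides whether a certificate can be used for HTTPS inspection at all. The gateway signs a substitute certificate for every site a client visits, so the certificate it holds must be a CA certificate (basicConstraints CA:TRUE with the keyCertSign key usage). A web-server certificate bought from a public CA has CA:FALSE and cannot sign anything, which is why the advice above says it will not work. The script builds its own constructed certificates with the openssl CLI (assumed to be on PATH, version 1.1.1 or later for `-addext`): a self-signed root like the one a gateway generates, and a leaf for a hostname like the one a public CA sells. It then classifies both and exports the CA as a DER `.cer`, the form a GPO trusted-root import accepts. It does not model the gateway's own export step, which this thread does not describe.

```shell
#!/bin/sh
# Added example (not from the CheckMates thread or Check Point): tell a CA
# certificate usable for HTTPS inspection apart from a leaf/host certificate,
# and export the CA in DER form for distribution to Windows trust stores.
# Assumes the openssl CLI (1.1.1 or later, for -addext) is on PATH.
set -eu

# Return 0 if the PEM certificate in $1 is a CA certificate that may sign
# other certificates (basicConstraints CA:TRUE and keyUsage keyCertSign),
# 1 if it is a leaf/host certificate, 2 if the file does not parse.
is_inspection_ca() {
    text=$(openssl x509 -in "$1" -noout -text 2>/dev/null) || return 2
    printf '%s\n' "$text" | grep -q 'CA:TRUE' || return 1
    printf '%s\n' "$text" | grep -q 'Certificate Sign' || return 1
    return 0
}

# Export a PEM certificate to DER (.cer), the form a GPO "Trusted Root
# Certification Authorities" import takes. Prints the output path.
export_for_gpo() {
    out="${1%.pem}.cer"
    openssl x509 -in "$1" -outform DER -out "$out"
    printf '%s\n' "$out"
}

# Build two constructed certificates for the demonstration:
#   - a self-signed root CA like the one an inspection gateway would generate
#   - a leaf certificate for a hostname, i.e. what a public CA sells you
# Sets DEMO_CA_PEM and DEMO_LEAF_PEM. Names and subjects are made up.
make_demo_certs() {
    dir=$(mktemp -d)
    DEMO_CA_PEM="$dir/inspection-ca.pem"
    DEMO_LEAF_PEM="$dir/www-example-com.pem"

    openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/inspection-ca.key" -out "$DEMO_CA_PEM" -days 365 \
        -subj "/CN=Example Corp HTTPS Inspection CA" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null

    openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$dir/www-example-com.key" -out "$dir/leaf.csr" \
        -subj "/CN=www.example.com" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature\nextendedKeyUsage=serverAuth\n' \
        > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/leaf.csr" -CA "$DEMO_CA_PEM" \
        -CAkey "$dir/inspection-ca.key" -CAcreateserial -days 365 \
        -extfile "$dir/leaf.ext" -out "$DEMO_LEAF_PEM" 2>/dev/null
}

# Print a one-line verdict for a certificate file.
describe() {
    if is_inspection_ca "$1"; then
        echo "$1: CA certificate, usable for HTTPS inspection"
    else
        echo "$1: leaf/host certificate, cannot sign the gateway's substitute certificates"
    fi
}

# Stand-alone run: classify both certificates and export the CA.
make_demo_certs
describe "$DEMO_CA_PEM"
describe "$DEMO_LEAF_PEM"
export_for_gpo "$DEMO_CA_PEM"
```

Run `is_inspection_ca` against any certificate you intend to import into the gateway before going further; if it returns 1, the certificate is a host certificate and no amount of configuration will make it sign. The `.cer` that `export_for_gpo` writes is what you attach under Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities in the GPO that Vladimir mentions.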
If you were thinking about using a host certificate purchased from one of the vendors such as Comodo, GoDaddy, etc., this will not work.
Using such sub-CA keys for HTTPS Inspection purposes is explicitly against the Terms of Service of public CAs.
You can watch this short video, which illustrates the manual root CA certificate installation process:
I found that when using HTTPS inspection, if a sub-HTTPS page is called for certificate exchange (in the client hello SNI field), the exchange will fail, as the firewall detects that the first packet is not a SYN. The way I have bypassed this is by downloading the "Application Control Signature Tool" from Check Point. You build your own app from the contents of the SNI field, as if it were a Check Point built-in app. (Unfortunately you cannot add custom categories, so I just use Government.) In my HTTPS inspection policies I bypass Government. It is not perfect, but it is allowing HTTPS inspection to run for all applications. Of course, I have to build an app any time something fails.
Hello John,
It is possible to create a custom category and include all your self-built apps in it, instead of using a category Check Point has already assigned.
How?
Go to the Application tab.
Click on Applications/Sites.
Click on New and select Category.
Add a name and click Finish.
Now, when you are creating your application, use that new category.
However, the custom categories do not appear in the list in the ACST.exe tool, only Check Point's standard categories. I am using ACST_v1.3.1.
