Inbound HTTPS Inspection - Custom client certificate required

Hi Everyone!

We have a use case where we need to deploy inbound HTTPS Inspection for a specific web service that uses a non-standard port.

Gateways and management are both running R80.40.

Initially we are seeing a Bypass with the following error: "Internal system error in HTTPS Inspection (Error Code: 2)"

One of the possible causes is that the root certificate is not trusted; however, the customer is using the same cert in other inbound inspection rules without issues.

While troubleshooting we found that the backend application requires the client to send a specific certificate.
Since we are doing a man-in-the-middle (MITM) for inspection, it's obvious that the connection between the Gateway and the server will have the Check Point self-signed certificate, not the one required by the application.

[Image: SSl.png]

I know that this use case can be solved with an ADC such as F5, Netscaler, A10.

Questions:

- Can we do it with Check Point? I didn't find a proper way of using specific client certificates (not server certs) for specific connections within the admin guides or SKs.

- Can "Internal system error in HTTPS Inspection (Error Code: 2)" be related to this issue? An HTTPS debug is not possible for the moment due to maintenance window requirements.

Thanks!

____________
https://www.linkedin.com/in/federicomeiners/
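The point in the question above (the gateway terminates the client's TLS session and re-originates its own to the backend, so the backend never sees the application's client certificate) can be shown with a small model of the handshake. This is an added example written for this thread, not Check Point code or a description of the gateway's internals. It assumes a Lamport one-time signature (built from SHA-256) as a stand-in for the RSA/ECDSA key behind a real client certificate, because the only property that matters here is that a signature over a fresh nonce can be produced only by the holder of the private key. The party names, the `alert: handshake_failure` string and the four scenarios are constructed for illustration. It goes a little beyond the thread: it also covers the case that makes the customer's other inbound rules work (backend does not request a client certificate) and shows that forwarding a proof captured on the client-side leg does not help either, since that proof is bound to the gateway's own nonce.

```python
import hashlib
import secrets

# Lamport one-time signature (constructed stand-in for the client certificate's RSA/ECDSA key).
# Private key: 256 pairs of random preimages. Public key: their SHA-256 hashes.

def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def keygen():
    sk = [(secrets.token_bytes(32), secrets.token_bytes(32)) for _ in range(256)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk

def _bits(msg: bytes):
    digest = _h(msg)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(256)]

def sign(sk, msg: bytes):
    """Reveal one preimage per message bit. One-time: never sign two messages with one key."""
    return [sk[i][bit] for i, bit in enumerate(_bits(msg))]

def verify(pk, msg: bytes, sig) -> bool:
    if len(sig) != 256:
        return False
    return all(_h(piece) == pk[i][bit] for i, (piece, bit) in enumerate(zip(sig, _bits(msg))))

class Backend:
    """The web service. With require_client_cert=True it accepts only enrolled peers that prove possession of their key."""
    def __init__(self, require_client_cert: bool):
        self.require_client_cert = require_client_cert
        self.trusted = {}                     # client name -> public key ("issued by our CA")

    def enroll(self, name: str, pk):
        self.trusted[name] = pk

    def handshake(self, peer) -> str:
        if not self.require_client_cert:
            return "ok"                       # like the customer's other inbound rules
        nonce = secrets.token_bytes(32)       # fresh per handshake, like the TLS randoms
        cert_name, sig = peer.certificate_verify(nonce)
        pk = self.trusted.get(cert_name)
        if pk is None or not verify(pk, nonce, sig):
            return "alert: handshake_failure" # constructed label for the failed second leg
        return "ok"

class Client:
    """Holds the application client certificate and its private key."""
    def __init__(self, name: str):
        self.name = name
        self.sk, self.pk = keygen()

    def certificate_verify(self, nonce: bytes):
        return self.name, sign(self.sk, nonce)

    def connect(self, server: Backend) -> str:
        return server.handshake(self)

class InspectingGateway:
    """Inbound HTTPS Inspection: terminates the client's TLS session, then opens a second
    TLS session to the backend with its own self-signed certificate. It never holds the client's key."""
    def __init__(self, forward_captured: bool = False):
        self.name = "gateway-self-signed"
        self.sk, self.pk = keygen()
        self.forward_captured = forward_captured
        self.captured = None

    def connect(self, client: Client, server: Backend) -> str:
        # Leg 1: even if the gateway asks for the client cert, it only gets a proof bound to its own nonce.
        self.captured = client.certificate_verify(secrets.token_bytes(32))
        # Leg 2: the backend issues its own nonce and checks whoever is on the other end.
        return server.handshake(self)

    def certificate_verify(self, nonce: bytes):
        if self.forward_captured:
            return self.captured              # bound to the wrong nonce: verification fails
        return self.name, sign(self.sk, nonce)  # not enrolled at the backend: rejected

def inbound_rule(client: Client, server: Backend, gateway: InspectingGateway, bypass: bool) -> str:
    return client.connect(server) if bypass else gateway.connect(client, server)

def run_scenarios() -> dict:
    """Fresh parties per scenario because the toy keys are one-time."""
    results = {}
    for label, requires_cert, bypass, forward in [
        ("inspect, no client cert required", False, False, False),
        ("inspect, client cert required", True, False, False),
        ("inspect, forward captured proof", True, False, True),
        ("bypass, client cert required", True, True, False),
    ]:
        backend = Backend(require_client_cert=requires_cert)
        client = Client("app-client")
        backend.enroll(client.name, client.pk)
        results[label] = inbound_rule(client, backend, InspectingGateway(forward), bypass)
    return results
```

Running `run_scenarios()` gives `ok` for the first and last scenarios and `alert: handshake_failure` for the two inspected ones against a backend that requires a client certificate, which is the same split the question describes: the shared root certificate is fine wherever the backend does not request client authentication, and only a bypass (end-to-end TLS) lets the application's own certificate reach the server.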
1 Solution

Accepted Solutions
Admin

AFAIK, we do not have such functionality available. Try raising an RFE with your local Check Point team. Meanwhile, you will have to create a bypass rule for this application to work.

2 Replies

Valeri,

Thanks for the quick response! Just wanted to be sure of my assumptions.

It would be a nice feature; however, it's not the job of an NGFW 🙂

Will work on the RFE with my local SE.

Thanks!

Federico
