goh_wei_ming
Explorer

HTTPS inspection for IPS incoming traffic with third-party CA

Hi All,

I have a deployment of CloudGuard on AWS and the requirement is to perform HTTPS inspection on incoming IPS traffic.

There is a web server behind the CloudGuard using a third-party signed cert.

Here comes my question: in order to enable HTTPS inspection, we need to create/import an outbound cert. Should I just create an outbound cert and then import the third-party CA for inbound traffic?

As the outbound cert we created will not be installed on the web server, will it cause SSL errors?

Or can I just import the third-party CA as both the outbound and inbound cert?

I remember I saw an SK regarding inbound HTTPS inspection; it mentions just creating an outbound cert and then configuring the policy in the HTTPS Inspection tab to Any. Does it apply to my scenario, as my deployment is using a third-party cert?

Besides that, how can we verify that the HTTPS traffic is being inspected and that IPS worked for the incoming traffic, as normally we have an AWS WAF to protect the perimeter?

4 Replies
Wolfgang
Authority

You have to import your web server certificate under "Server Certificates" in the HTTPS Inspection pane in SmartDashboard.

Have a look at

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and in the documentation

http://dl3.checkpoint.com/paid/74/744abff1d8aebf926a15824e26a6fd7b/CP_R80.20_GA_ThreatPrevention_Adm...

In the section "Using Threat Prevention with HTTPS Traffic" you'll find a very good explanation of how to configure inbound HTTPS inspection.


goh_wei_ming
Explorer

Hi Wolfgang,

Yeah, thanks for the guide, but what about the outbound? Can we still import the same cert, or just create a dummy cert since we are not using it? If we create a dummy cert but it is not installed on the web server, will it encounter an SSL error?

Besides that, how can we verify that it has been inspected by HTTPS inspection? We know it will be inspected, but the customer requested that we show them in the logs.

PhoneBoy
Admin

For outbound traffic, you need a Certificate Authority key capable of generating certificates on the fly. We generate one for you if you don’t provide one, which should be safe in this case.
Wolfgang
Authority

As Dameon mentioned, you have to install a Sub-CA for generating new certificates for outbound HTTPS connections.

Your clients have to trust this Sub-CA to avoid browser warnings. But you don't need this if you only want to do HTTPS inspection for incoming traffic to your web server.

If you define a filter like blade:"HTTPS Inspection" you get the logs:

[Attached screenshot: https-inspection.PNG]
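Besides the log filter, the original question about SSL errors can be settled from the client side: after inbound inspection is enabled, the certificate clients see must still be the imported third-party server certificate, not one minted by the gateway's outbound Sub-CA. The script below is an added example, not code from the thread or from Check Point; WEB_HOST, EXPECTED_ISSUER and the sample handshake output are constructed assumptions.

```shell
#!/bin/sh
# Added example: check which certificate the gateway presents on an inbound
# HTTPS connection and whether the chain verifies from a client's point of view.
# Placeholders (assumptions): WEB_HOST is the public name of the web server
# behind the gateway; EXPECTED_ISSUER is a substring of the third-party CA's DN.
WEB_HOST="www.example.test"
EXPECTED_ISSUER="Third Party CA"

# Capture the handshake details openssl s_client reports for one host/port.
# Output contains "issuer=..." and "Verify return code: N (...)" lines.
probe_host() {  # $1 host, $2 port
  printf '' | openssl s_client -connect "$1:$2" -servername "$1" 2>/dev/null
}

# Classify captured s_client output.
# Returns 0: issuer is the expected third-party CA and the chain verified.
# Returns 1: the leaf was issued by some other CA (e.g. the gateway's
#            outbound Sub-CA), which browsers without that CA would reject.
# Returns 2: issuer is right but the chain did not verify (e.g. missing
#            intermediate in the imported server certificate bundle).
classify_presentation() {  # $1 s_client output, $2 expected issuer substring
  issuer=$(printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1)
  verify=$(printf '%s\n' "$1" | sed -n 's/^Verify return code: //p' | head -n 1)
  case "$issuer" in
    *"$2"*) ;;
    *) echo "unexpected issuer: $issuer"; return 1 ;;
  esac
  case "$verify" in
    "0 (ok)") echo "third-party cert presented, chain ok"; return 0 ;;
    *) echo "chain problem: $verify"; return 2 ;;
  esac
}

# Constructed sample of what s_client prints when the gateway presents a
# certificate minted by its own outbound CA instead of the imported one.
SAMPLE_GATEWAY_CA='subject=CN = www.example.test
issuer=O = Gateway Outbound CA, CN = Gateway Outbound CA
---
Verify return code: 21 (unable to verify the first certificate)'

# Run against the constructed sample, then (if reachable) the live host.
demo() {
  classify_presentation "$SAMPLE_GATEWAY_CA" "$EXPECTED_ISSUER"
  classify_presentation "$(probe_host "$WEB_HOST" 443)" "$EXPECTED_ISSUER"
}
```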
