genisis__
Advisor

Checkpoint updates through third-party proxy that does SSL inspection

Hi,

I'm attempting to get Checkpoint updates working through a proxy (Fortigate) which does SSL inspection. At present the updates are not working, and I believe this is because the certificate being presented back to the SMS is the Fortigate one (man-in-the-middle).

I believe that when Checkpoint updates flow through an SSL inspection device the updates fail, so there must be a logical solution to this. I suspect adding a cert to the ca-bundle.crt file may be required, but that is a guess and clearly may not be a supported method.

I could add a bypass on the Fortigate, but our policy requires SSL inspection to be done.

I've raised a TAC case as well.

PhoneBoy
Admin

I wouldn’t be surprised if we employ certificate pinning here, in which case the only option is a bypass rule.

genisis__
Advisor

That would make sense, let's see what TAC come back with. I did find sk112214, which does mention certificate pinning, but Checkpoint is not listed.

After conducting a packet capture I found that the Fortigate was presenting its certificate to the Checkpoint, so basically we need to import the cert into the trust store on the Checkpoint device, similar to adding a certificate from a Checkpoint GW doing SSL inspection to the trust store of a browser.

I was also thinking about adding the GlobalSign Root/Intermediate CA certs (the *.checkpoint.com wildcard cert is signed by them) into the Fortigate, but without a private key this would not work; not sure if it is possible to export this info from the SMS.

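The situation described in this thread (an inspecting proxy re-signs the update server's certificate with its own CA, so the client's trust bundle rejects the chain until that CA is added to it) can be reproduced in a lab with nothing but openssl. The script below is an added example written for this page; it is not Check Point or Fortinet code and makes no claim about how the SMS update client actually validates certificates. Everything in it is constructed: a throwaway "inspection CA", a leaf certificate for the placeholder host updates.example.invalid, and a stand-in ca-bundle.crt containing only an unrelated root. It shows the two checks a practitioner wants when diagnosing this: read the issuer of the certificate the client actually received (an inspection CA issuer is the tell-tale sign of interception), and verify the chain against the trust bundle before and after the CA is appended.

```shell
#!/bin/sh
# Added example: reproduce "SSL inspection breaks certificate validation" offline.
# All certificates here are constructed in a temp directory; nothing is real.

LAB="${LAB:-$(mktemp -d)}"

# Build the lab: an inspection CA, a leaf it signed for a placeholder update
# host, and a trust bundle that knows only about an unrelated public root.
make_lab() {
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$LAB/inspection-ca.key" -out "$LAB/inspection-ca.crt" \
    -subj "/CN=Constructed Inspection CA" >/dev/null 2>&1
  openssl req -newkey rsa:2048 -nodes -sha256 \
    -keyout "$LAB/leaf.key" -out "$LAB/leaf.csr" \
    -subj "/CN=updates.example.invalid" >/dev/null 2>&1
  openssl x509 -req -in "$LAB/leaf.csr" \
    -CA "$LAB/inspection-ca.crt" -CAkey "$LAB/inspection-ca.key" \
    -CAcreateserial -days 1 -out "$LAB/leaf.crt" >/dev/null 2>&1
  # Stand-in for the client's ca-bundle.crt: one unrelated root, no inspection CA.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -keyout "$LAB/public-root.key" -out "$LAB/ca-bundle.crt" \
    -subj "/CN=Constructed Public Root" >/dev/null 2>&1
}

# Print the issuer of a certificate; an inspection-CA issuer on a cert that
# should come from a public CA is the packet-capture finding from the thread.
leaf_issuer() {
  openssl x509 -in "$1" -noout -issuer
}

# Return 0 if the leaf ($2) chains to a root in the bundle ($1), else non-zero.
chain_verifies() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# Append a CA certificate ($2) to a PEM trust bundle ($1).
add_ca_to_bundle() {
  cat "$2" >> "$1"
}

# Stand-alone walkthrough.
make_lab
echo "Presented certificate issuer: $(leaf_issuer "$LAB/leaf.crt")"
if chain_verifies "$LAB/ca-bundle.crt" "$LAB/leaf.crt"; then
  echo "Before: chain verifies (unexpected)"
else
  echo "Before: chain does NOT verify against ca-bundle.crt"
fi
add_ca_to_bundle "$LAB/ca-bundle.crt" "$LAB/inspection-ca.crt"
if chain_verifies "$LAB/ca-bundle.crt" "$LAB/leaf.crt"; then
  echo "After adding the inspection CA: chain verifies"
else
  echo "After adding the inspection CA: still fails (unexpected)"
fi
```

The "before" failure is the symptom from the original post; the "after" success is the trust-store import described in the second reply. Whether that import is supported on a given product, and whether the client additionally pins the expected certificate (in which case no bundle change helps), is exactly the question left open for TAC in the thread.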