This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
genisis__
Leader Leader
Leader
‎2021-02-03 01:31 PM

Checkpoint updates through third-party proxy that does SSL inspection

Hi,

I'm attempting to get Checkpoint updates working through a Proxy (Fortigate) which does SSL inspection.  At present the updates are not working and I believe this is because of the certificate being presented back to SMS is the Fortigate one (Man-In-Middle).

I believe when Checkpoint Updates are flowing through a SSL inspection device the updates fail so there must be a logical solution to this.  I'm suspecting add a cert to the ca-bundle.crt file may be required, but that is a guess and clearly may not be a supported method.

I could add a bypass on the Fortigate but our policy required SSL inspection to be done.

I've raised a TAC case as well.

0 Kudos
2 Replies
PhoneBoy
Admin
Admin
‎2021-02-03 02:12 PM

I wouldn’t be surprised if we employ certificate pinning here, in which case the only option is a bypass rule.

0 Kudos
genisis__
Leader Leader
Leader
‎2021-02-04 01:01 AM
In response to PhoneBoy

That would make sense, lets see what TAC come back with.  I did find sk112214 which does mention certificate pinning, but Checkpoint is not listed.

After conducting a packet capture I found that the Fortigate was presenting its certificate to the Checkpoint, so basically we need to import the cert into the trust store on the Checkpoint device,  similar to adding a certificate from a Checkpoint GW doing SSL inspection to the trust store of a browser.

I was also thinking about adding the GlobalSign Root/Intermitted CA certs (The *.checkpoint.com wildcard cert is signed by them) into the Fortigate, but without a private key this would not work., not sure if it possible to export this info from the SMS.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events