Nickel

HTTPS INSPECTION SHA1 to SHA256

Hi

Found that the Check Point HTTPS Inspection cert is SHA1 and, as it is outdated, should move forward to SHA256. Followed sk115894, but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.

13 Replies
Admin

You can replace the certificate, you know?
What software release?
0 Kudos
Nickel

It's R80.30 with Take 76.

Can you please brief on how to replace the existing SHA1 certificate, as it's in production now.

0 Kudos
Silver

Wondering if Stage 6 has been done, which requires installing the new SHA-256 cert into the Trusted Root CA folder on the Windows machines.

If I'm reading right, then you have updated the cert but the machines are not trusting the certificates from the new certificate, which points to the new cert not being trusted.

0 Kudos
Nickel

The certificate .crt is already added to the Trusted Root Certificate store.

0 Kudos
Silver

If the new SHA-256 cert is in the Trusted Root CA folder then you will need to investigate on the client machines why they are not trusting the new Root CA even though it was added as a trusted Root CA certificate.

0 Kudos
Nickel

Created a different lab and tested, and am getting the same error message. I think some configuration for installing the certificate is missing in the Dashboard.

0 Kudos
Silver

You are going to have to list out exactly, step by step, what was done then, as the SK seems to contain what to do when reading through:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It shows a little more about having to open an R80.x SmartDashboard for the HTTPS Inspection Policy, but once in there it is the same as on R77.x in the SK.

I would think that Check Point takes it as a given that you need to install the policy afterwards for it to take effect, as it is hammered into everyone that when you make a change you need to install policy afterwards.

If you haven't finished importing the SHA-256 cert then you would still be using the SHA-1, which presumably you had working fine, so you wouldn't get any errors still.

So how have you exported the certificate and then distributed it to the client machines? If the client PC is not trusting the certs then it looks as though it is either not in the Trusted Root CA store on the machine or hasn't been imported to the machine properly, for which you should be looking more at the PC rather than Check Point.
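One thing worth checking on both sides of this procedure is which hash the CA certificate is actually signed with: the .crt exported from the gateway and the copy sitting in the client's Trusted Root store should both report a SHA-256 signature algorithm, otherwise the old SHA-1 CA is still in play. The script below is an added example and not part of this thread or any Check Point tool; it is a small pure-stdlib DER reader that pulls the signatureAlgorithm OID out of an X.509 certificate (PEM or DER) and names it. The `build_toy_cert` helper only constructs a minimal, constructed certificate skeleton so the script runs offline; in practice you would pass the bytes of the exported .crt to `signature_algorithm()`.

```python
import base64
import re

# Signature-algorithm OIDs (RFC 3279 / RFC 4055 / RFC 5758).
SIG_ALG_NAMES = {
    "1.2.840.113549.1.1.5": "sha1WithRSAEncryption",
    "1.2.840.113549.1.1.11": "sha256WithRSAEncryption",
    "1.2.840.113549.1.1.12": "sha384WithRSAEncryption",
    "1.2.840.113549.1.1.13": "sha512WithRSAEncryption",
    "1.2.840.10045.4.1": "ecdsa-with-SHA1",
    "1.2.840.10045.4.3.2": "ecdsa-with-SHA256",
}

# DER-encoded OID content bytes, used only by the constructed sample certs.
SHA1_RSA_OID = bytes.fromhex("2a864886f70d010105")
SHA256_RSA_OID = bytes.fromhex("2a864886f70d01010b")


def read_tlv(buf, pos):
    """Read one DER tag-length-value at pos.
    Returns (tag, value_start, value_end, position after the element)."""
    tag = buf[pos]
    pos += 1
    length = buf[pos]
    pos += 1
    if length & 0x80:  # long-form length: low 7 bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length, pos + length


def decode_oid(raw):
    """Decode DER OID content bytes into dotted-decimal form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:  # last byte of a base-128 arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def pem_to_der(data):
    """Accept PEM or DER input; return DER bytes."""
    if data.lstrip().startswith(b"-----BEGIN"):
        body = re.sub(rb"-----[^-]+-----", b"", data)
        return base64.b64decode(b"".join(body.split()))
    return data


def signature_algorithm(cert_bytes):
    """Return (oid, name) of the certificate's outer signatureAlgorithm field.
    Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }"""
    der = pem_to_der(cert_bytes)
    tag, start, _, _ = read_tlv(der, 0)        # outer Certificate SEQUENCE
    assert tag == 0x30, "not a DER SEQUENCE"
    tag, _, _, pos = read_tlv(der, start)      # skip tbsCertificate
    assert tag == 0x30, "tbsCertificate missing"
    tag, alg_start, _, _ = read_tlv(der, pos)  # AlgorithmIdentifier SEQUENCE
    assert tag == 0x30, "signatureAlgorithm missing"
    tag, oid_start, oid_end, _ = read_tlv(der, alg_start)
    assert tag == 0x06, "algorithm OID missing"
    oid = decode_oid(der[oid_start:oid_end])
    return oid, SIG_ALG_NAMES.get(oid, "unknown")


def is_sha1_signed(cert_bytes):
    """True when the certificate still carries a SHA-1 based signature."""
    return "sha1" in signature_algorithm(cert_bytes)[1].lower()


def der_len(n):
    """Encode a DER length (short or long form)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def build_toy_cert(sig_oid):
    """Constructed sample: a Certificate-shaped DER with a placeholder
    tbsCertificate and signatureValue, used only to exercise the parser."""
    tbs = b"\x30\x03\x02\x01\x02"                      # SEQUENCE { INTEGER 2 }
    alg_body = b"\x06" + der_len(len(sig_oid)) + sig_oid + b"\x05\x00"
    alg = b"\x30" + der_len(len(alg_body)) + alg_body  # AlgorithmIdentifier
    sig = b"\x03\x02\x00\x00"                          # BIT STRING placeholder
    body = tbs + alg + sig
    return b"\x30" + der_len(len(body)) + body


if __name__ == "__main__":
    for label, oid in (("old", SHA1_RSA_OID), ("new", SHA256_RSA_OID)):
        cert = build_toy_cert(oid)
        print(label, signature_algorithm(cert), "SHA-1?", is_sha1_signed(cert))
```

On a Windows client the same question can be answered from the certificate properties dialog (the "Signature hash algorithm" field), but running this over the exported .crt before distributing it confirms that the file being pushed is really the SHA-256 CA and not a re-export of the old one.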

Nickel

After enabling PBR, HTTPS Inspection is not working on the interface where PBR is enabled. Is there any limitation in HTTPS Inspection with PBR? I am able to get the certificate, but the page takes too much time to load and quite often doesn't load. The external interface without PBR works perfectly fine.

I could see traffic flowing through both external interfaces when HTTPS Inspection is enabled.

0 Kudos
Silver

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

The following features/blades are not supported with PBR:

  • IPv6
  • URL Filtering
  • IPS
  • Locally-generated traffic
  • Security Servers
  • Data Loss Prevention (DLP) blade
  • VPN Domain Based
  • VPN Route Based
  • Anti-Spam blade
  • Mail Transfer Agent (MTA) (relevant for Threat Emulation/Threat Extraction/Data Loss Prevention/Anti-Spam blades)
  • ISP Redundancy
  • The following applications (which use Check Point Active Streaming [CPAS]):
    • VoIP (H323, SIP, Skinny, etc.)
    • HTTPS Inspection
    • HTTP Header Spoofing
    • HTTP Proxy
    • IMAP in IPS


HTTPS Inspection is listed there. Cannot do HTTPS Inspection with PBR. Pretty much all you can run on a Check Point with PBR enabled is the Firewall blade.

0 Kudos
Nickel

Thank you so much for your reply.

I have seen this SK before, but some of our customers are using HTTPS Inspection with PBR successfully on the same version.

Even IPS and URLF were working fine over there. I could see PBR traffic with IPS events in the logs.

We had created a test lab and tested, and the test was a success.

What I had noticed in the production environment is "PBR NAT IP is again coming as a source on the next external interface with the same destination IP".

Is there any way we can avoid the situation mentioned above in double quotes?

0 Kudos
Nickel

Hi,

Can you please confirm whether sk100500 is relevant or not, as PBR works with HTTPS Inspection in some environments and creates issues in others. Is the SK relevant?


0 Kudos
Silver

Yes, the SK article is VERY relevant, as it quite clearly says NOT SUPPORTED. That is not to be confused with DOES NOT WORK.

So you are running in an unsupported configuration when running HTTPS Inspection and configuring PBR.


0 Kudos