
Inbound HTTPS Inspection

Have any of you guys managed to configure inbound HTTPS Inspection on R77.20?

I want to do it between two internal hosts and I seem to miserably fail to achieve it 😁

12 Replies
Iron

Hi,

I am guessing that you are asking about SMB appliances.

If the device is locally managed, then it is not supported. If it is centrally managed, then it is supported.

You can find more details at the link below.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Regards,

Mario

0 Kudos
Iron

Update to R80.30!

0 Kudos
Admin

The SMB appliances have a slightly different code base.
These cannot be upgraded to R80.30.
0 Kudos

Thanks for your comments, guys. I forgot to mention I am asking about a centrally managed 1470 appliance. I know it is supported, I just want someone that actually did it and can confirm it works.

0 Kudos

It works fine from external hosts to internal.

I had many issues with internal to internal inspection. It seems that, besides presenting the server certificate, the gateway also tried to generate an outbound certificate, doing a double inspection or something like this.

Thanks Pedro, that confirms my observations. Unfortunately I have Nginx that serves a few internal hosts, so inspection before it is not possible.

0 Kudos

So traffic hits the NGINX server before going to the gateway for SSL inspection?
For that to work, I think the interface that connects to the NGINX would have to be configured as external.
0 Kudos

INTERNET --> CPFW --> NGINX --> WEB 1 .. N

Each WEB server has its own certificate.

0 Kudos

What about using wildcard certificates or multiple alternate names?

0 Kudos

Not an option unfortunately. And I am not sure it is supported on SMB.

0 Kudos

Then I guess you'll need to have NGINX in a separate network defined as EXTERNAL and do this:

INTERNET --> CPFW --> NGINX --> CPFW (SSL inspection) --> WEB 1 .. N


Yeah, that seems to be the only option for the time being. Thanks for giving that idea.

0 Kudos