This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-05 10:17 PM

Inbound HTTPS Inpsection

Any of you guys managed to configure inbound HTTPS Inspection on R77.20?

I want to do it between two internal hosts and I seem to miserably fail to achieve it 😁

12 Replies
MarioB_1
Participant
‎2020-03-06 02:43 AM

Hi,

I am guessing, that you are asking for SMB appliances.

If the device is localy managed, than it is not supported. If it is centraly managed, than it is suppored.

More details you can find on bellow link.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

Regards,

Mario

0 Kudos
TomTom
Participant
‎2020-03-06 05:38 AM

Update to R80.30!

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-06 08:01 AM
In response to TomTom

The SMB appliances have a slightly different code base.
These cannot be upgraded to R80.30.
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-06 08:05 AM
In response to PhoneBoy

Thanx for your comments guys. I forgot to mention I am asking about centrally managed 1470 appliance. I know it is supported, I just want someone that actually did it and can confirm it works.

0 Kudos
Pedro_Espindola
Employee
Employee
‎2020-03-06 09:17 AM

It works fine from external hosts to internal.

I had many issues with internal to internal inspection. It seems besides presenting the server certificate the gateway also tried to generated an outbound certificate, doing a double inspection or something like this.

HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-06 09:23 AM
In response to Pedro_Espindola

Thanx Pedro, that confirms my observations. Unfortunately I have Nginx that serves few internal host so inspection before it is not possible.

0 Kudos
Pedro_Espindola
Employee
Employee
‎2020-03-06 09:33 AM
In response to HristoGrigorov

So traffic hits the NGINX server before going to the gateway for ssl inspection?
For that to work, I think the interface that connects to the NGINX would have to be configured as external.
0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-06 09:44 AM
In response to Pedro_Espindola

INTERNET --> CPFW --> NGINX --> WEB 1 .. N

Each WEB server has its own certificate.

0 Kudos
Pedro_Espindola
Employee
Employee
‎2020-03-10 12:28 PM
In response to HristoGrigorov

What about using wildcard certificates or multiple alternate names?

0 Kudos
HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-10 09:23 PM
In response to Pedro_Espindola

Not an option unfortunately. And I am not sure it is supported on SMB.

0 Kudos
Pedro_Espindola
Employee
Employee
‎2020-03-11 07:49 AM
In response to HristoGrigorov

Then I guess you'll need to have NGINX in a separate network defined as EXTERNAL and do this:

INTERNET --> CPFW --> NGINX --> CPFW (SSL inspection) --> WEB 1 .. N

HristoGrigorov
MVP Gold
MVP Gold
‎2020-03-11 09:25 AM
In response to Pedro_Espindola

Yeah, that seems to be the only option for the time being. Thanx for giving that idea.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events