This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
superd
Contributor
‎2022-05-05 11:37 AM

Checkpoint URLF Block Page Certificate

Hi,

I have enabled Checkpoint URLF with HTTPS Inspection enabled. All is working fine, except I am getting cert trust issues with the block page. (R80.40)

Can anyone advise how I export this block page cert so I can trust it in users browsers? Or if there is some other guidance?

Also, is enabling UserCheck required in order to serve the block page, or is that something different? I have that enabled.

Thanks.

D

0 Kudos
8 Replies
Wolfgang
MVP Gold
MVP Gold
‎2022-05-05 12:57 PM

You can import  a certificate enrolled from your internal CA to the usercheck page of the gateway properties. Your clients should trust these CA. If you‘re using the default certificate, your clients have to trust your internal Check Point CA of the managementserver. You can export the public certificate from the managementserver.

superd
Contributor
‎2022-05-06 01:01 AM
In response to Wolfgang

Thanks Wolfgang, is there a simple way to export this certificate from the SMS GUI?

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-05 10:24 PM

In addition to what Wolfgang state .... from my notes

 

We require an SSL certificate on the GW's as the page presented with the BLOCK message, is HTTPS and is using the Platform Portal (as it seems) .

 

They say to follow :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

But it’s better to follow :https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

(as I've use it previously )

superd
Contributor
‎2022-05-06 01:02 AM
In response to Sorin_Gogean

Cheers Sorin, seems a bit confaluted. Id like to just extract whatever cert is being currently served for block page. 

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-06 02:24 AM
In response to superd

Now I got it, your certificate error is shown to the end-user when he is redirected to the Block page - that is served by the GW Custer .

You can generate a certificate (signed by the same CA that you used to delegate HTTPS Inspection) and import it into the UserCheck .

Preview file
10 KB
0 Kudos
superd
Contributor
‎2022-05-06 02:54 AM
In response to Sorin_Gogean

Yes Sorin, serving of blockpage shows connection error, or client not trusting the cert.

So, for clarification, I must generate a self signed cert to avoid errors? Is there definitely no way to export whatever cert Checkpoint is providing by default?  - I find this surprising.

0 Kudos
Sorin_Gogean
Advisor
‎2022-05-06 04:11 AM
In response to superd

For sure you can export it, is the same you get when accessing the UserCheck portal It's not an on-the-fly generated one.

After that you will need to et it on all the clients in trusted certs, therefore my recommendation is to look for a centralized CA/certificate solution, then you just need to trust the Root CA and all the rest will follow.

0 Kudos
superd
Contributor
‎2022-05-06 01:07 AM

Could I extrapolate from the below message that one must use a self signed cert to avoid errors i.e. the auto-generated cert is not extractable?

Screenshot 2022-05-06 at 09.03.49.png

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events