This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Matlu
Advisor
‎2024-01-16 01:50 PM

Connection Flow.

Hello,

I have a question.
I have a FW in version R81.10 with JHF Take 110.

In my LAN I have a Mail Server (On Premise) published to the Internet.

The Server Certificate has been updated.

When the users from the LAN try to access the Mail Server, everything flows fine (they don't get the alert in the browser that "The connection is not secure".

On the other hand, when we try to access from the Internet to the mail server, pointing to the domain, the result is that "THE CONNECTION IS NOT SECURE".

In this kind of scenarios, it is necessary and mandatory, to "import" the certificate in the Firewall, from the SmartDashboard Legacy, referring to the HTTPS Inspection?

CA1.png

Greetings.

0 Kudos
8 Replies
Lesley
Advisor
‎2024-01-16 02:09 PM

Sounds like public dns record issue. Do nslookup of the domain the output should match the public ip that you use on the firewall for this server. If dns record ip does not match you get warning 

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
Matlu
Advisor
‎2024-01-16 02:24 PM
In response to Lesley

Hello,

In my case, it does match.

CA2.png

When from the Internet, I do a NSLOOKUP to the domain, if I resolve the Public IP that has been designated in the Firewall, for the connection to the mail server.

Is it necessary to import the certificate of the mail server, to the Firewall, to avoid these "alerts" from the Internet connections?

Greetings.

0 Kudos
the_rock
Legend
Legend
‎2024-01-16 06:22 PM
In response to Matlu

Hey bro, cert is only needed if you are doing INBOUND https inspection, otherwise, no need to import it into smart console. Same as if you were doing outbound ssl inspection, cert has to be uploaded to users, so those warnings dont show up.

Andy

0 Kudos
the_rock
Legend
Legend
‎2024-01-16 05:09 PM

Ola bro,

Happy New Year : - )

I dont think importing that cert has anything to do with it, that simply related to inbound https inspection.

What @Lesley said makes sense to me as well.

Andy

0 Kudos
Matlu
Advisor
‎2024-01-16 06:33 PM
In response to the_rock

Buddy,

This type of scenario is when the FIREWALL acts as a "WAF", isn't it?

Most of my client's rules only had rules based on "OUTBOUND" traffic

They have HTTPS Inspection enabled, but only for LAN -> WAN traffic, not the other way around.

The problem that I get in the browser, the message "The connection is not secure" from the Internet, when I try to access the published mail server, it would be an issue to check with the DNS provider of the client, right?

Cheers. 🙂

0 Kudos
the_rock
Legend
Legend
‎2024-01-16 07:06 PM
In response to Matlu

I got ya. You can try that, wont make it worse, see if it makes any difference.

Andy

0 Kudos
Matlu
Advisor
‎2024-01-17 04:22 AM
In response to the_rock

I have done some research.

Apparently it's a "registration" problem at the "DNS service" level.

I understand that to prevent Internet users from getting the certificate error "The connection is not secure", you have to publish the domain in a MX record of my DNS service ... at least something like that is what I have understood.

Does this make sense?

 

0 Kudos
the_rock
Legend
Legend
‎2024-01-17 04:27 AM
In response to Matlu

100% makes sense

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events