HTTPS Inspection
Hi
Found the Checkpoint HTTPS INSPECTION cert is SHA1 and as it is outdated should move forward to SHA256. Followed the sk115894 but when accessing, the browser is not trusting the certificate. Kindly help on resolving this issue.
It's R80.30 with Take 76.
Can you please brief on how to replace the existing SHA1 certificate? It's in production now.
Wondering if Stage 6 has been done, which requires installing the new SHA-256 cert into the Trusted Root CA folder on the Windows machines.
If reading right, then you have updated the cert but the machines are not trusting the certificates from the new certificate, which points to the new cert not being trusted.
The certificate .crt is already added in the Trusted Root Certificate.
If the new SHA-256 Cert is in the Trusted CA Root Folder then you will need to investigate on the Client Machines why they are not trusting the new Root CA even though added as a Trusted CA Root Certificate.
Created a different lab and tested and am getting the same error message. I think some configuration of installing the certificate is missing in the Dashboard.
You are going to have to list out exactly, step by step, what was done then, as the SK seems to contain what to do when reading through.
Shows a little more about having once opened an R80.x SmartDashboard for the HTTPS Inspection Policy, but once in there it is the same as on R77.x in the SK.
I would think that Check Point take it as a given that you need to install the Policy afterwards for it to take effect, as it is hammered into everyone that if you make a change you need to install Policy afterwards.
If you haven't finished importing the SHA-256 cert then you would still be using the SHA-1, which presumably you had working fine, so you wouldn't get any errors still.
So how have you exported the certificate and then distributed it to the client machines? If the client PC is not trusting the certs then it looks as though it is either not in the Trusted Root CA store on the machine or hasn't imported to the machine properly, for which you are looking more at the PC rather than Check Point.
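The client-side check discussed in the replies above, as an added example that is not part of the original thread: it loads the exported CA file, reports its signature algorithm, and looks for the exact same certificate in the Windows root stores. The function name and the file path are hypothetical.

```powershell
# Added example (not from the thread). Function name and $Path are hypothetical.
function Test-InspectionCaTrust {
    param(
        [Parameter(Mandatory)] [string] $Path   # exported .crt/.cer file of the inspection CA
    )

    $file = (Resolve-Path -LiteralPath $Path).ProviderPath
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # A certificate used to re-sign traffic must carry Basic Constraints with CA=TRUE.
    $bc = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
    }

    # Look for this exact certificate (by thumbprint) in the machine and user root stores.
    $foundIn = foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
        if (Get-ChildItem -Path $store | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }) { $store }
    }

    # Roots with the same subject but another thumbprint, if any (for example a previous CA).
    $sameSubject = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
        Where-Object { $_.Subject -eq $cert.Subject -and $_.Thumbprint -ne $cert.Thumbprint }

    $now = Get-Date
    [pscustomobject]@{
        Subject            = $cert.Subject
        Thumbprint         = $cert.Thumbprint
        SignatureAlgorithm = $cert.SignatureAlgorithm.FriendlyName   # e.g. sha1RSA or sha256RSA
        IsSha1Signed       = $cert.SignatureAlgorithm.FriendlyName -like 'sha1*'
        IsCa               = [bool]($bc -and $bc.CertificateAuthority)
        InValidityPeriod   = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        TrustedIn          = @($foundIn)
        OtherRootsSameName = @($sameSubject | ForEach-Object { $_.Thumbprint })
    }
}

# Usage (the path is a placeholder):
# Test-InspectionCaTrust -Path 'C:\Temp\inspection-ca.crt'
```

Compare the reported thumbprint with the issuer certificate the browser shows for an inspected site; if they differ, the gateway is signing with a different CA than the one that was distributed.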
After enabling PBR, HTTPS INSPECTION is not working on the interface where PBR is enabled. Is there any limitation in HTTPS INSPECTION with PBR? Able to get the certificate, but the page takes too much time to load and very often doesn't load. The External Interface without PBR works perfectly fine.
I could see traffic flowing through both External Interface when HTTPS INSPECTION is enabled.
The following features/blades are not supported with PBR:
HTTPS Inspection listed there. Cannot do HTTPS Inspection with PBR. Pretty much all you can run on a Check Point with PBR enabled is the Firewall Blade.
Thank You so much for your reply.
I have seen this SK before but some of our customers are using HTTPS INSPECTION with PBR successfully in the same version.
Even IPS and URLF were working fine over there. I could see PBR traffic with IPS Events in logs.
We had created a test Lab and tested, and the test was a success.
What I had noticed in the production environment is "PBR NAT IP is again coming as a source in next External interface with the same destination IP".
Is there any way we can avoid the situation mentioned above in double quotes?
Hi,
Can you please confirm whether sk100500 is relevant or not, as PBR works with HTTPS INSPECTION in some environments and is creating issues in others? Is the SK relevant?
Yes the SK article is VERY relevant as quite clearly says is NOT SUPPORTED. That is not to be confused with DOES NOT WORK.
So you are running in an unsupported configuration when running HTTPS Inspection and configuring PBR.