Hello, I would like to know if anyone here has been presented with this error?
Reviewing logs, I have this error towards a specific destination, but what seems strange to me is that whether this error appears depends on the source, because with some other sources the error does not appear towards the destination that presents the problem.
As additional information, both the source and destination segments have bypass rules in HTTPS INSPECTION.
Thanks a lot for the help.
Id Generated By Indexer: false
First: true
Sequencenum: 205
HTTPS Validation: The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: bad_certificate)
Description: Bypassing request as configured in engine settings of HTTPS Inspection
Source: x.x.x.x
Source Port: 60374
Destination: x.x.x.x
Destination Port: 443
IP Protocol: TCP (6)
Action: Bypass
Type: Log
Policy Name: YYYY
Policy Management: YYYY
Policy Date: 23 may
Blade: HTTPS Inspection
Origin: XXXX
Service: https (TCP/443)
Product Family: Network
HTTPS Inspection Action: Error
The error states that the GW cannot validate the server certificate. If it only happens to some of the connections to the same server and not all, look if you have any intermittent connectivity failures on that GW. Also, it might be that the destination IP hosts multiple web servers, some of them with bad certificates.
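Added example, not part of the thread: one way to check whether the error follows the source, as the question describes, is to group exported log records by destination and compare the sources that hit the TLS alert with those that did not. The blank-line-separated export layout and all addresses below are assumptions; the field names are the ones shown in the log above.

```python
import re
from collections import defaultdict

# Constructed sample in the log's "Field: value" layout (documentation IPs).
SAMPLE = """\
HTTPS Validation: The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: bad_certificate)
Source: 192.0.2.10
Destination: 198.51.100.7
HTTPS Inspection Action: Error

Source: 192.0.2.11
Destination: 198.51.100.7
Action: Accept

HTTPS Validation: The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: bad_certificate)
Source: 192.0.2.12
Destination: 198.51.100.7
HTTPS Inspection Action: Error
"""

def parse_records(text):
    """Split blank-line-separated records into {field: value} dicts."""
    records = []
    for chunk in re.split(r"\n\s*\n", text.strip()):
        rec = {}
        for line in chunk.splitlines():
            key, sep, value = line.partition(": ")
            if sep:
                rec[key.strip()] = value.strip()
        records.append(rec)
    return records

def summarize(records):
    """Per failing destination: sources per TLS alert, and sources seen without error."""
    seen, failing = defaultdict(set), defaultdict(lambda: defaultdict(set))
    for r in records:
        src, dst = r.get("Source"), r.get("Destination")
        if not (src and dst):
            continue
        seen[dst].add(src)
        if r.get("HTTPS Inspection Action") == "Error":
            m = re.search(r"TLS alert: (\w+)", r.get("HTTPS Validation", ""))
            failing[dst][m.group(1) if m else "unknown"].add(src)
    report = {}
    for dst, alerts in failing.items():
        bad = set().union(*alerts.values())
        report[dst] = {"alerts": {a: sorted(s) for a, s in alerts.items()},
                       "clean_sources": sorted(seen[dst] - bad)}
    return report
```

A destination that lists both failing and clean sources points at a per-source difference (rule matching, routing, or which server behind the IP answered) rather than a certificate that is bad for everyone.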
Thanks for answering _Val_.
Do you think that updating the certificate database can help?
Regards
100% that can only help, not make it worse. So, make sure the below is enabled as per my screenshots, and if you need the zip file, happy to send it over. Just a small disclaimer, though a couple of people on here used it and it was fine, don't "shoot" the messenger if something goes sideways lol
Andy
Thanks a lot for the help Andy.
I really appreciate it.
Regards
Carlos Isaac!
Any time, happy to help. Let us know if there are any issues. I have a working R81.20 lab with Windows 10 and HTTPS inspection on, so I can test anything needed.
Cheers,
Andy
It might, but we need to figure out first, what we are dealing with. If it is an intermittent issue for the same server, connectivity is the prime suspect.
@_Val_ makes a good point, Isaac. It really depends on whether it's an intermittent issue or not. I mean, you can certainly update the certificate list, it's not going to make it worse, but there is no guarantee it would make it better either.
Andy
Thanks a lot for your support.
The problem that we had specifically was with some servers with Workload Security agents that were not synchronizing with the cloud. One of our team had created a rule in the FW, but at the destination it had only one IP, which was the one that gave us the HTTPS Inspection error.
Reading the Trend Micro documentation, you have to add some domains (130). The Security, APCL and HTTPS INSPECTION rules were created with said group of Trend Micro domains, and the problem was solved.
https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/#Deep3
By the way, although the problem is solved I have to update the certificate database so I will follow your recommendation @the_rock
Regards!!
Sounds good...keep us posted.
Andy
Hey mate,
I wanted to tell you something else, just my own experience, as well as that of one customer I worked with on HTTPS inspection. So, when I tested this in the lab (R80.40, R81.10 and R81.20), I would simply install the generated HTTPS inspection cert (follow the on-screen prompt) and it would work without any issues. The customer first tested it on one machine and had a problem, so he reinstalled the cert and placed it in trusted root and it worked fine. Then they tried a few machines and some worked okay, some did not, following the exact same process.
They had Trend Micro before going with CP, told me they never had this sort of problem, but it turns out that after they upgraded their environment to R81.10, all just worked fine. So, I would say if you have the cert in trusted root, that's 100% correct.
Cheers,
Andy
It is an interesting fact, to comment that the environment we have is R80.40 and we plan to update it to R81.10.
So I hope that by updating the Certificates and upgrading to R81.10 there will be no more problems in the future.
Regards
Isaac.
I'm sure it would be better.
Andy