This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
jennyado
Collaborator
‎2024-07-17 04:44 PM
Jump to solution

HTTPS Inspection & certificates

I have a issue with certificates

From the security gateway I export the certificate that was created from it. Then I active the HTTPS Inspection checkbox and finally a install the certificate to level host. 

When I try to access to Microsoft services and some internal services, I get the next message:FirefoxError.png

The certificate that shows the broswer when I enable HTTPS Inspection:

Certificate.png
Also I saw some logs with the message that the certificate chain is not signed by a trusted CA.

log.png

0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Gold
MVP Gold
‎2024-07-18 04:34 PM
In response to jennyado
Jump to solution

For that, you can bypass it using custom app site group in https policy with bypass rule. Or, before that, examine the logs and see why its failing. If it shows inspect log, theres your answer.

Andy

View solution in original post

15 Replies
the_rock
MVP Gold
MVP Gold
‎2024-07-17 04:49 PM
Jump to solution

Hey @jennyado 

I made a post about this recently. I actually have 2 perfectly working ssl inspection labs, so if you are free tomorrow, we can do remote and check, Im in EST time zone (GMT-5). Btw, have a look and see if it helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-lab-guide/m-p/214429#M40929

PhoneBoy
Admin
Admin
‎2024-07-18 09:17 AM
Jump to solution

Please show the CA key you exported from management in the Certificate Store of your client system with the various trust settings.

0 Kudos
jennyado
Collaborator
‎2024-07-18 03:43 PM
In response to PhoneBoy
Jump to solution

 

This is the certificate that we installed in the host which was exported from the SMS

 

d1.png

d2.png

d4.png

d3.png

     

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-18 03:53 PM
In response to jennyado
Jump to solution

See if additional post I made about this helps.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139

0 Kudos
PhoneBoy
Admin
Admin
‎2024-07-18 04:32 PM
In response to jennyado
Jump to solution

The certificate needs to be explicitly imported into the Trusted Root Certification Authorities.
If you just click through and choose the defaults in the Import Certificate wizard, the certificate will not be trusted (thus the problem you are having).
When done correctly, it should show here (Invoke via Windows Run: certmgr.msc )

image.png

the_rock
MVP Gold
MVP Gold
‎2024-07-18 04:39 PM
In response to jennyado
Jump to solution

Think of it like this, as trivial as this may sound, but hopefully you will get an idea. If you go to any secure website in the world, you can see what is root CA, then sub CA and then actual "client" cert. So, say in CP context, again, trivial as this is, think of mgmt as root CA, then your fw as sub-CA thats issuing ssl cert for your clients and as @PhoneBoy indicated in his post, all of them has to be TRUSTED in order NOT to get the cert warnings.

Makes sense?

Andy

the_rock
MVP Gold
MVP Gold
‎2024-07-18 04:51 PM
In response to jennyado
Jump to solution

To help you even further, I took bunch of screenshots from my lab. PLEASE pay attention to things I pointed out in red, as those are important.

Andy

 

Screenshot_1.png

 

 

Screenshot_2.png

 

 

 

Screenshot_3.png

 

 

Screenshot_4.png

 

 

Screenshot_5.png

 

 

Screenshot_6.png

 

 

Screenshot_7.png

 

 

 

Screenshot_8.png

 

 

Screenshot_9.png

0 Kudos
CaseyB
Advisor
‎2024-07-18 01:18 PM
Jump to solution

Since you are getting the certificate chain is not trusted, check the following:

  • Launch the SmartDashboard HTTPS Inspection settings
  • Navigate to the "Trusted CAs" section
  • If you click the "add" button up top and you have a bunch of objects listed, that is your issue. Everything in that list is not installed as a Trusted CA and it needs to be, otherwise you will get those navigation errors. It should be empty.

2024-07-18 15_15_33-192.168.183.205 - Check Point SmartDashboard R81.10 - HTTPS Inspection.png

Also, make sure this is enabled:

2024-07-18 15_15_13-192.168.183.205 - Check Point SmartDashboard R81.10 - HTTPS Inspection.png

If you have stuff in the list, you can manually add them or get ahold of TAC, they can help fix that.

jennyado
Collaborator
‎2024-07-18 03:52 PM
In response to CaseyB
Jump to solution

We have installed the updates of this section but we still have the same issue.

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-18 03:55 PM
In response to jennyado
Jump to solution

Personally, in my experience, those updates have nothing to do with the issue you have. You HAVE TO trust all the certs involved in a "chain" here not to get those warnings. Ie...whatever certs show when you click on untrusted cert on the web page, you need to export them, then install both of them (mgmt and gw one), put them in TRUSTED ROOT, make sure cert shows okay and Im 100% sure it will work just fine.

Andy

jennyado
Collaborator
‎2024-07-18 04:26 PM
In response to the_rock
Jump to solution

I understand that I have to export all certificates from sites that I have issues to access and install it on the gateway, but what happen with Microsoft Teams? 

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-18 04:34 PM
In response to jennyado
Jump to solution

For that, you can bypass it using custom app site group in https policy with bypass rule. Or, before that, examine the logs and see why its failing. If it shows inspect log, theres your answer.

Andy

jennyado
Collaborator
‎2024-08-13 04:42 PM
In response to the_rock
Jump to solution

I was doing some testing and I was able to fix the MS Teams part with the bypass rule.

the_rock
MVP Gold
MVP Gold
‎2024-08-13 04:44 PM
In response to jennyado
Jump to solution

Thats easiest/best way to fix those issues.

Good job!

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
‎2024-07-18 05:10 PM
In response to jennyado
Jump to solution

Also, forgot to mention, as I find this very IMPORTANT. I always use multiple ordered layers when I build ssl inspection labs, as I find that traffic is processed much faster and inspection always works that way. So, say on 2nd ordered layer, I ONLY enable urlf+appc blades and approach it using blacklist, rather than whitelist. There is even sk about it, cant recall now what it is, but its also due to the reason that traffic has to be allowed via all ordered layers. Yes, you can "cram" it in one layer, but why suffer that way. I did that for one customer while back that came from Cisco world and only reason for it was because their boss did not feel comfortable having layer with any any allow at the bottom. No matter how many times I explaied it to him, did not help : - ). Anyway, we made it work, but probably took 10 extra hours, compared to doing it the way I described.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events