Hi,
I have a question about site-to-site VPN with P-521 ECC encryption and HTTPS Inspection.
Is it possible to have two certificates for HTTPS Inspection,
one RSA 2048 certificate for the website and a second P-521 ECC certificate for site-to-site VPN?
Thanks
For HTTPS inspection you need a SUB-CA installed on your gateway, not only a certificate.
This SUB-CA and the certificate for Site2Site VPN are configured and stored in different places. Following this, you don't need to have one for both features.
certificate for VPN:
SUB-CA for HTTPS-inspection:
Wolfgang
Thank you for your post, sorry if I didn't ask the question well.
If I understood it well, the RSA 2048 certificate and the P-521 ECC certificate are not compatible?
Does HTTPS Inspection use only an RSA 2048 certificate or RSA 4096 certificate for inspecting websites?
My question is regarding HTTPS Inspection site-to-site VPN with a preshared key and with P-521 ECC as encryption?
I believe you should explain in more detail what you want to do.
As I wrote and @PhoneBoy mentioned, HTTPS inspection and site2site VPN are different things and both are using different certificates.
RoD, more information about your need would be very helpful to give you the right answers.
Wolfgang
Thank you Wolfgang and PhoneBoy for your help. 😀
I have one laptop that has a Site-to-Site VPN to one data center in Germany,
and this connection will go through a 3100 or 3600 firewall.
My original plan was that the 3100 firewall would inspect this Site-to-Site VPN with HTTPS Inspection.
I think it is better that the 3100 firewall creates the Site-to-Site VPN to this data center in Germany,
RoD,
I think you are mixing some of the technologies.
Laptop with site2site VPN? Sounds like more than a remote access VPN.
You can't inspect an IPSEC tunnel with HTTPS inspection. But you can inspect the traffic coming through the tunnel on one of the endpoints of the tunnel. If this traffic is HTTPS, you can inspect it with HTTPS inspection.
Wolfgang
I forgot to add my laptop with my old hardware firewall,
I decided that all my site-to-site VPNs will go from the new Check Point firewall.
Thanks