LostBoY
Advisor

HTTPS Inspection in R80.40

I am trying to set up HTTPS inspection in an environment where I have 3 separate domains and a zone which does not use any certificates, like the proxy server.

I was wondering if it's possible to upload 3 independent wildcard domain-based certificates in Check Point and map them in the HTTPS rule base. Does the GW allow multiple certificates to be uploaded, or does it have to be one certificate only?

What are my options for a zone which does not use any certificates?

Any help is appreciated.

Thanks

9 Replies
G_W_Albrecht
Legend

sk65123 - HTTPS Inspection FAQ

sk108202: Best Practices - HTTPS Inspection

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
svori
Collaborator

It is possible to use several wildcard certificates for inbound inspection; check Additional Settings when you view the HTTPS Inspection policy.

Not sure what you mean by a zone without certificates, but it is also possible to bypass traffic that should not be HTTPS inspected.

There are two options in the HTTPS inspection rules, Bypass or Inspect. If you use Inspect on a rule, you must choose a certificate.

I saw G_W_Albrecht already sent links to the documentation; please take a look at it. They are pretty clear and understandable.

LostBoY
Advisor

Thanks for the reply. There is a zone where servers aren't using any certificates, so my query was: if I want to enable HTTPS inspection for those, do I need to use a default certificate, or can it not be done and I need to use a bypass rule?

the_rock
Legend (accepted solution)

Here is the short answer...

For OUTBOUND HTTPS inspection -> No, ONLY one cert

For INBOUND -> Yes, you can have multiple

Andy

PhoneBoy
Admin (accepted solution)

HTTPS Inspection generates certificates on the fly which are signed by a Certificate Authority (CA).
Wildcard certificates cannot be used as they are not CA keys. 
Only a single Certificate Authority for outbound HTTPS Inspection is allowed per gateway/virtual system.

LostBoY
Advisor

Thanks for the reply. So outbound supports only one certificate, which cannot be a wildcard? Are multiple certificates supported for inbound?

I came across a link which suggested using wildcard certificates for HTTPS inspection. I am not sure about the use case though. I will try linking that article here.

Sorin_Gogean
Advisor

Hi,


For us to better understand your setup, can you elaborate a bit more on "set up HTTPS inspection in the environment where we have 3 separate domains", more on the last part of the phrase?

In our company, where we implemented HTTPS Inspection, we have a Root CA (smth.int) that has 3 sub-CAs (regionEU.smth.int, regionNA.smth.int and regionAP.smth.int). But the delegated sub-CA we installed on the Check Point was generated by the Root CA (smth.int), so all clients from the regions will trust it.

Hopefully this clarifies your question, but please come back with the requested details.

 

Ty,

LostBoY
Advisor

Thanks for the reply..

We actually have 3 separate domains running in the environment which use their own independent certificate sets. I was wondering if I can upload multiple certificates in Check Point referencing each domain, such that I can map those certificates in separate HTTPS rules for inbound/outbound communication.

Sorin_Gogean
Advisor (accepted solution)

Like I (and others) said, on outbound inspection you can have a single certificate, so you could create a CA or sub-CA that would be trusted by all 3 of your domains' members/clients, and you should be good.

For inbound, if you intend to inspect traffic that is coming to WebServer Domain A and WebServer Domain B, you can have those individually, obviously 🙂.

Enjoy,
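Added example, not from the thread and not Check Point code: a Go program using only the standard library that models what PhoneBoy and Sorin_Gogean describe. It builds a root CA (named "smth.int" after Sorin's post), a sub-CA delegated by that root, and a wildcard server certificate for a hypothetical domain-a.example. It then mints an on-the-fly leaf the way the gateway's outbound inspection does, shows that a client trusting only the root accepts it because the sub-CA chains to the root, shows that the same wildcard certificate is perfectly usable as an inbound server certificate, and shows why it cannot be the outbound signer: it lacks CA:TRUE and keyCertSign. Every name, serial number and lifetime is made up for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

type certPair struct { // parsed certificate plus its private key (in-memory toy PKI)
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// newTemplate builds a template; CA:TRUE is derived from whether ku permits keyCertSign.
func newTemplate(cn string, serial int64, ku x509.KeyUsage) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // always emit basicConstraints, CA:TRUE or CA:FALSE
		IsCA:                  ku&x509.KeyUsageCertSign != 0,
		KeyUsage:              ku,
	}
}

// issue generates a P-256 key for tmpl and signs it with parent (self-signed when nil); demo-only, so it panics on error.
func issue(tmpl *x509.Certificate, parent *certPair) *certPair {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	signer := &certPair{Cert: tmpl, Key: key}
	if parent != nil {
		signer = parent
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer.Cert, &key.PublicKey, signer.Key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return &certPair{Cert: cert, Key: key}
}

// UsableAsInspectionCA is the property a wildcard server cert lacks: the signer needs CA:TRUE and keyCertSign.
func UsableAsInspectionCA(c *x509.Certificate) bool {
	return c.BasicConstraintsValid && c.IsCA && c.KeyUsage&x509.KeyUsageCertSign != 0
}

// MintInspectionCert mimics outbound HTTPS Inspection: a leaf for the intercepted hostname, signed by the inspection CA.
func MintInspectionCert(ca *certPair, hostname string) (*certPair, error) {
	if !UsableAsInspectionCA(ca.Cert) {
		return nil, fmt.Errorf("%q is not a CA key and cannot sign on-the-fly certificates", ca.Cert.Subject.CommonName)
	}
	tmpl := newTemplate(hostname, time.Now().UnixNano(), x509.KeyUsageDigitalSignature)
	tmpl.DNSNames = []string{hostname}
	tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return issue(tmpl, ca), nil
}

// ClientTrusts plays a client that trusts only the enterprise root and is handed leaf (plus the sub-CA, if any) in the handshake.
func ClientTrusts(root, subCA, leaf *certPair, hostname string) error {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root.Cert)
	if subCA != nil {
		inter.AddCert(subCA.Cert)
	}
	_, err := leaf.Cert.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inter, DNSName: hostname})
	return err
}

// BuildDemoPKI: root CA "smth.int" (from the thread), a delegated sub-CA for the gateway, a wildcard server cert for a made-up domain.
func BuildDemoPKI() (root, subCA, wildcard *certPair) {
	root = issue(newTemplate("smth.int Root CA", 1, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), nil)
	subCA = issue(newTemplate("HTTPS Inspection Sub-CA", 2, x509.KeyUsageCertSign|x509.KeyUsageCRLSign), root)
	wt := newTemplate("*.domain-a.example", 3, x509.KeyUsageDigitalSignature) // hypothetical domain
	wt.DNSNames = []string{"*.domain-a.example"}
	wildcard = issue(wt, root)
	return
}

func main() {
	root, subCA, wildcard := BuildDemoPKI()
	leaf, _ := MintInspectionCert(subCA, "www.example.com")
	fmt.Println("client trusting the root accepts the minted leaf:", ClientTrusts(root, subCA, leaf, "www.example.com") == nil)
	fmt.Println("wildcard still works as an inbound server cert:", ClientTrusts(root, nil, wildcard, "www.domain-a.example") == nil)
	_, err := MintInspectionCert(wildcard, "www.example.com")
	fmt.Println("minting with the wildcard cert:", err)
}
```

The check in UsableAsInspectionCA is the same one you can do by hand on a candidate certificate with `openssl x509 -noout -text -in cert.pem`: the outbound signer must show `CA:TRUE` under X509v3 Basic Constraints and `Certificate Sign` under Key Usage, which a wildcard certificate bought for a web server never does. The sub-CA is what Sorin's setup installs on the gateway, and the chain check is why one sub-CA issued by the common root covers all three domains.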
