This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LostBoY
Advisor
‎2022-11-11 03:16 AM
Jump to solution

HTTPS Inspection in R80.40

I am trying to setup https inspection in the environment where i have 3 separate domains and a zone which do not use any certificates like the proxy server.

I was wondering if its possible to upload 3 independent wildcard domain based certificates in Checkpoint and map them in the https rule base.. does GW allow multiple certificates to be uploaded ? or it has to be one certificate only ?

What are my options for a zone which does not use any certificates.

Any help is appreciated.

Thanks

0 Kudos
(1)
3 Solutions

Accepted Solutions
the_rock
Legend
Legend
‎2022-11-11 04:52 AM
Jump to solution

Here is the short answer...

For OUTBOUND https inspection -> No, ONLY one cert

For INBOUND -> Yes, you can have multiple

Andy

View solution in original post

PhoneBoy
Admin
Admin
‎2022-11-11 08:28 AM
Jump to solution

HTTPS Inspection generates certificates on the fly which are signed by a Certificate Authority (CA).
Wildcard certificates cannot be used as they are not CA keys. 
Only a single Certificate Authority for outbound HTTPS Inspection is allowed per gateway/virtual system.

View solution in original post

Sorin_Gogean
Advisor
‎2022-11-16 01:55 AM
In response to LostBoY
Jump to solution

Like I (and others said), on Outbound inspection you can have a single certificate, so you could do an CA or sub-CA that would be trusted by all 3 of your domains members/clients and should be good.

 

For Inbound, if you intend to inspect traffic that is coming for WebServer Domain A and WebServer Domain B, you can have those individually - obviously 🙂 .

 

Enjoy,

View solution in original post

9 Replies
G_W_Albrecht
Legend
Legend
‎2022-11-11 03:48 AM
Jump to solution

sk65123 - HTTPS Inspection FAQ

sk108202: Best Practices - HTTPS Inspection

CCSE CCTE CCSM SMB Specialist
svori
Collaborator
Collaborator
‎2022-11-11 04:48 AM
Jump to solution

It is possible to use several wildcard certificates for inbound inspection, check for Additional Settings when you view HTTPS Inspection policy.

Not sure what you mean by a Zone without certificates but it is also possible to bypass traffic that should not be https inspected.

There are two options, bypass or inspect in https inspect rules. If you use inspect on a rule you must choose a certificate.

I saw GW Albrecht already sent links to documentation, please take a look at it. They are pretty clear and understandable.

LostBoY
Advisor
‎2022-11-15 01:25 AM
In response to svori
Jump to solution

Thanks for the reply..there is a zone where servers aren't using any certificates..so my query was if i want to enable https inspection for those , do i need to use any default certificate or it cant be done and i need to use a bypass rule.

0 Kudos
the_rock
Legend
Legend
‎2022-11-11 04:52 AM
Jump to solution

Here is the short answer...

For OUTBOUND https inspection -> No, ONLY one cert

For INBOUND -> Yes, you can have multiple

Andy

PhoneBoy
Admin
Admin
‎2022-11-11 08:28 AM
Jump to solution

HTTPS Inspection generates certificates on the fly which are signed by a Certificate Authority (CA).
Wildcard certificates cannot be used as they are not CA keys. 
Only a single Certificate Authority for outbound HTTPS Inspection is allowed per gateway/virtual system.

LostBoY
Advisor
‎2022-11-15 01:23 AM
In response to PhoneBoy
Jump to solution

Thanks for the reply.. so outbound supports only one certificate which cannot be a wilcard ? are multiple certificates supported for inbound ?

i came across a link which suggested using wildcard certificates for https inspection.i am not sure about the use case though .i will try linking that article here

0 Kudos
Sorin_Gogean
Advisor
‎2022-11-11 09:21 AM
Jump to solution

Hi,


For us to better understand your set-up, can you elaborate a bit more on "setup https inspection in the environment where we have 3 separate domains" - more on the last part of the phrase.

In our company where we implemented HTTPS Inspection, we have a Root CA (smth.int) that has 3 sub CA's like ( regionEU.smth.int, regionNA.smth.int and regionAP.smth.int) . But the delegated sub-CA we installed on the CheckPoint, was generated by the Root CA (smth.int) so all clients from the regions will trust it.

 

Hopefully it will clarify your question, but please come back with the asked details.

 

Ty,

LostBoY
Advisor
‎2022-11-15 01:21 AM
In response to Sorin_Gogean
Jump to solution

Thanks for the reply..

we actually have 3 separate domains running in the environment which use their own independent certificate sets. I was wondering if i can upload multiple certificates in checkpoint referencing each domain such that i can map those certificates in separate https rules for inbound/outbound communication.

0 Kudos
Sorin_Gogean
Advisor
‎2022-11-16 01:55 AM
In response to LostBoY
Jump to solution

Like I (and others said), on Outbound inspection you can have a single certificate, so you could do an CA or sub-CA that would be trusted by all 3 of your domains members/clients and should be good.

 

For Inbound, if you intend to inspect traffic that is coming for WebServer Domain A and WebServer Domain B, you can have those individually - obviously 🙂 .

 

Enjoy,

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap

    Thu 25 Apr 2024 @ 10:00 AM (CEST)

    The Anatomy of a Cloud Hack by NotSoSecure - EMEA Session

    Thu 25 Apr 2024 @ 06:00 PM (IDT)

    The Anatomy of a Cloud Hack by NotSoSecure - America Session
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Tue 23 Apr 2024 @ 11:00 AM (EDT)

    East US: What's New in R82
    Virtual

    Thu 25 Apr 2024 @ 11:00 AM (SGT)

    APAC: CPX 2024 Recap
    Virtual

    Tue 30 Apr 2024 @ 03:00 PM (CDT)

    EMEA: CPX 2024 Recap
    Virtual

    Thu 02 May 2024 @ 11:00 AM (SGT)

    APAC: What's new in R82
    Virtual

    Thu 02 May 2024 @ 04:00 PM (CEST)

    CheckMates Live DACH - Keine Kompromisse - Sicheres SD-WAN
    Virtual

    Thu 02 May 2024 @ 05:00 PM (CEST)

    SASE Masters: Deploying Harmony SASE for a 6,000-Strong Workforce in a Single Weekend
    CheckMates Events