Hi All,
I opened a case with Check Point on Friday last week and still haven't got the issue resolved, so maybe somebody here can give me some ideas of where to look.
The client has a 3100 Appliance with Check Point management server and HTTPS inspection enabled. Management Server and Device are both running version R81.10 and up to date.
Users have been experiencing issues logging into Teams, and in my testing I have had issues connecting to certain websites like office.com and even checkpoint.com. The HTTPS inspection certificate is deployed via GPO and is installed under Trusted Root Certificate Authority.
Testing with Chrome I get the error "Your connection is not private. You cannot visit www.checkpoint.com right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."
I updated the Trusted CA list and added the HTTPS Inspection Certificate to the list under SmartDashboard and installed policy, but that has not helped.
I have resorted to bypassing all traffic in the HTTPS Inspection policy, which is not ideal, and then I can connect to checkpoint.com or office.com without any issues.
This is a StandAlone SMS / GW with HTTPS inspection enabled? This is HW from 2016, so it might well be that R81.10 SMS & GW & HTTPS inspection is too much work - have a look in cpview to see the load history!
Thank you for your reply. Yes, it is a StandAlone SMS / GW with HTTPS inspection enabled. cpview looked okay from what I could tell.
Browsing office.com as my test I noticed the below observations; the left image is with HTTPS inspection, the right is without.
The custom HTTPS bypass rule does not appear to be working: I have added portal.office.com and office.com and it still inspects them. The Financial Services rule is working, in that I could connect to banking sites with no issue.
I tried a local news website, and it connects fine; the certificate shows "issued by" and the name of the HTTPS inspection certificate, "client.com".
I observe the following log on the Management Server:
I have had a look at sk159872, which doesn't seem to give me any help. I updated the Trusted CA list in SmartDashboard with Check Point support yesterday. I have added the HTTPS inspection certificate to this list and it has not helped. I have observed a fair number of Microsoft URLs failing with Untrusted Certificate.
I am waiting for more feedback from Checkpoint as to what to check next.
I worked with a customer who had a very similar issue and it turned out to be certificate related; I will have to see what exactly. Question... does the same problem happen in EVERY browser, or just Chrome?
I have tried it in Edge and it does a similar thing. The certificate has been in use since 2019. "Issued to" is the "domain.com" of the client. I wonder if the name is causing issues; if I recall, it was generated on the firewall when we set up HTTPS inspection.
In Edge I get the following warning but can choose to still visit the site.
I upgraded the firewall to R81.10 on 18 August, and 2 weeks later (2 September) I was notified of issues with staff connecting to Teams. If it broke with the upgrade to R81.10 I would have expected to be notified much earlier, as they have weekly Teams meetings.
Firefox showed the following information first on office.com
When I go to a local news site I saw this warning checking the certificate and shows the verified by certificate name.
The certificate issued is self-issued from the firewall and was added by the administrator via GPO. I understand the basic concepts of how HTTPS inspection works, but I can't figure out which part of the process is failing and causing the "your connection is not secure" warning.
Could certain websites like office.com or checkpoint.com have extra security and be warning the browser that it is not getting a known certificate, so this connection is insecure? The local news website doesn't have these added security features, which is why it connects to the site and gives the warning as above when viewing the certificate details.
I saw with my customer it was the issue where the SAN (subject alternative name) was missing in the cert, but it may not have been the exact same problem as what you are having. Question... when you compare the cert you see for one that works and one that does not, what is the difference?
@the_rock thank you for coming back to me. I will have a look at the certificates in more detail. It's weird that I can connect to some sites and the browser shows me the HTTPS certificate and it works, but it refuses to connect to Microsoft or Check Point websites.
Maybe I need to create a new certificate on the firewall and see if that solves the issue.
I get what @Wolfgang is saying, but I find it odd that it worked fine for some time and then stopped all of a sudden. I have a really nice lab with HTTPS inspection that works using a self-signed cert from the firewall, if you wish to have a look; happy to show you. I have a Windows 10 PC behind the fw and we can test any site you have an issue with.
Let me know.
Andy
Hi Andy,
Thank you for your reply. I would be interested to see what the certificate info is in your lab with HTTPS inspection if you visit https://www.checkpoint.com/
When I go to checkpoint.com using Edge I get the below on the certificate info. The "issued by" part is what is causing my issues, I suspect. On other websites that work, it shows the name of the certificate the firewall created.
This is how it looks on my machine bypassing HTTPS inspection, as I am not domain joined.
Today I resorted to adding all the users who need to use Teams meetings to a bypass group we have as a temporary fix.
I get the exact same message for the cert as your 2nd screenshot, but that's most likely because I am NOT inspecting the website; otherwise, if I were, I would get the firewall cert.
Andy
Thank you for this, Andy. I have an HTTPS Custom Bypass list under No SSL Inspection, which includes the Health and Financial Services categories. The groups appear to work, as I can reach bank sites, but the custom list is not working 100%. I added https://www.checkpoint.com/ but still can't get to the site without a warning. Going to do some troubleshooting in this area.
Let's do a remote session; I would need to see why that happens.
Thank you for the reply, Andy. Check Point had booked a support call for today and they resolved the issue.
What was the solution, if you don't mind sharing? We always like to share the positive outcome, so it helps everyone else.
Andy
@rmasprey you wrote that the certificate from the firewall is self-signed...
Does this mean you are using Check Point's firewall management internal CA for HTTPS inspection?
If yes, you have to deploy this root CA certificate to your clients. If you have a look at the trusted chain on the client you should see the newly created certificate for the inspected website and all CAs up to the root CA.
Thank you for the reply @Wolfgang. Yes, it is a self-signed certificate from the firewall and it is deployed to the workstations via a group policy. This has been working up until recently.
Thank you to everybody who took the time to respond to the issue I was experiencing. I did a remote session with Check Point; the issue was resolved by adding two Certificate Authorities that were missing from the HTTPS Inspection Trusted CA list:
ISRG Root X1
DigiCert Global Root G2
Once these were added I was able to connect to office.com and the checkpoint.com site without any issues.
Ah, makes sense. We had a case with escalation about this in the past and were given some sort of script from R&D, but then were told not to run it as it could cause more issues, so the client just added them manually. Glad it worked out!
How did you add those CAs to the list?
Hello @casgrain ,
Certificates can be imported into Check Point HTTPS Tools (you should have bumped into that if you were doing HTTPS Inspection).
Thank you,
This solved it for me, thanks!
This resolved my issue; however, I am unable to access www.cisco.com. I am getting the below error. Please, how did you resolve yours?
"Did Not Connect: Potential Security Issue
Firefox detected a potential security threat and did not continue to www.cisco.com because this website requires a secure connection.
What can you do about it?
www.cisco.com has a security policy called HTTP Strict Transport Security (HSTS), which means that Firefox can only connect to it securely. You can't add an exception to visit this site.
The issue is most likely with the website, and there is nothing you can do to resolve it.
If you are on a corporate network or using antivirus software, you can reach out to the support teams for assistance. You can also notify the website's administrator about the problem."
Regards,
Salom
This means FF is detecting that HTTPSi is substituting the certificate. Either double-check that FF is trusting the Check Point HTTPSi root certificate, or make an exception for cisco.com in the HTTPSi policy.
Also, look into sk106996.
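The resolution above (missing roots in the HTTPS Inspection Trusted CA list) and the Firefox HSTS refusal for cisco.com are two views of the same mechanism: before re-signing a site, the gateway validates the real server chain against its Trusted CA list, exactly as `openssl verify` checks a leaf against a CA bundle. The script below is an added demonstration, not Check Point's code or anything from this thread; it builds a throwaway root, intermediate and leaf with made-up names, then shows validation failing while the root is absent from the bundle and succeeding once it is appended.

```shell
#!/bin/sh
# Constructed demo (not Check Point's code). The gateway's Trusted CA list is
# just a CA bundle; if the site's root is not in it, chain validation fails and
# the gateway re-signs the site with its "untrusted issuer" certificate. HSTS
# sites then refuse to load with no click-through, the symptom in this thread.
set -e
WORK=$(mktemp -d)

# Issue an RSA certificate. $1=CN  $2=output prefix  $3=issuer prefix or "self"
# $4=ca|leaf. Helper and CA names are hypothetical.
issue() {
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$2.key" \
    -out "$WORK/$2.csr" -subj "/CN=$1" >/dev/null 2>&1
  if [ "$4" = ca ]; then
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign\n' >"$WORK/$2.ext"
  else
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:%s\n' "$1" >"$WORK/$2.ext"
  fi
  if [ "$3" = self ]; then
    openssl x509 -req -in "$WORK/$2.csr" -signkey "$WORK/$2.key" -days 30 \
      -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
  else
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$3.pem" -CAkey "$WORK/$3.key" \
      -CAcreateserial -days 30 -extfile "$WORK/$2.ext" -out "$WORK/$2.pem" >/dev/null 2>&1
  fi
}

# The gateway's decision: does the server leaf chain to a root in the bundle?
# $1=trusted bundle  $2=intermediate sent by the server  $3=server leaf
gateway_trusts() { openssl verify -CAfile "$1" -untrusted "$2" "$3" >/dev/null 2>&1; }

issue "Demo Root CA" root self ca            # stands in for e.g. ISRG Root X1
issue "Unrelated Root Already Listed" other self ca
issue "Demo Intermediate R3" inter root ca
issue "www.example.test" leaf inter leaf

# Before the fix: the Trusted CA list holds only the unrelated root.
cat "$WORK/other.pem" >"$WORK/trusted.pem"
before_fix() { gateway_trusts "$WORK/trusted.pem" "$WORK/inter.pem" "$WORK/leaf.pem"; }
# The thread's fix: append the missing root to the Trusted CA list.
after_fix() {
  cat "$WORK/other.pem" "$WORK/root.pem" >"$WORK/trusted_fixed.pem"
  gateway_trusts "$WORK/trusted_fixed.pem" "$WORK/inter.pem" "$WORK/leaf.pem"
}

if before_fix; then echo "before: chain trusted"; else echo "before: untrusted, root missing"; fi
if after_fix; then echo "after: chain trusted"; fi
# To see which root a real site needs, from a bypassed host:
#   openssl s_client -connect www.checkpoint.com:443 -showcerts </dev/null
```

The same `-untrusted`/`-CAfile` distinction explains why the intermediate a site sends is never enough on its own: only a root present in the gateway's list can anchor the chain.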