HTTPS Inspection policy
I want an HTTPS inspection policy to be implemented on this NAT rule, which is configured to NAT traffic towards a BWAPP server. I also want a specific certificate to be used for the inspection, but I am unable to do so. In spite of configuring an HTTPS inspection policy for the NAT policy, it is not being implemented.
First screenshot: Original Dest GW, Transl. Dest BWAPP server ??? I see no original source...
Original Source is Any, just couldn't get it into the screenshot.
CCSE CCTE CCSM SMB Specialist admirer
So why is the GW the Source in screenshot 2? Translated Source is Original == Any, so how should that HTTPS rule match here?
Use the column picker to add the "Certificates" column. You can then select the correct certificate for inbound inspection.
This assumes you imported the proper server certificate first though.
I configured an HTTPS Inspection policy which uses a self-assigned certificate, but according to the log the traffic is only being inspected and not allowed. Every packet is being dropped. Similarly, as can be noticed in the screenshot provided below, I believe the Action should be allowed/blocked, but only HTTPS inspect is displayed.
I merged the other thread you created on this configuration since it stems from the same misconfiguration, most likely.
The decision to perform HTTPS Inspection needs to happen before Access Rules or NAT are applied.
Which means your HTTPS Inspection rules should be created accordingly.
I assume based on your configuration that you're trying to forward connections that occur to the firewall's external IP to the host ACFW-CHKP-BWAPP.
The "certificate" column in the rule would be where you'd configure the private key to use when connecting to ACFW-CHKP-BWAPP.
This means your HTTPS Inspection rule should have "any" as the source (not the gateway as shown).
I suspect this will also fix the issue with the NAT rule.
Thank you for the wonderful support, everyone. Now I am successfully able to implement HTTPS inspection on the desired traffic interface, but the traffic is only being inspected and all the normal traffic from that rule is getting blocked after inspection. Is there something else that I have to look into? It's only been a while since I have been using the Check Point firewall, so I am baffled by some features. The requirement was to inspect HTTPS traffic from the performance subnet to the LAN subnet.
I have also included a certificate that is going to be used for the inspection, but while passing traffic through the policy all the traffic is only being inspected and dropped, which can be noticed in the log.
HTTPS Inspection policy only decrypts the appropriate traffic.
You must still have an Access Policy rule that permits the relevant traffic.
What precise rule is being matched per the traffic logs?
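The two points made in this thread (HTTPS Inspection is decided on the original connection before access rules or NAT, and inspection only decrypts while the Access Policy still has to accept the traffic) as a simplified rule-matching model. This is an added example, not Check Point's implementation or any code from the thread; the addresses, certificate name and rule layout are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

ANY = "any"

@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    dport: int
    action: str                  # "inspect"/"bypass" or "accept"/"drop"
    cert: Optional[str] = None   # inbound rule: server cert whose key the gateway holds

def first_match(rules: List[Rule], c: Conn) -> Optional[Rule]:
    # Source and destination match exactly or via "any"; the port must match.
    return next((r for r in rules if r.src in (ANY, c.src)
                 and r.dst in (ANY, c.dst) and r.dport == c.dport), None)

def evaluate(c: Conn, https_rules: List[Rule], access_rules: List[Rule],
             nat_map: Dict[str, str]) -> dict:
    # Step 1: HTTPS Inspection is decided on the original connection, before access rules or NAT.
    insp = first_match(https_rules, c)
    inspected = insp is not None and insp.action == "inspect"
    # Step 2: the Access Policy decides accept/drop; inspection alone allows nothing.
    acc = first_match(access_rules, c)
    action = acc.action if acc else "drop"          # implicit cleanup drop
    # Step 3: destination NAT toward the real server, only for accepted traffic.
    translated_dst = nat_map.get(c.dst, c.dst) if action == "accept" else None
    return {"inspected": inspected, "cert": insp.cert if inspected else None,
            "action": action, "translated_dst": translated_dst}

# Constructed sample addresses: gateway external IP, internal BWAPP host, external client.
GW_EXT, BWAPP, CLIENT = "203.0.113.10", "10.0.0.50", "198.51.100.7"
NAT = {GW_EXT: BWAPP}
CONN = Conn(CLIENT, GW_EXT, 443)

def run_scenarios() -> Dict[str, dict]:
    gw_src = [Rule(GW_EXT, GW_EXT, 443, "inspect", "bwapp-cert")]   # source = gateway (wrong)
    any_src = [Rule(ANY, GW_EXT, 443, "inspect", "bwapp-cert")]     # source = any
    allow = [Rule(ANY, GW_EXT, 443, "accept")]
    return {"gw_as_source": evaluate(CONN, gw_src, allow, NAT),
            "any_source_no_access_rule": evaluate(CONN, any_src, [], NAT),
            "any_source_with_access_rule": evaluate(CONN, any_src, allow, NAT)}
```

The first scenario reproduces the thread's original mistake (the rule never matches because the client, not the gateway, is the source); the second shows inspection happening while the traffic is still dropped by the cleanup rule.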
The Access Policy rule that is being matched with the HTTPS inspection policy is presented below:
and the HTTPS inspection configured for this Access policy is:
Similarly the log generated:
Just to confirm, the source LAN is internal, correct?
I suspect you're going to need a TAC case to get to the bottom of this: https://help.checkpoint.com
Yes, the source is internal but is from different interfaces and subnets.