Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Moudar
Advisor

HTTPS inspection TLS warning

Hi

I have enabled HTTPS and exported the certificate to a test machine. When visiting various websites it works as expected.

But a websites like checkpoint.com or cisco.com would show a warning

 

tls-warning-checkpoint.JPG

it works fine with google for example!

so I wonder why will some work and some not?

the log looks like this:

tls-warning-checkpoint1.JPG

I suspect that we need to buy a well trusted certificate to make that work?!

 

0 Kudos
25 Replies
Timothy_Hall
Legend Legend
Legend

Code level?

Make sure your list of trusted CAs for HTTPS Inspection is up to date, the ability to update these is still located in the SmartDashboard accessible from Manage & Settings...Blades...HTTPS Inspection...Configure in SmartDashboard...HTTPS Inspection...Trusted CAs.  Later code levels keep this CA list up to date automatically.

Could also be this: https://en.wikipedia.org/wiki/HTTP_Public_Key_Pinning

 

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Moudar
Advisor

version 81.20

Now I have installed the latest updates and done this:

enable-automatic-ca-updates.JPG

but still getting the same tls warning!

tls-logs.JPG

0 Kudos
the_rock
Legend
Legend

You see this on EVERY site or just some?

Andy

0 Kudos
the_rock
Legend
Legend

No, you dont need to buy trusted CA for this to work, I have https inspectin lab and I use one generated from the mgmt server and works fine. Is it just one website or multiple? Make sure below is checked in legacy smart console.

Andy

 

Screenshot_1.png

0 Kudos
Moudar
Advisor

ca-download.JPG

it is not working for example:

microsoft.com

cisco.com

as what i could notice!

I am getting this error:

NET::ERR_CERT_AUTHORITY_INVALID

 

0 Kudos
the_rock
Legend
Legend

You see that on every browser?

0 Kudos
Moudar
Advisor

Google chrome and Edge

0 Kudos
the_rock
Legend
Legend

Can you send screenshot of https inspection policy?

Andy

0 Kudos
Moudar
Advisor

https-policy.JPG

0 Kudos
the_rock
Legend
Legend

Did it ever work or its brand new issue?

Andy

0 Kudos
Moudar
Advisor

this is the first time I am testing HTTPS inspection, maybe I need to add some certificate under Trusted CAs, but which one, I have tested many but stil have same problem

0 Kudos
the_rock
Legend
Legend

You dont, they are all auto updated. I attached doc with how I have it configured, so maybe you can see if something is "missing". I will also make separate post about it.

Andy

 

 

0 Kudos
CaseyB
Advisor

If your setup is bugged like mine (R81.10 JHF 141), the automatic install does not work, and you have to manually add the certificates from the list. Just click on all of them or the ones you need, then publish install.

2024-05-15 15_54_50-Window.png

 

 

 

0 Kudos
Moudar
Advisor

I am running this version:

Product version Check Point Gaia R81.20
OS build 631

So I don't know if it is bugged or not!

Did you have a similar problem where many websites work but some don't?

Which certificates did you add?'

 

0 Kudos
the_rock
Legend
Legend

I have R81.20 jumbo 54 in the lab, all works well. Did you check file I uploaded?

Andy

0 Kudos
CaseyB
Advisor

If you click the "add" button and stuff is in the list, it is bugged, as the list should be empty. Yes, I was having the same exact issue you were having. I also noticed it because of Check Point and Cisco websites. Honestly, you should add all of them in the list, but if you only want to add a few I had to do the following: go to the website on a computer not being HTTPS inspected, view the certificate, that will supply you with who the Root CA is for the site, and then add that.

If you open a TAC case, they can supply you with a script that will add all of them in the list if you don't want to manually do it.

the_rock
Legend
Legend

I think they all get updated automatically, specially in R81.20

0 Kudos
Moudar
Advisor

Y

You're correct @CaseyB . The list on my production firewall is full, whereas the list on my lab firewall is empty.

I suspect the issue stems from the fact that my production firewall was upgraded from older versions, while my lab firewall is a new 81.20 machine!

 

What do you think @the_rock !

0 Kudos
the_rock
Legend
Legend

Let me check it in my lab shortly and will update.

Andy

0 Kudos
the_rock
Legend
Legend

Bro, message me tomorrow, you got my gmail, lets do remote. IM available any time up until 4 pm GMT or between 5-8 GMT. Im in EST, which is GMT-4

Best,

Andy

0 Kudos
Moudar
Advisor

I am not allowed to do remote because this the production environment.

But now I have succeeded adding "Digicert Global Root G2" manually which resulted to connect correctly to microsoft.com

I have used the way @CaseyB decribed above!

0 Kudos
the_rock
Legend
Legend

Can you confirm this is what you are referring to?

Andy

 

Screenshot_1.png

 

Alsdo, can you check below?

 

Screenshot_2.png

 

I also attached  updated zip file for certificates list update if you wish to try it, but just a small disclaimer, it is from my lab, though fully working https inspection one.

[Expert@CP-management:0]# pwd
/opt/CPshrd-R81.20/database/downloads/TRUSTED_CA/2.0/3.4
[Expert@CP-management:0]# ls
last_revision_DC.xml updateFile.zip
[Expert@CP-management:0]#

Date shows November 30th, 2023, 1.30 pm EST

0 Kudos
Moudar
Advisor

so, this is the production environment:

ca-list-full.JPG

As you can see when I click "Add" you see the list is full with trusted certificates that you need to add to get a functionality.

but here in a lab environment:

ca-list-empty.JPG

the "Add" list is empty which means that all certificates are already taken!

0 Kudos
the_rock
Legend
Legend

If you can update in the production, I would. I gave that file to lots of people before, never an issue.

Andy

0 Kudos
the_rock
Legend
Legend

Btw, for what this info is worth, I kept upgrading my lab ever since R80.20 to R81.20, and even though ssl inspection was enabled since the beginning, I NEVER had this issue with the certs

I did, mind you, always keep up with latest jumbo hotfixes.

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events