the_rock
Legend

HTTPS inspection certificate question

Hey guys,

I'm wondering if someone can confirm if this indeed is expected CP behavior when HTTPS inspection is on. So, customer and I turned blade on, we created custom cert on HTTPS insp. tab and gave it 10 year validity, exported, tested and block page comes up fine...

BUT...here is what I'm wondering. I set up HTTPS inspection a few times and quite honestly, never paid attention to this part, but client is wondering, when page is blocked, when you click little sign to see the cert presented, we see cluster VPN certificate showing and obviously says issued by mgmt server, which makes sense, since that's internal CA. Is that expected?

I ask, because, when customer asked me about it, I figured it was indeed expected, but then the more I thought about it, the more I'm wondering if that's the case. Isn't actual cert created from HTTPS inspection tab valid for 10 years assigned, supposed to show, instead of cluster VPN cert? By the way, I checked this on another environment where inspection is on and behavior is the same, block page shows actual fw VPN cert.

I know for a fact if you do this on Fortinet or Cisco (I'm sure PAN is the same), users would see actual cert created, not anything else, so I have a gut feeling on CP it might be different, as it's signed by mgmt (being ICA), but confusing part is why the actual fw VPN cert shows up?

We have TAC case about it, but had not gotten useful response yet. If anyone could clarify, would be awesome. I could not really find any sort of documentation stating whether this is expected or not.

Tx as always!!

0 Kudos
23 Replies