freshwater84
Explorer

HTTPSi INBOUND with more than one certificate (SG9100, R82 JHFT39)

Dear Community,

We have several HTTPS-443 services running in our datacenter, and we are now starting to protect them with INBOUND HTTPS inspection.
So far everything works like a charm. But we also have one destination which is a reverse proxy and handles different HTTPS services in the backend. Unfortunately, those services' SSL certificates are for different domains.
But I cannot place more than one SSL certificate per INBOUND rule.
Is there a way to make it work, e.g. by just making a second rule with the same destination but a different certificate, even though the rule will be identical except for the presented certificate?
Meaning, is the Check Point able to see from the host the WAN client is calling which rule and certificate it should present?

Thanks in advance

Accepted Solutions
PhoneBoy
Admin

Due to how TLS works, it is not possible to configure multiple certificates in an inbound HTTPS Inspection rule.
However, you can work around this by creating a single certificate with ALL the relevant FQDNs added as SANs.
This is exactly how Google serves many different services from the same IPv4 address, as shown below:

image.png

the_rock
MVP Gold

Sadly, you cannot add more than one certificate per inbound rule; you would have to create multiple rules and use different certificates.

Best,
Andy

4 Replies
SomAustrianCity
Contributor

Hi,

While it is true that you can only have one certificate per rule, it is still possible to use multiple certificates.

The trick is to set an "Application/Site" object in the "Category/Custom Application" column. Now you can specify when a connection will match a rule, as the firewall will check the SNI header.

Just be aware that these objects are made from a proxy perspective, not a reverse-proxy one. Meaning, if you simply enter test.mydomain.com, it will also match newversion.test.mydomain.com. In case of a more complex setup, you may have to work with regexes, like
for an exact hostname: "^test\.mydomain\.com$"
or for a wildcard cert: "^[^\.]+\.mydomain\.com$"

Tested on R81.20 Mgmt+GW, and on R82 Mgmt + R81.20 GW. (Not yet used on an R82 GW, but I don't see why it shouldn't work there.)

I would wish for Check Point to implement an automatic solution for inbound inspection, but, alas, for now you have to do it manually.
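Both workarounds in this thread, PhoneBoy's single certificate carrying every FQDN as a SAN and SomAustrianCity's per-rule SNI matching via Application/Site objects, can be reasoned about offline with a small model. The Python below is an added example and is not code from the thread or from Check Point: the certificate SAN list, the rule table, the hostnames and the "a plain name matches any SNI that contains it" behaviour are constructed to mirror what the post describes, not Check Point's actual matching engine.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: the SAN list of one "umbrella" certificate that covers
# every backend FQDN behind the reverse proxy (PhoneBoy's workaround).
UMBRELLA_CERT_SANS = ["test.mydomain.com", "shop.mydomain.com", "api.other.tld"]


def san_covers(san_names: List[str], sni_host: str) -> bool:
    """True if one SAN entry covers the requested SNI hostname.

    A wildcard is honoured only in the leftmost label, the way TLS clients
    validate it: '*.mydomain.com' covers 'shop.mydomain.com' but neither
    'a.b.mydomain.com' nor the bare 'mydomain.com'.
    """
    host = sni_host.lower().rstrip(".")
    for name in san_names:
        name = name.lower()
        if name.startswith("*."):
            suffix = name[1:]                      # ".mydomain.com"
            leading = host[: -len(suffix)] if host.endswith(suffix) else None
            if leading and "." not in leading:
                return True
        elif name == host:
            return True
    return False


# Constructed rule table for SomAustrianCity's approach: one inbound rule per
# certificate, each matched on the SNI by an Application/Site pattern.
# Assumption for this model: a plain (non-regex) entry matches any SNI that
# contains it, which is the over-matching the post warns about; a regex entry
# matches only where its anchors allow. Evaluated top-down, first match wins.
Rule = Tuple[str, str, bool, str]   # (rule name, pattern, is_regex, certificate)

INBOUND_RULES: List[Rule] = [
    ("exact-test",        r"^test\.mydomain\.com$",    True,  "cert-test"),
    ("wildcard-mydomain", r"^[^\.]+\.mydomain\.com$",  True,  "cert-wildcard-mydomain"),
    ("plain-other",       "other.tld",                 False, "cert-other"),
]


def select_certificate(rules: List[Rule], sni_host: str) -> Optional[Tuple[str, str]]:
    """Return (rule name, certificate) of the first rule whose pattern matches
    the SNI, or None when no inbound rule matches and the connection would
    not be inspected under this rule base."""
    host = sni_host.lower().rstrip(".")
    for name, pattern, is_regex, cert in rules:
        if is_regex:
            if re.search(pattern, host):
                return name, cert
        elif pattern.lower() in host:
            return name, cert
    return None


if __name__ == "__main__":
    for sni in ["test.mydomain.com", "newversion.test.mydomain.com",
                "shop.mydomain.com", "api.other.tld", "notother.tld"]:
        print(f"{sni:30} umbrella SAN covers: {san_covers(UMBRELLA_CERT_SANS, sni)!s:5} "
              f"rule/cert: {select_certificate(INBOUND_RULES, sni)}")
```

Walking the sample SNIs shows the two caveats from the thread: the umbrella certificate only covers names that are literally in its SAN list (or match a leftmost-label wildcard), and the plain `other.tld` entry also catches `notother.tld`, whereas the two anchored regexes from the post match exactly one label and exactly one host respectively, so `newversion.test.mydomain.com` hits neither.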

freshwater84
Explorer

Hi SomAustrianCity,

Thank you, it works like a charm on R82. In our case subdomains are fine, so without a regex it works with *.domain.tld. It should be worth making an SK about it...
