Hi
We have created Logical Server objects to load balance to our back-end web servers. Everything works fine; however, it is easy to manipulate with the local hosts file if you know the internal web server's DNS name.
The Logical Server is set up with a public IP and DNS name and does NAT to the internal back-end web servers. However, if you know the DNS name of an internal web server and manipulate the local hosts file, putting in the public IP with the name of the internal web server, you will be routed through the Logical Server; there will be a CA error, but it works.
Here is the guide we followed: https://sc1.checkpoint.com/documents/R80.30/WebAdminGuides/EN/CP_R80.30_NextGenSecurityGateway_Guide...
We have tried to block this using HTTPS Inspection for incoming traffic, but this tool is useless, and we also expected that R80.40 had a higher TLS value (TLS 1.0 as min.??) and stronger ciphers, since HTTPS Inspection takes over as the front-end web server for security.
The HTTPS Inspection rule should have blocked incoming traffic if the web browser presented the wrong SNI.
Applications & URL Filtering does not work either together with Logical Server objects; we receive some layer error.
Please advise.
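An added example, not from the poster or from Check Point, for checking the behaviour the post asks for: `sni_allowed()` is the allow-list decision a front end is expected to make (only the published name(s) of the Logical Server are accepted), and `probe()` performs a plain TLS handshake against your own gateway with a chosen SNI and classifies whether the gateway served it, served it with a certificate that does not verify (the "CA error but it works" symptom), or refused it. The public IP `203.0.113.10`, the published name `www.example.com` and the internal name `web01.corp.internal` are constructed placeholders.

```python
import socket
import ssl


def _label_match(pattern: str, name: str) -> bool:
    """Match one DNS name against an allowed pattern. A '*' may stand in only
    for the whole left-most label (RFC 6125 style): '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == name
    parts = name.split(".", 1)  # ['www', 'example.com']
    return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]


def sni_allowed(sni: str, allowed: list) -> bool:
    """The decision an SNI allow-list on the front end should make: accept only
    the names the Logical Server is published under; refuse an internal
    back-end name, a name with extra labels, or an empty SNI."""
    return bool(sni) and any(_label_match(p, sni) for p in allowed)


def probe(public_ip: str, sni: str, port: int = 443, timeout: float = 5.0) -> str:
    """Handshake with the public address presenting `sni` and classify:
      'served'         handshake completed, certificate valid for `sni`
      'served-badcert' gateway accepted the SNI, but the certificate does not
                       verify for it (the symptom described in the post)
      'rejected'       gateway refused the handshake (TLS alert, reset, timeout)
      'unreachable'    TCP connection could not be established at all
    """
    ctx = ssl.create_default_context()  # check_hostname=True, CERT_REQUIRED
    try:
        raw = socket.create_connection((public_ip, port), timeout=timeout)
    except OSError:
        return "unreachable"
    try:
        with raw, ctx.wrap_socket(raw, server_hostname=sni):
            return "served"
    except ssl.SSLCertVerificationError:  # subclass of SSLError: test first
        return "served-badcert"
    except OSError:  # SSLError (alert), ConnectionResetError, timeout
        return "rejected"


if __name__ == "__main__":
    allowed = ["www.example.com"]  # constructed: the name the server is published under
    for name in ("www.example.com", "web01.corp.internal"):  # constructed names
        policy = "allow" if sni_allowed(name, allowed) else "deny"
        print(f"{name}: policy={policy} gateway={probe('203.0.113.10', name)}")
```

A correctly enforced front end should report `rejected` (not `served-badcert`) for every name that `sni_allowed()` denies.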