Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Herman
Participant

Not substituted certificate in browser Https Inspection

Hello everyone!

I have Gaia R80.40 distributed deployment (management + clusterXL). I trying enable Https inspection the other day, created self-signed certificate, install this in "trusted root authorities" in Windows machine, but when i open any https site, certificate not substituted in browser.

https insp enable.jpg

cert.jpg

 

Please tell me why this can happen?

With Regards, Herman

0 Kudos
15 Replies
Wolfgang
Leader
Leader

@Herman 

have you defined some HTTPS inspection rules ?

Bild 24.06.21 um 14.00.jpg

0 Kudos
Herman
Participant

@Wolfgang  
only default predefined rule

httpsrule.jpg

0 Kudos
_Alex_
Advisor

Did you install the policy after enabling HTTPS Inspection in the FW object? 🙂

0 Kudos
Herman
Participant

I'm new in checkpoint environment 😁, but if you mean it (see screenshot) then yes

2323.jpg

0 Kudos
Benedikt_Weissl
Advisor

Do you use the gateway as a proxy or transparent proxy? Is the gateway inline en route to the internet? I think the object "Internet" is based on the topology, is your topology correct (edit cluster -> network management -> the interface leading to the WAN should be marked as external) ?

You can set your ssl inspect rule to "log" and create another rule like this below it "Source: any Destination:any Service:any Action:bypass Track:log".

0 Kudos
Herman
Participant

No proxy not used, if i right you understand
proxy.jpg
Yes, gateway inline en route to the internet. Checked Network topology, and External interface set as External zone (it's has not been mark as External zone), install policy, but it's did not affect
external.jpg
Not sure that right understand, but create bypass "test rule" and enable log tracking:
bypassrule.jpg
And now in logs & monitor tab if set filter as HTTPS Inspection may be view this:

https lpgs.jpg
But unfortunately certificate not substituted after that
--------
PS English is not my native language, so please be kind to my mistakes )))

0 Kudos
Benedikt_Weissl
Advisor

You might wanna redact the public IPs next time and don't worry about your english 🙂 Your Interface names look strange to me, do they match the names as configured on the gateway OS?  Can you switch the HTTPS Inspection rules around?

Herman
Participant

In gateway OS interface have this names, they don't match with names in SmartConsole:
interf names in os.jpg

With inspections rules, i try some experiments

0 Kudos
Wolfgang
Leader
Leader

This looks good. HTTPS inspection catches the traffic, but it‘s bypassed regarding your rule. Something with defining the „internet“ as destination in your second rule does work like you want. Have a look at @Danny great post  Properly defining the Internet within a security policy 

You can try to define another rule first with your client as source and destination any with action „inspect“ to see if this connection will be intercepted.

Herman
Participant

I'm try to define first rule with destination any instead "Internet" for my client machine, but in logs not showing record with "inspect" action for Https inspection. Of course 😀 after create rule and install policy, tried to open some https sites in Chrome
test rule https 2.jpg

0 Kudos
PhoneBoy
Admin
Admin

By the way, your last rule in the HTTPS Inspection policy should be any any bypass.
Without that, you very likely will have performance issues 

0 Kudos
_Alex_
Advisor

It's another topic but to me in newer versions of the Smart Console it should be the default behaviour with a warning message if it doesn't exist, similar to the message if an inline layer is missing a cleanup rule. It doesn't make sense to have Tech Talks explaining that it's best practices to have any/any/bypass to prevent performance issues due to undefined sessions and have the system out of the box doing the exact opposite, causing issues to unsuspecting customers.

the_rock
Authority
Authority

Agree cold heartedly.

0 Kudos
the_rock
Authority
Authority

I know this may sound like a silly question, but did you make sure that windows machine is actually going through CP firewall? If you do tcpdump -nni host x.x.x.x (with x.x.x.x as windows machine IP address), what do you see? Have you tried another machine or just one? From screenshots you pasted, config looks okay to me.

0 Kudos
Herman
Participant

Hello everyone!
I fixed this, just add new layer with Application & URL filtering blade in Access Control Policy. Than added three rules and it's work fine
right cert.jpgapp layer.jpg

0 Kudos