For us it's only a PoC so no one is really affected. We're evaluating if CP HTTPS Lite can replace our proxy.

My thought is Chrome doesn't trust the cert provided by events.data.microsoft.com because it's valid for more then 398 days  (link)

Not Before: 10/9/2020, 21:03:31
Not After: 10/12/2021, 20:03:31
Total: 455

Instead, the cert for teams.events.data.microsoft.com (which is different one) is trusted

Not Before: 14/9/2020, 21:51:29 
Not After: 9/9/2021, 21:51:29
Total 360

Server side misconfiguration

Thanks, I still want this cert to be trusted in Checkpoint solution. I'm not too worried about Chrome

Here's what I've seen today. The pilot system is an unattended Windows VM which is the only activated source in the HTTPS Inspection policy so there's no company-wide impact.

Categorize HTTPS websites has been running for long along with URLF blades and they work without issues.

The pilot was working until today with HTTPS inspection, the MITM certificate was seen in the browser and HTTPS Inspection logs would show up and everything was working fine.

When I checked again this evening (I didn't during the day), I saw that I couldn't browse anywhere anymore, I either had certificate validation errors from all browsers as the certificate was signed by "Untrusted" instead of the MITM or errors about certificates with similar serials being reused. Also, all logs in HTTPS Inspection would show the validation error of the URL trying to be reached.

If I disable HTTPS Inspection in the gateway properties, browsing works again but the strange thing is that I keep seeing the MITM certificate signing the site, even for sites open in private mode which were never accessed on the pilot machine. No more HTTPS Inspection logs though. I went further by disabling the inspection rule on top of disabling the HTTPS inspection but same behaviour. Maybe I should have first disabled the inspection rule, then disabled HTTPS Inspection on the gateway. I will check further tomorrow.

Actually I was trying to stay away from HTTPS interception purposely in this thread 🙂 hence the note about HTTPS Lite at the beginning. 

I think I found my problem thanks to this article https://www.networkoc.net/windows-update-fails-when-check-point-https-inspection-is-enabled/ 

I did import only root CA but not intermediate CA! I have added it now and will report tomorrow. 

We're really interested in "unbroken" HTTPS categorization and filtering for various reasons.

I do not understand, which certificate you installed? and where your downloaded it?

@the_rock actually there is a lot to inspect even with "unbroken" HTTPS 🙂 You need to start thinking about the future when you won't be able to break TLS at all, or think of pinned certs already.

There has been multiple sessions even here on Checkmates regarding it i.e HTTPS-Inspection-Best-Practices 

In nutshell you would inspect TSL handshake:

And results are surprisingly good:

No, I agree...not saying it wont work, but I know block page will never show without https inspection. Maybe this is way more advanced in R80, but in the old days, it was very basic.