Re: Untrusted certificate, HTTPS inspection bypass

DmitriyDubovik · ‎2023-06-30

Good evening.

At the moment, we need to provide a bypass to the resource https://website.com/ which, when connected to it, accesses the resource https://add.website.com/.

The https://add.websitedmz.com/ resource has a self-signed certificate.

Nevertheless, despite the bypass rules, this https://add.websitedmz.com/ resource is still detect, which interferes with the work of the entire https://websitedmz.com/ resource.

self-signed cert add.websitedmz.com was added to trusted ca but still detectable.

Please suggest how to bypass this resource.

the_rock · ‎2023-06-30

Can you show bypass rule for it? Please blur out any sensitive info.

Andy

DmitriyDubovik · ‎2023-07-03

good morning

This is from test open server, on the production CP we hame the same issue, difference between them only in number of applications

PhoneBoy · ‎2023-06-30

As part of HTTPS Inspection, we also validate the certificate of the site you are accessing.
Have you added the self-signed certificate to the trusted CA list in SmartDashboard?

DmitriyDubovik · ‎2023-07-03

good morning

Have you added the self-signed certificate to the trusted CA list in SmartDashboard?

Yes, i did.

PhoneBoy · ‎2023-07-03

I'm referring to the certificate for add.websitedmz.com itself.

DmitriyDubovik · ‎2023-07-04

added with all CA, still don t work

Same Untrusted Ceertificate Issue:

Certificate DN: "O=websitedmz.com", Requested Server Name: add.websitedmz.com See sk159872

_Val_ · ‎2023-07-04

Please look into this thread: https://community.checkpoint.com/t5/Security-Gateways/HTTPS-Certificate-validation-SK159872/td-p/131...

_Val_ · ‎2023-07-04

No, this is not CA cert, this is the web server certificate. It clearly shows "Issued by Untrusted". You need the root cert, which is probably not applicable to self-signed. I suggest you add any third party certificate to that server, preferably issued by your own corporate CA or AD, and then add that signing CA as trusted root.

DmitriyDubovik · ‎2023-07-04

Thanks. Can I still make checkpoint ignore an issued by untrusted certificate and bypass it, beside making third party certificate? I m affraid it is not first case...

_Val_ · ‎2023-07-04

The log says "Detect", which means traffic is not affected. Why would you need an exception? To avoid logging?

DmitriyDubovik · ‎2023-07-04

I can t access the second domain level site https://websitedmz.com/. because some issues with https inspection on third domain level site https://add.websitedmz.com/. When i turn off the Https inspection, it works fine. Can t say why.

@_Val_ wrote:
The log says "Detect", which means traffic is not affected.

Next step is Inspect.

_Val_ · ‎2023-07-04

Add a bypass for that level too. Also, in HTTPS Inspection / Server Validation , make sure you did not check box to drop traffic from with untrusted certs.

Screenshot 2023-07-04 at 12.28.41.png

DmitriyDubovik · ‎2023-07-04

It is turned off.

ww1m6 · ‎2024-05-30

Hello, I am unable to find this section, can you tell me how to get to it?

the_rock · ‎2024-05-30

Its in legacy dashboard.

ww1m6 · ‎2024-05-30

Hello, I can't find this settings section, can you tell me how to get to it?

PhoneBoy · ‎2024-05-30

You have to get to the legacy SmartDashboard, which you do by going here:

Screenshot 2024-05-30 at 5.06.24 PM.png

From there, click on HTTPS Validation

the_rock · ‎2023-07-04

I would definitely double check option @_Val_ mentioned for untrusted cert (its in legacy https inspection dashboard settings)

Andy

DmitriyDubovik · ‎2023-07-06

i bet this is some sort of bug, because dashboard settings is off

Are you a member of CheckMates?

Untrusted certificate, HTTPS inspection bypass