This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
goh_wei_ming
Explorer
‎2019-03-18 09:59 PM

Https inspection for ips incoming traffic with thrid party CA

Hi All

 

I have a deployment of cloudguard on aws and the requirement is to perform HTTPs inspection on incoming IPS traffic.

There is a web server behind the cloudguard and using third party sign cert.

 

Here comes my question, in order to enable https inspection, we need to create/import an outbound cert. Should I just create an outbound cert and then import the third party ca for inbound traffic?

As the outbound cert we created will not be installed on the web server, will it be causing SSL error?

Or I can just import the third-party CA as outbound and inbound cert.

 

I remember I saw a sk regarding inbound https inspection, it mentions just create an outbound cert and then configures the policy in https inspection tab to any. Does it applied to my scenario as my deployment using third party cert.

 

Beside of that, how can we verify the https traffic being inspected and the IPS worked for the incoming traffic, as normally we have a aws waf to protect the perimeter.

 

 

 

 

 

0 Kudos
4 Replies
Wolfgang
Authority
Authority
‎2019-03-19 12:03 AM

You have to import your webserver certificate in the "server certificates" of https inspection pane in SmartDashboard.

Have a look at

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

and in the documentation

http://dl3.checkpoint.com/paid/74/744abff1d8aebf926a15824e26a6fd7b/CP_R80.20_GA_ThreatPrevention_Adm...

In part "Using Threat Prevention with HTTPS Traffic" you'll find a very good explanation how to configure for inbound HTTPS inspection.

 

goh_wei_ming
Explorer
‎2019-03-19 12:07 AM
In response to Wolfgang

Hi Wolfgang

 

Yea thanks for the guide, but how about the outbound? We can still import the same cert or just create a dummy cert since we are not using it? If we create a dummy cert but not installed on web server, will it encounter ssl error?

 

Beside of that, how can we verify it had been inspected by https inspection, we knew it will be inspected but customer request us to show them in logs.

0 Kudos
PhoneBoy
Admin
Admin
‎2019-03-19 09:15 PM
In response to goh_wei_ming

For outbound traffic, you need a Certificate Authority key capable of generating certificates on the fly. We generate one for you if you don’t provide one, which should be safe in this case.
0 Kudos
Wolfgang
Authority
Authority
‎2019-03-19 11:46 PM
In response to goh_wei_ming

As Dameon mentioned, you have to install an Sub-CA for generating new certificates for outbound HTTPS-connections.

Your clients have to trust these Sub-CA to avoid browser warnings. But you don't need this if you only want todo the HTTPS-inspection for incoming to your webserver.

If you define a filter like " blade:"HTTPS Inspection" " you get the logs:

https-inspection.PNG

https-inspection.PNG
Preview file
98 KB

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top