AnsweredAssumed Answered

HTTPS Inspection from the Inernet

Question asked by Martin Sykora on Nov 22, 2018
Latest reply on Nov 22, 2018 by Vladimir Yakovlev


Our customer wants to do some URL filtering for incoming HTTP(S) requests from the Internet. Since HTTPS is involved and the gateway does not see into the web traffic, all URL filtering rules for this case are useless until I turn on HTTPS inspection.
If I understand  Checkpoints HTTPS inspection implementation correctly, the certificate that is used by the gateway that is doing the inspection will show up on the client side as the CA of the fake certificates that the gateway will generate in order do the man in the middle action. If I am doing this for traffic from inside of my company, because I can "teach" my machines to trust my gateway as a CA.
I am expecting that clients from the Internet will always show an certificate error each time the HTTPS traffic will go through the inspecting gateway because the my gateway's certificate is not on the list of globally trusted CAs, which makes this a pretty unelegant solution.


Can you please confirm my understanding of this scenario and if the behavior will be really as I have described it?