Shay_Levin
Admin

How to Enable (Inbound/Outbound) HTTPS inspection on AWS Auto Scaling / Azure VMSS / GCP MIG

If you want to enable SSL inspection on an existing scale set or on a new scale set, you might need to perform an additional configuration step.

Shay_Levin_0-1657713575633.png

Once you enable HTTPS inspection on the CME template, you will get a message that HTTPS needs to be configured in SmartConsole.

This is only true if you want to inspect outgoing traffic and you have not created an outbound certificate on the management before.

The reason is that you must first create an outgoing certificate on the Check Point management in order to inspect outgoing traffic.

So if you have already created an outbound certificate on one of the managed gateways on a management that is going to manage the Scale Set, you won't need to do anything; SSL inspection will work on the Scale Set as well.

It does not matter on which managed gateway you created the certificate in the past, nor whether that gateway still exists on the management. As long as you did it once in the past, your Scale Set will use the same certificate that exists on the management.

So, in the example above I have set HTTPS on the CME template for a new Scale Set deployment, and the Check Point management is completely new.

If you check the HTTPS configuration on one of the Scale Set gateways, you will notice that HTTPS is enabled.

Shay_Levin_1-1657713575639.png

For inbound SSL inspection this is good enough, but for outbound inspection you will need to create the outbound certificate.

Once you have created the outbound certificate,

Shay_Levin_2-1657713575642.png

all the existing Scale Set gateways and any new Scale Set gateways will use the same outbound certificate.

Just remember that you need to do this procedure only one time and you are set.

You will of course need to make the additional configuration described below, but it is not unique to Scale Sets; these are general HTTPS inspection configuration steps.

For outbound inspection, you will also need to deploy the outbound certificate to the instances that are going to be inspected and set the SSL inspection policy.

For inbound inspection, you will need to import the private key of the site you want to protect to the Check Point management and create an SSL inspection policy.

For more information about HTTPS Inspection, read sk108202 - Best Practices - HTTPS Inspection.
