Yevgeniy_Yeryom
Contributor

HTTPS incoming inspection with static NAT

Hello experts, 

Do you know if there are any limitations in terms of using HTTPS incoming inspection with static NAT?

Is some special configuration required when configuring HTTPS incoming inspection with static NAT?

In my LAB as you can see in the logs below:

- incoming inspection without NAT to 10.1.11.3 is inspected,

- incoming inspection with NAT to 10.1.2.10 is NOT inspected.

 

I tried it with static and automatic NAT and got the same result.

By the way:

There is an SK about the automatic NAT problem stating that a HF might be required.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Is a hot fix required?

0 Kudos
4 Replies
PhoneBoy
Admin

Did you make the policy changes mentioned in the SK?

If you do that, the hotfix should not be required.

0 Kudos
Yevgeniy_Yeryom
Contributor

Hi,

Yes, I did.
As shown in the screenshot, the source IP and destination IP (NAT IP representing the server) are in the same subnet. 

I changed the destination IP to an IP from a different subnet and the HTTPS inspection started to work.

To put it together, the incoming HTTPS inspection seems NOT to work when the source and destination are in the same subnet. I think this is fine for usual use cases.

0 Kudos
PhoneBoy
Admin

I'm not familiar with a limitation relating to HTTPS Inspection not being possible in the same subnet.

Clearly, it's possible.

It may be worth a TAC case, particularly if it's a customer situation.

0 Kudos
Yevgeniy_Yeryom
Contributor

Actually, it was a test for a customer, but the customer will NOT have the clients and firewall in the same subnet.

So, this behavior is ok for the project. 

0 Kudos
