HristoGrigorov

Inbound HTTPS Inspection

Any of you guys managed to configure inbound HTTPS Inspection on R77.20?

I want to do it between two internal hosts and I seem to miserably fail to achieve it 😁

12 Replies
MarioB_1
Participant

Hi,

I am guessing that you are asking about SMB appliances.

If the device is locally managed, then it is not supported. If it is centrally managed, then it is supported.

More details can be found at the link below.

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

Regards,

Mario

TomTom
Participant

Update to R80.30!

PhoneBoy
Admin

The SMB appliances have a slightly different code base.
These cannot be upgraded to R80.30.
HristoGrigorov

Thanx for your comments, guys. I forgot to mention I am asking about a centrally managed 1470 appliance. I know it is supported, I just want someone that actually did it and can confirm it works.

Pedro_Espindola
Advisor

It works fine from external hosts to internal.

I had many issues with internal-to-internal inspection. It seems that besides presenting the server certificate, the gateway also tried to generate an outbound certificate, doing a double inspection or something like this.

HristoGrigorov

Thanx Pedro, that confirms my observations. Unfortunately I have Nginx that serves a few internal hosts, so inspection before it is not possible.

Pedro_Espindola
Advisor

So traffic hits the NGINX server before going to the gateway for SSL inspection?
For that to work, I think the interface that connects to the NGINX would have to be configured as external.
HristoGrigorov

INTERNET --> CPFW --> NGINX --> WEB 1 .. N

Each WEB server has its own certificate.

Pedro_Espindola
Advisor

What about using wildcard certificates or multiple alternate names?

HristoGrigorov

Not an option unfortunately. And I am not sure it is supported on SMB.

Pedro_Espindola
Advisor

Then I guess you'll need to have NGINX in a separate network defined as EXTERNAL and do this:

INTERNET --> CPFW --> NGINX --> CPFW (SSL inspection) --> WEB 1 .. N
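The constraint behind this topology is that each WEB server presents its own certificate, so an inbound inspection policy in front of NGINX would need every server's certificate and key, while inspection placed between NGINX and the WEB servers sees one server certificate per connection. The following NGINX configuration is an added illustration, not part of the thread and not Hristo's actual configuration: it assumes NGINX is operated as an SNI-based TLS pass-through (routing on the client's TLS `server_name` without terminating the session), so the client, the proxy hop and the gateway on the inside all see the original WEB server certificate. Hostnames and addresses are placeholders.

```nginx
# Added example, not the thread author's configuration.
# NGINX as an SNI pass-through in front of WEB 1 .. N: TLS is not terminated
# here, so each backend keeps presenting its own certificate to the gateway
# (and inspection policy) that sits between NGINX and the WEB servers.
# Requires the ngx_stream_ssl_preread_module (NGINX 1.11.5 or later).

events {}

stream {
    # Route on the SNI name read from the ClientHello (placeholder names/IPs).
    map $ssl_preread_server_name $backend {
        web1.example.internal   10.0.1.11:443;
        web2.example.internal   10.0.1.12:443;
        # Unknown or absent SNI: send to a backend that will reject it cleanly
        # rather than silently serving the wrong site.
        default                 10.0.1.11:443;
    }

    server {
        listen 443;
        ssl_preread on;          # peek at SNI without decrypting
        proxy_pass $backend;     # forward the still-encrypted TLS stream
    }
}
```

Because NGINX does not hold any private key in this mode, the `ssl_preread` hop has nothing to inspect; the only place a certificate-per-server inbound inspection can be configured is on the gateway interface facing the WEB servers, which is why that NGINX leg has to be defined as EXTERNAL for the gateway to treat the second pass as inbound.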

HristoGrigorov

Yeah, that seems to be the only option for the time being. Thanx for giving that idea.
