- CheckMates
- :
- Products
- :
- Quantum
- :
- SMB Gateways (Spark)
- :
- Re: Inbound HTTPS Inpsection
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Are you a member of CheckMates?
×- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Inbound HTTPS Inpsection
Any of you guys managed to configure inbound HTTPS Inspection on R77.20?
I want to do it between two internal hosts and I seem to miserably fail to achieve it 😁
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi,
I am guessing, that you are asking for SMB appliances.
If the device is localy managed, than it is not supported. If it is centraly managed, than it is suppored.
More details you can find on bellow link.
Regards,
Mario
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Update to R80.30!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
These cannot be upgraded to R80.30.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanx for your comments guys. I forgot to mention I am asking about centrally managed 1470 appliance. I know it is supported, I just want someone that actually did it and can confirm it works.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
It works fine from external hosts to internal.
I had many issues with internal to internal inspection. It seems besides presenting the server certificate the gateway also tried to generated an outbound certificate, doing a double inspection or something like this.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thanx Pedro, that confirms my observations. Unfortunately I have Nginx that serves few internal host so inspection before it is not possible.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
For that to work, I think the interface that connects to the NGINX would have to be configured as external.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
INTERNET --> CPFW --> NGINX --> WEB 1 .. N
Each WEB server has its own certificate.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
What about using wildcard certificates or multiple alternate names?
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Not an option unfortunately. And I am not sure it is supported on SMB.
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Then I guess you'll need to have NGINX in a separate network defined as EXTERNAL and do this:
INTERNET --> CPFW --> NGINX --> CPFW (SSL inspection) --> WEB 1 .. N
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yeah, that seems to be the only option for the time being. Thanx for giving that idea.