RoD
Contributor

HTTPS Inspection and P-521 certificate

Hi,

I have a question about site-to-site VPN with P-521 ECC encryption and HTTPS Inspection.

Is it possible to have two certificates for HTTPS Inspection:

one RSA 2048 certificate for websites and a second P-521 ECC certificate for site-to-site VPN?

Thanks

0 Kudos
7 Replies
Wolfgang
Leader

For HTTPS inspection you need a SUB-CA installed on your gateway, not only a certificate.

This SUB-CA and the certificate for Site2Site VPN are configured and stored in different places. Following this, you don't need to have one for both features.

Certificate for VPN:

VPN_cert.png

SUB-CA for HTTPS-inspection:

HTTPS_inspection.png

Wolfgang

0 Kudos
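The distinction Wolfgang draws, shown with the openssl CLI as an added example that is not part of the original thread or of any Check Point tooling: an RSA-2048 endpoint certificate (what a VPN gateway presents) and a P-521 CA certificate (what HTTPS inspection needs in order to sign per-site certificates) are generated from constructed demo data with hypothetical names, and a small check reports each one's key type and whether it may act as a CA.

```shell
#!/bin/sh
# Added example, not from the thread or from Check Point: uses the openssl CLI
# to build the two kinds of object the replies distinguish and to tell them apart.

# Generate, in directory $1 (constructed demo data, hypothetical names):
#   vpn.pem         RSA-2048 endpoint certificate (CA:FALSE), the kind a VPN gateway presents
#   inspect-ca.pem  P-521 CA certificate (CA:TRUE, keyCertSign), the kind HTTPS inspection needs
make_demo_certs() {
    dir=$1
    openssl genrsa -out "$dir/vpn.key" 2048 2>/dev/null
    openssl req -new -key "$dir/vpn.key" -subj "/CN=vpn-gateway.example" \
        -out "$dir/vpn.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:FALSE\n' > "$dir/leaf.ext"
    openssl x509 -req -in "$dir/vpn.csr" -signkey "$dir/vpn.key" -days 1 \
        -extfile "$dir/leaf.ext" -out "$dir/vpn.pem" 2>/dev/null

    openssl ecparam -name secp521r1 -genkey -noout -out "$dir/inspect-ca.key" 2>/dev/null
    openssl req -new -key "$dir/inspect-ca.key" -subj "/CN=HTTPS Inspection Sub-CA" \
        -out "$dir/inspect-ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$dir/ca.ext"
    openssl x509 -req -in "$dir/inspect-ca.csr" -signkey "$dir/inspect-ca.key" -days 1 \
        -extfile "$dir/ca.ext" -out "$dir/inspect-ca.pem" 2>/dev/null
}

# Print "<key type> ca=yes|no" for a PEM certificate, e.g. "RSA-2048 ca=no".
# A certificate with ca=no cannot sign the per-site certificates that HTTPS
# inspection generates, however strong its key is; key strength and CA role
# are independent properties.
describe_cert() {
    text=$(openssl x509 -in "$1" -noout -text) || return 1
    if printf '%s\n' "$text" | grep -q 'CA:TRUE'; then ca=yes; else ca=no; fi
    if printf '%s\n' "$text" | grep -q 'secp521r1'; then
        algo=P-521
    elif printf '%s\n' "$text" | grep -q 'rsaEncryption'; then
        bits=$(printf '%s\n' "$text" | sed -n 's/.*Public-Key: (\([0-9]*\) bit).*/\1/p' | head -n 1)
        algo="RSA-$bits"
    else
        algo=unknown
    fi
    echo "$algo ca=$ca"
}

# Stand-alone run: build both certificates in a temp dir and describe them.
workdir=$(mktemp -d)
make_demo_certs "$workdir"
describe_cert "$workdir/vpn.pem"         # RSA-2048 ca=no
describe_cert "$workdir/inspect-ca.pem"  # P-521 ca=yes
```

Running the same check against the objects configured on a gateway tells you which one is a signing CA and which is only an endpoint certificate, regardless of which key algorithm each uses.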
RoD
Contributor

Thank you for your post, sorry if I didn't ask the question well.

If I understood it well, the RSA 2048 certificate and the P-521 ECC certificate are not compatible?

Does HTTPS Inspection use only an RSA 2048 certificate or RSA 4096 certificate for inspecting websites?

My question is regarding HTTPS Inspection for a site-to-site VPN with a preshared key and with P-521 ECC as encryption.

0 Kudos
Wolfgang
Leader

I believe you should explain in more detail what you want to do.

As I wrote and @PhoneBoy mentioned, HTTPS inspection and site2site VPN are different things, and both use different certificates.

RoD, more information about your need would be very helpful to give you the right answers.

Wolfgang

0 Kudos
PhoneBoy
Admin

The certificates used for Site-to-Site VPN and HTTPS Inspection have absolutely nothing to do with each other.
They are completely independent of each other and configured in different places in the UI.

P-521 support is in R80.30.
Believe it is also in R80.20 with a recent Jumbo Hotfix.
If you are on an earlier release, you will need to upgrade.
0 Kudos
RoD
Contributor

Thank you Wolfgang and PhoneBoy for your help.  😀

I have one laptop that has a Site-to-Site VPN to one data center in Germany,
and this connection will go through a 3100 or 3600 firewall.

My original plan was that the 3100 firewall inspects this Site-to-Site VPN with HTTPS Inspection.

I think it is better that the 3100 firewall creates the Site-to-Site VPN to this data center in Germany,

0 Kudos
Wolfgang
Leader

RoD,

I think you are mixing some of the technologies.

A laptop with site2site VPN? That sounds more like a remote access VPN.

You can't inspect an IPSEC tunnel with HTTPS inspection. But you can inspect the traffic coming through the tunnel on one of the endpoints of the tunnel. If this traffic is HTTPS, you can inspect it with HTTPS inspection.

Wolfgang

0 Kudos
RoD
Contributor

I forgot to add my laptop with my old hardware firewall.

I decided that all my site-to-site VPNs go from the new Check Point firewall.

Thanks

0 Kudos