CPUG: The Check Point User Group


Thread: SSL bypass/inspection with a commercial certificate.

  #1

    Hi everyone,

    I have an issue that I have been working around all day. A client has an IIS 7.0 web server with an installed, valid commercial SSL certificate signed by DigiCert. The goal is to publish the server with this certificate, but when people look at the server from the internet they see the CPGW self-signed SSL certificate. What I tried is to bypass the source and destination IP address objects in the HTTPS inspection policy, and I also tried to import the certificate into the CPGW and inspect the traffic, but with the same result in both options: the CPGW is showing the self-signed certificate. Any suggestions are welcome.

    General info:

    Distributed environment.
    Two Check Point firewalls in a cluster using a local.arp file.
    One virtual machine with Management.
    The web server is on a DMZ interface of the CPGW; in the topology the interface is defined as internal.
    Firmware R77.20 with Jumbo Hotfix T124 on all appliances.

  #2

    If anyone finds this thread useful, the solution to my question is to configure the rule to bypass an object with the public IP address of the server, not the internal one; this firewall is configured with a manual ARP configuration (local.arp).

  #3

    The way to solve this while doing HTTPS Inspection (not in bypass) is to import your server certificate in the HTTPS Inspection Policy.
    This is done in HTTPS Inspection > Server Certificates.
    You'll need the private key.
    Then you can create a rule in your HTTPS Inspection policy like: any your-webserver https inspect yourcertificate
    It's that last field in the rule that tells the gateway to offer your server certificate rather than a certificate signed by the internal CA.
    Unless otherwise noted, views expressed are my own
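    An added check (example code, not from this thread or from Check Point) for confirming from the outside what the gateway actually presents: it connects to the public address the way an internet client does and classifies the received certificate as the commercial one, a self-signed placeholder, or one re-signed by the gateway's internal CA. The issuer organization "DigiCert Inc" and the sample certificates are assumptions constructed for the example.

```python
import socket
import ssl

# Assumption: the commercial issuer carries O=DigiCert Inc (thread says "signed by Digicert").
EXPECTED_ISSUER_ORG = "DigiCert Inc"

# Constructed samples in getpeercert() shape: tuple of RDNs, each a tuple of (attr, value) pairs.
SAMPLE_COMMERCIAL = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "DigiCert Inc"),),
               (("commonName", "Example Issuing CA"),)),
}
SAMPLE_GATEWAY_SELF_SIGNED = {
    "subject": ((("commonName", "cpgw.example"),),),
    "issuer": ((("commonName", "cpgw.example"),),),
}
SAMPLE_RESIGNED_BY_INTERNAL_CA = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Management Internal CA"),),),
}

def rdn_to_dict(rdns):
    """Flatten getpeercert()'s nested RDN tuples into {attribute: value}."""
    return {attr: value for rdn in rdns for attr, value in rdn}

def classify_presented_cert(cert, expected_issuer_org=EXPECTED_ISSUER_ORG):
    """Classify what a client actually received: "commercial",
    "self-signed" (gateway placeholder) or "gateway-issued" (re-signed)."""
    subject = rdn_to_dict(cert.get("subject", ()))
    issuer = rdn_to_dict(cert.get("issuer", ()))
    if issuer.get("organizationName") == expected_issuer_org:
        return "commercial"
    if subject == issuer:
        return "self-signed"
    # Any other CA in the path is, in this setup, the gateway's internal CA
    # re-signing the server certificate because the rule did not match.
    return "gateway-issued"

def check_public_endpoint(host, port=443, server_name=None, timeout=5.0):
    """Connect like an internet client, i.e. to the public (NATed) address the
    bypass/inspect rule has to match. The system trust store is used, so a
    gateway-issued certificate fails verification; that failure is the finding."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=server_name or host) as tls:
                return classify_presented_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return "untrusted: %s" % exc.reason
```

    Run check_public_endpoint() against the public IP with server_name set to the certificate's hostname; a result other than "commercial" means the inspection rule is still matching on the internal address rather than the NATed one.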
