Checkpoint Firewall: How to configure SSL Inspection Feature on Checkpoint Firewall.

1. Overview

The SSL Inspection Policy page lets you enable and configure SSL inspection. When you turn it on, the Software Blades that support SSL inspection can inspect traffic encrypted with SSL/TLS: the gateway terminates the client's connection, opens its own connection to the server, and re-signs the server's certificate with the gateway CA certificate. Because clients then receive certificates issued by the gateway CA rather than by a public CA, every host behind the gateway must trust the gateway CA certificate; otherwise browsers and applications show a certificate error for every inspected site.

Software Blades that support SSL traffic inspection:

  • Application & URL Filtering
  • IPS
  • Anti-Virus
  • Anti-Bot
  • Threat Emulation

This article shows how to enable SSL Inspection, install the gateway CA certificate on an endpoint, and exclude (bypass) traffic you trust from SSL Inspection.

2. Instructions

Step 1: Enable SSL Inspection.

In the administrative web interface of the Checkpoint Firewall, go to Access Policy > SSL Inspection > Policy.

Set SSL traffic inspection to ON to enable the feature.

Under Protocols to inspect, select HTTPS.

Next, click Download CA Certificate to download the gateway CA certificate (Ca.crt). This is the certificate the endpoints must trust in Step 2.

Step 2: Install CA Certificate.

On an endpoint (laptop, desktop, ...) in the LAN behind the Checkpoint Firewall, press Windows + R and type "mmc" to open the Microsoft Management Console, which you will use to add the CA certificate to Trusted Root Certification Authorities.

Click File > Add/Remove Snap-in...

Select Certificates in the Available snap-ins list and click Add.

Choose Computer account > Next. (The Computer account store is trusted by every user on the machine; choosing My user account would trust the CA for the current user only.)

Choose Local computer > Finish.

Next, expand Certificates (Local Computer) > Trusted Root Certification Authorities > Certificates, right-click and choose All Tasks > Import.

Click Next, then Browse to the CA certificate file downloaded in Step 1.

Select the Ca.crt file and click Open.

Click Next, choose Place all certificates in the following store, make sure the store shown is Trusted Root Certification Authorities, and click Next.

Finally click Finish. The message "The import was successful" confirms that the CA certificate has been added.

Note that Firefox keeps its own trust store and only honours the Windows store when security.enterprise_roots.enabled is set to true; for many endpoints, distribute the certificate with Group Policy (Computer Configuration > Policies > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities) rather than importing it by hand on each machine.
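The same import done from an elevated PowerShell prompt instead of the MMC snap-in, as an added example (not part of the original article). It assumes the file from Step 1 was saved as C:\Temp\Ca.crt; it prints the certificate details so you can compare the thumbprint with the one shown on the gateway before trusting it, refuses a file that is not a self-signed CA, and confirms the import by thumbprint.

```powershell
# Added example (not from the original article). Run from an elevated PowerShell prompt.
# Assumption: the CA certificate downloaded in Step 1 was saved as C:\Temp\Ca.crt.
$caPath = 'C:\Temp\Ca.crt'

# Load the certificate and show what you are about to trust.
$ca = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($caPath)
"Subject:    $($ca.Subject)"
"Issuer:     $($ca.Issuer)"
"Valid:      $($ca.NotBefore.ToString('u')) to $($ca.NotAfter.ToString('u'))"
"Thumbprint: $($ca.Thumbprint)"

# A gateway root CA is self-signed (Subject equals Issuer). Refuse anything else so a
# leaf or intermediate certificate never ends up in the Trusted Root store.
if ($ca.Subject -ne $ca.Issuer) {
    throw "$caPath is not a self-signed CA certificate; not importing."
}

# Import into Local Computer > Trusted Root Certification Authorities
# (Cert:\LocalMachine\Root). This trusts the CA for every user on the machine,
# which is what the MMC steps above do with 'Computer account'.
$null = Import-Certificate -FilePath $caPath -CertStoreLocation 'Cert:\LocalMachine\Root'

# Verify the import by thumbprint rather than by name.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) {
    throw "Import failed: thumbprint $($ca.Thumbprint) not found in LocalMachine\Root."
}
"Gateway CA installed: $($installed.Subject) [$($installed.Thumbprint)]"
```

Import-Certificate comes from the built-in PKI module (Windows 8 / Server 2012 and later). Compare the printed thumbprint with the one displayed on the gateway before running the import; a CA certificate in the Trusted Root store lets whoever holds its private key impersonate any HTTPS site to that machine, so only the gateway's own CA belongs there.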

Step 3: Bypass trusted traffic from SSL Inspection.

Go to Logs and Monitoring > Logs > Security Logs. You will see that HTTPS traffic is now logged with the action HTTPS Inspect.

Most websites, facebook.com for example, remain accessible with inspection enabled.

Some websites and applications, however, cannot be reached while SSL Inspection is enabled, chat.zalo.me for example. A common cause is that the client validates (pins) the server's own certificate and rejects the one re-signed by the gateway.

To exclude chat.zalo.me from SSL Inspection, add its URL in the Exceptions section.

Go to SSL Inspection > Exceptions > New.

Enter the following parameters:

Source: LAN Network

Destination: Internet

Service: HTTPS

Category/Custom Application: select New > URL.

Enter the URL "chat.zalo.me" and click Apply to create the URL object.

Click Apply to save the exception.

Keep exceptions as narrow as possible: traffic that is bypassed is no longer seen by the Software Blades listed in the Overview (IPS, Anti-Virus, Anti-Bot, Threat Emulation, Application & URL Filtering), so match on a specific URL or host rather than a whole category.

Visit chat.zalo.me again; the website should now load normally.

Check the logs on the Checkpoint again: the entries for chat.zalo.me now show the action Bypass instead of HTTPS Inspect.
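An endpoint-side check of which sites are being inspected and which are bypassed, as an added example (not part of the original article). It opens a TLS connection to each host, reads the certificate the client actually receives, and compares its issuer with the subject of the gateway CA downloaded in Step 1 (assumed to be saved at C:\Temp\Ca.crt): an inspected site presents a certificate issued by the gateway CA, a bypassed site presents one from its real public CA. The two hosts are the ones the article uses.

```powershell
# Added example (not from the original article). Run on an endpoint behind the gateway.
# Assumption: the gateway CA downloaded in Step 1 is saved as C:\Temp\Ca.crt.
$gatewayCa = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new('C:\Temp\Ca.crt')

function Get-PresentedCertificate {
    # Return the leaf certificate that a TLS client receives for $HostName.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 443
    )
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate: we only want to read who issued it, not to validate the chain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $tls = [System.Net.Security.SslStream]::new($client.GetStream(), $false, $acceptAll)
        try {
            # The handshake carries $HostName as SNI, which is what the gateway's URL exception matches.
            $tls.AuthenticateAsClient($HostName)
            [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($tls.RemoteCertificate)
        } finally {
            $tls.Dispose()
        }
    } finally {
        $client.Dispose()
    }
}

function Test-SslInspection {
    # Classify a host as inspected or bypassed by comparing the leaf issuer with the gateway CA subject.
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $GatewayCa
    )
    $leaf = Get-PresentedCertificate -HostName $HostName
    [pscustomobject]@{
        Host      = $HostName
        Inspected = ($leaf.Issuer -eq $GatewayCa.Subject)
        Issuer    = $leaf.Issuer
        Subject   = $leaf.Subject
    }
}

# With the configuration from Steps 1 to 3, facebook.com should show Inspected = True
# and chat.zalo.me should show Inspected = False (its real public CA as Issuer).
'facebook.com', 'chat.zalo.me' |
    ForEach-Object { Test-SslInspection -HostName $_ -GatewayCa $gatewayCa } |
    Format-Table -AutoSize
```

If a host shows Inspected = False but its Issuer is not a public CA you recognise, look at the full chain: a gateway that signs with an intermediate under its root would need the comparison made against that intermediate's subject instead.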
