The SSL Inspection Policy page lets you enable and configure SSL inspection. When you turn on this setting, the Software Blades that support SSL inspection can inspect traffic that is encrypted with the Secure Sockets Layer (SSL) protocol. The gateway does this by terminating the encrypted connection and re-signing the server certificate with its own CA, so every host behind the gateway must trust (install) the gateway CA certificate; otherwise browsers and applications on those hosts will reject the re-signed certificates.
Software Blades that support SSL traffic inspection:
- Application & URL Filtering
- Threat Emulation
This article shows how to configure SSL Inspection, install the gateway CA certificate on an endpoint, and bypass traffic you trust (or that cannot be inspected) from the SSL Inspection feature.
Step 1: Enable SSL Inspection.
In the administrative interface of the Check Point firewall, go to Access Policy > SSL Inspection > Policy.
Set SSL traffic inspection to ON to enable the feature.
Under Protocols to inspect, select HTTPS.
Next, click Download CA Certificate to download the gateway CA certificate; this is the certificate every endpoint must trust in Step 2.
Step 2: Install CA Certificate.
On an endpoint (laptop, desktop, ...) in the LAN behind the Check Point firewall, press Windows + R, type "mmc" and press Enter. The Microsoft Management Console is used to add the CA certificate to the Trusted Root Certification Authorities store.
Click File > Add/Remove Snap-in..
Select the Certificates item in the Available snap-in table and click Add.
Choose Computer Account > Next.
Choose Local computer > Finish.
Next, expand Certificates (Local Computer) > Trusted Root Certification Authorities, right-click Certificates and choose All Tasks > Import.
Click Next > Browse to select the CA Certificate file downloaded in step 1.
Choose Ca.crt file > Open.
Click Next, choose Place all certificates in the following store and make sure the store shown is Trusted Root Certification Authorities. Click Next.
Finally, click Finish. The message "The import was successful" confirms that the CA certificate has been added. Because the import goes into the Local Computer store, it applies to every user on that machine; only the gateway CA you downloaded yourself in Step 1 should be trusted this way.
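The same import can be scripted, which is more practical than the mmc wizard when many endpoints need the gateway CA. The following PowerShell script is an added example and not part of the original article or of Check Point's own tooling; the file path C:\Temp\Ca.crt is an assumption, so change it to wherever you saved the certificate from Step 1. It checks that the file really is a self-signed CA certificate before trusting it, imports it into the Local Computer Trusted Root store, and then verifies the import by thumbprint. Run it from an elevated (Administrator) PowerShell prompt.

```powershell
# Added example: import the gateway CA into Trusted Root Certification Authorities
# (Local Computer) and verify it. Requires an elevated PowerShell session.
# Assumption: the CA downloaded in Step 1 was saved as C:\Temp\Ca.crt (hypothetical path).
$CaPath = 'C:\Temp\Ca.crt'

if (-not (Test-Path $CaPath)) {
    throw "CA certificate file not found: $CaPath"
}

# Load the certificate and show what we are about to trust.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath
"Subject    : $($ca.Subject)"
"Issuer     : $($ca.Issuer)"
"Thumbprint : $($ca.Thumbprint)"
"Valid from : $($ca.NotBefore) to $($ca.NotAfter)"

# A root CA is self-signed, so subject and issuer must be identical.
# Refusing anything else prevents accidentally trusting a leaf or intermediate certificate.
if ($ca.Subject -ne $ca.Issuer) {
    throw "File is not a self-signed CA certificate; refusing to add it to the Root store"
}

# Skip the import if this exact certificate is already trusted.
$existing = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($existing) {
    "Gateway CA is already present in the Root store"
} else {
    # Equivalent of the mmc wizard: Trusted Root Certification Authorities > Import.
    Import-Certificate -FilePath $CaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
}

# Verify the result by thumbprint, not by name, so a lookalike certificate cannot pass the check.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($installed) {
    "The import was successful: $($installed.Subject) ($($installed.Thumbprint))"
} else {
    throw "CA certificate was not found in the Root store after import"
}
```

To roll the certificate out to domain-joined machines, the same .crt file can instead be published through a Group Policy Object under Computer Configuration > Windows Settings > Security Settings > Public Key Policies > Trusted Root Certification Authorities, which avoids running the script on each endpoint.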
Step 3: Configure a bypass (exception) from SSL Inspection.
Go to Log and Monitoring > Log > Security Logs. You will see that HTTPS connections from the LAN are now logged with the action HTTPS Inspect.
Most websites remain accessible with this feature enabled, for example facebook.com.
However, some websites and applications stop working when SSL Inspection is enabled; in this example chat.zalo.me cannot be accessed. This is typical of services that pin their server certificate or otherwise refuse a certificate issued by an unknown CA, so the client rejects the gateway's re-signed certificate.
To bypass chat.zalo.me from SSL Inspection, add its URL in the Exceptions section so that the gateway passes that traffic through without decrypting it.
In SSL Inspection > Exceptions > New.
Enter the following parameters:
Source: LAN Network
Category/Custom Application: Select New > URL.
Enter the URL "chat.zalo.me" and click Apply.
Visit chat.zalo.me again; the website is now accessible as normal.
Check the logs on the Check Point firewall and you will see that the log entries for chat.zalo.me now show the action Bypass instead of HTTPS Inspect. Keep the exception list as short as possible, because every bypassed destination is traffic the Software Blades can no longer inspect.
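Besides reading the firewall logs, you can confirm from the endpoint itself which connections are being inspected and which are bypassed: an inspected connection presents a certificate issued by the gateway CA, while a bypassed one presents the real certificate from a public CA. The following PowerShell script is an added example, not part of the original article or of Check Point's product; it assumes the gateway CA file from Step 1 is at C:\Temp\Ca.crt (hypothetical path) and uses www.facebook.com and chat.zalo.me as the hosts to probe, matching the article.

```powershell
# Added example: show whether an HTTPS connection is inspected (issuer = gateway CA)
# or bypassed (issuer = a public CA). Run from a client in the LAN behind the gateway.
# Assumption: the gateway CA from Step 1 is saved at C:\Temp\Ca.crt (hypothetical path).
$CaPath = 'C:\Temp\Ca.crt'
$gatewayCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CaPath

function Get-ServerCertificate {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any server certificate here: this probe only reports who issued it.
        # Never use such a callback in production code; it disables certificate validation.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        # AuthenticateAsClient sends the host name as SNI, so the gateway (or the real server)
        # returns the certificate it would present to a browser.
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        return $cert
    } finally {
        $client.Close()
    }
}

"Gateway CA subject: $($gatewayCa.Subject)"
""
"{0,-20} {1,-12} {2}" -f 'Host', 'State', 'Certificate issuer'
foreach ($hostName in @('www.facebook.com', 'chat.zalo.me')) {
    try {
        $cert = Get-ServerCertificate -HostName $hostName
        # Both DNs come from .NET's X509Certificate2, so the strings compare directly.
        $state = if ($cert.Issuer -eq $gatewayCa.Subject) { 'INSPECTED' } else { 'BYPASSED' }
        "{0,-20} {1,-12} {2}" -f $hostName, $state, $cert.Issuer
    } catch {
        # A handshake failure here is what a pinned or CA-strict client experiences
        # when the gateway re-signs its traffic.
        "{0,-20} {1,-12} {2}" -f $hostName, 'ERROR', $_.Exception.Message
    }
}
```

After the exception from this step is applied, www.facebook.com should report INSPECTED with the gateway CA as issuer, and chat.zalo.me should report BYPASSED with its public CA as issuer. If chat.zalo.me still shows the gateway CA, the exception rule is not matching (check that the Source object covers the client's network and that the URL matches exactly).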