SSL Inspection
Setting the HTTPS Inspection Level
Before you set the SSL inspection level, make sure you have installed the SSL certificate. See sk179817.
To set the HTTPS Inspection level:
- Click Policy > SSL Inspection.
- Deploy the Check Point Certificate in your branch office. From the Select Inspection Level list, select one:
  - Basic Inspection
  - Full Inspection
- From the Exceptions list, select the exceptions:
  - Categories
  - URL Lists
  - Network Lists
- In the Activate full inspection field, select where to apply the full HTTPS Inspection.
- Click Install Policy.
Best Practice - Enable Full HTTPS inspection and create exceptions for privacy-related websites with an option of gradual deployment.
Updatable Objects
An updatable object is a network object which represents an external service. For example:
- Online services - Office 365, Azure, and AWS
- GEO locations - The GEO database provides mapping of location data to IP addresses. For each location, there is a network object you can import. You can block or allow access to and from specific locations based on their IP addresses.
External services providers publish lists of IP addresses or Domains or both to allow access to their services. These lists are dynamically updated. Updatable objects derive their contents from these published lists of the providers, which Check Point uploads to the Check Point cloud. The updatable objects are updated automatically each time the provider changes a list. There is no need to install policy for the updates to take effect.
You can add updatable objects:
- To the destination in the Internet Access policy.
- As an exception to the Full Inspection. For more information, see SSL Inspection.
Downloading the Full Inspection Certificate
To download the active full inspection certificate:
- Click Policy > SSL Inspection.
- Under Download Full Inspection Certificate, click Download Certificate.
  The system downloads the certificate.
Managing Certificates
You can generate, upload, set a certificate as active, download and delete certificates.
To manage certificates:
- Click Policy > SSL Inspection.
- Under Download Full Inspection Certificate, click Manage Certificates.
  The Manage Certificates window appears.
- To generate a new Check Point certificate:
  - Click New.
  - In the Enter Certificate name field, enter a name for the certificate.
  - Click Generate certificate.
    The certificate is added to the table.
- To upload a certificate:
  - Click Upload.
    A window appears.
  - Click Select File and select the file.
  - In the Private key password field, enter the private key password.
  - In the Enter Certificate name field, enter a name for the certificate.
  - Click Add.
    The certificate is added to the table.
- To set a certificate as active:
  Warning - Before you set a certificate as active, ensure that you have distributed the certificate to all the user computers.
  - Select the certificate in the table that is not active.
    Note - You can set only one certificate as active.
  - Click Set as active.
    A warning message appears.
  - Select the I have distributed this certificate, let's continue checkbox.
  - Click Set as Active.
    The system takes a while to set the certificate as active. When the system sets the certificate as active, it displays the new active certificate under Download Full Inspection Certificate.
- To download a certificate:
  - Click Download.
    The system downloads the certificate.
- To delete a certificate:
  Note - You cannot delete an active certificate.
  - Select the certificate in the table that is not active.
  - Click Delete.
    The certificate is deleted from the table.
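A check for the warning above about distributing a certificate before setting it as active, added here as an example and not part of the Check Point documentation: it compares the SHA-256 fingerprint of the downloaded certificate against the trust bundle collected from each user computer and lists the computers where it is missing. It assumes the certificate and the bundles are available as PEM text; the host names and certificate bytes are constructed placeholders.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S)


def pem_fingerprints(pem_text):
    """Return the SHA-256 fingerprint (hex) of each certificate in PEM text."""
    prints = []
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # tolerate CRLF, indents
        prints.append(hashlib.sha256(der).hexdigest())
    return prints


def is_distributed(inspection_pem, bundle_pem):
    """True if the downloaded certificate is present in a trust bundle."""
    wanted = pem_fingerprints(inspection_pem)
    if len(wanted) != 1:
        raise ValueError("download must contain exactly one certificate")
    return wanted[0] in pem_fingerprints(bundle_pem)


def missing_hosts(inspection_pem, bundles):
    """Return the hosts whose trust bundle lacks the certificate, sorted."""
    return sorted(h for h, pem in bundles.items()
                  if not is_distributed(inspection_pem, pem))


def _pem(raw):
    """Wrap constructed bytes in PEM armor (placeholder, not a real cert)."""
    b64 = base64.encodebytes(raw).decode()
    return "-----BEGIN CERTIFICATE-----\n" + b64 + "-----END CERTIFICATE-----\n"


# Constructed sample data: placeholder bytes stand in for DER certificates.
NEW_CA = _pem(b"constructed-new-inspection-ca")
OLD_CA = _pem(b"constructed-old-inspection-ca")
PUBLIC_ROOT = _pem(b"constructed-public-root")
BUNDLES = {  # hypothetical host names
    "laptop-01": PUBLIC_ROOT + OLD_CA + NEW_CA,
    "laptop-02": PUBLIC_ROOT + OLD_CA,                # new CA not yet installed
    "kiosk-07": (PUBLIC_ROOT + NEW_CA).replace("\n", "\r\n"),
}

if __name__ == "__main__":
    print("Do not set as active yet, missing on:", missing_hosts(NEW_CA, BUNDLES))
```

An empty result from `missing_hosts` means every collected bundle already trusts the certificate that is about to become active.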