Check Point or Windows signatures update fails when HTTPS Inspection enabled on Security Gateway
Symptoms
  • Check Point signatures update fails when HTTPS Inspection is enabled on Security Gateway.

  • A connection attempt to the Check Point server over HTTPS with the curl command fails:

    #curl https://updates.checkpoint.com/WebService/services/DownloadMetaDataService
    curl: (60) SSL certificate problem, verify that the CA cert is OK.
    Details:
    error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
    More details here: http://curl.haxx.se/docs/sslcerts.html


  • A connection attempt to the Check Point server over HTTPS with the curl --insecure command succeeds.
Solution

Follow these steps:

  1. Connect with SmartDashboard to Security Management Server / Domain Management Server.

  2. Go to the 'Application & URL Filtering' tab. (In R80.10, go to 'Manage & Settings > Blades > HTTPS Inspection'.)

  3. Expand 'Advanced'.

  4. Expand 'HTTPS Inspection'.

  5. Click on 'Policy'.

  6. At the bottom of the page, check the box 'Bypass HTTPS inspection of traffic to well known software update services (list is dynamically updated)'.

    Important: Starting from R80.40, this checkbox is located in a different place. The setting is on by default, and the issue described in this article may occur if someone turns it off.

  7. Save the changes: in the 'File' menu, click 'Save'.

  8. Install the policy onto the relevant Security Gateway / Cluster object.
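
The curl check from the Symptoms section can be scripted to confirm the failure before the change and to verify the result after policy installation. This is an added example, not Check Point tooling: the function names are hypothetical, it assumes curl and openssl are available on the host where it runs, and it assumes that an inspected connection presents a certificate issued by the gateway's HTTPS Inspection CA rather than a public CA.

```shell
#!/bin/sh
# Added diagnostic sketch (not Check Point tooling).
# HOST and URL are the ones shown in the article's curl command.
HOST="updates.checkpoint.com"
URL="https://$HOST/WebService/services/DownloadMetaDataService"

# classify_tls_check VERIFIED_RC INSECURE_RC   (hypothetical helper)
# Maps the two curl exit codes to a diagnosis. Exit code 60 is the
# "SSL certificate problem" failure quoted in the Symptoms section.
classify_tls_check() {
    verified_rc=$1
    insecure_rc=$2
    if [ "$verified_rc" -eq 0 ]; then
        echo "ok"                 # chain validates: no action needed
    elif [ "$verified_rc" -eq 60 ] && [ "$insecure_rc" -eq 0 ]; then
        echo "cert-untrusted"     # matches the symptom in this article
    else
        echo "other-failure"      # DNS, routing, proxy, timeout, ...
    fi
}

# issuer_of HOST   (hypothetical helper)
# Prints the issuer of the certificate actually presented on the wire, so
# it can be compared with the expected public CA (assumption: an inspected
# connection shows the inspection CA here).
issuer_of() {
    echo | openssl s_client -connect "$1:443" -servername "$1" 2>/dev/null |
        openssl x509 -noout -issuer
}

# run_check: performs both curl attempts and reports the diagnosis.
run_check() {
    v=0; curl -sS -o /dev/null --max-time 15 "$URL" || v=$?
    i=0; curl -sS -o /dev/null --max-time 15 --insecure "$URL" || i=$?
    result=$(classify_tls_check "$v" "$i")
    echo "verified_rc=$v insecure_rc=$i diagnosis=$result"
    if [ "$result" = "cert-untrusted" ]; then
        issuer_of "$HOST"
    fi
    return 0
}

# Network access happens only when the script is invoked with --run.
[ "${1:-}" = "--run" ] && run_check
```

Use --insecure only for this diagnosis; once the bypass is installed, the verified attempt should report "ok" without it.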


HTTPS Inspection Bypass List

When "Bypass HTTPS inspection of traffic to well-known software update services" is enabled, traffic to the update services listed below is bypassed (this is the canonical list). Because the domains for these services may change, the links to these update services are dynamically updated on the Security Gateway:

  • Check Point updates
  • Microsoft updates
  • VMware updates
  • Mozilla updates
  • Java updates
  • Adobe updates

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.