Forum Discussion

Naoki
19 days ago
Solved

Is It Okay to Apply Double TLS Inspection?

I am considering connecting a Cato PoP and an on-premises firewall via IPSec while applying TLS Inspection on both sides. Could this setup cause any issues with communication functionality?

Some security products do not necessarily discourage double TLS Inspection, while others may advise against it. However, I could not find any reference to this in Cato's Knowledge Base.

If anyone has experience operating with a similar configuration, I would appreciate it if you could share any insights on how it works in practice and any issues to be aware of.

  • peter (Cato Employee)

    Hello Naoki-san,

    In this scenario, whenever Cato inspects a session, the on-prem firewall will see the Cato certificate presented from the server side. As long as it is configured to trust this cert, there should be no problem. If it can't be configured to trust the Cato cert, then the fallback option would be to disable certificate validation in the on-prem firewall, but this is probably not a good idea.

    • Naoki

      Hi Peter,

      Thank you for your clear response.
      Theoretically, I assumed that installing the Cato certificate on the on-premises firewall would make it work, so I’m glad to confirm that our understanding aligns.
      I’m curious whether performing TLS inspection twice will lead to noticeable processing delays overall, but I’d like to test this to see the impact.

      Thank you.
      Regards,

  • bizzle90 (Cato Employee)

    Hey Naoki,

    Thanks for the question.

    From my perspective, there should not be an issue, simply because with the IPsec tunnel, you already have the traffic encrypted with the respective encapsulation protocol (depending on whether you're using ESP or AH, of course). I can't say from the FW perspective, but on the PoP, the leg of the IPsec tunnel terminates at the PoP, meaning the traffic will then be de-encapsulated from the respective headers/payload at the PoP before it ingresses the Cato SPACE architecture to be analyzed. So the IP header with the TLS payload can be analyzed by the TLS inspection engine.

    Just a quick screenshot from my lab, where I have my test IPsec site (configured to my colleague's network):

    If I were to add, logically, from the on-prem FW perspective, it should do the same thing regarding TLS on the termination of the IPsec leg regarding the encapsulation of the headers. Maybe you can confirm this with the respective vendor.

    I hope the above helps.


    • Naoki

      Hi bizzle90,
      I understand that after IPsec decryption at the Cato PoP, TLS inspection takes place.
      I will look into whether the same behavior occurs on an on-premises firewall as well.
      Thank you.
      Regards,