Forum Discussion

Naoki's avatar
Naoki
Comet
19 days ago
Solved

Is It Okay to Apply Double TLS Inspection?

I am considering connecting a Cato PoP and an on-premises firewall via IPSec while applying TLS Inspection on both sides. Could this setup cause any issues with communication functionality? Some sec...
security
  • peter's avatar
    peter
    19 days ago

    Hello Naoki-san,

    In this scenario, whenever Cato inspects a session, the on-prem firewall will see the Cato certificate presented from the server side. As long as it is configured to trust this cert then there should be no problem. If it can't be configured to trust the Cato cert then the fallback option would be to disable certificate validation in the on-prem firewall, but this is probably not a good idea.

bizzle90's avatar
bizzle90
Icon for Cato Employee rankCato Employee
19 days ago

Hey Naoki,

Thanks for the question.

From my perspective, there should not be an issue, simply because with the ISPEC tunnel, you already have the traffic encrypted with the respective encapsulation protocol (depending on whether you're using ESP or AH, of course). I can't say from the FW perspective, but on the PoP, the leg of the IPSEC tunnel terminates at the PoP, meaning the traffic will then be de-encapsulated from the respective headers/payload at the PoP before it ingresses the Cato SPACE architecture to be analyzed. So the IP header with the TLS payload can be analyzed by the TLS inspection engine.

Just a quick screenshot from my lab, where I have my test IPSEC site (to my colleagues network configured):

If I were to add logically, from the on-prem FW perspective, it should do the same thing regarding TLS on the termination of the IPSEC leg regarding the encapsulation of the headers. Maybe you can confirm this with the respective vendor.

I hope the above helps.

 

Naoki's avatar
Naoki
Comet
18 days ago

Hi bizzle90,
I understand that after IPsec decryption at the Cato PoP, TLS inspection takes place.
I will look into whether the same behavior occurs on an on-premises firewall as well.
Thank you.
Regards,