https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276516#M105247 <P>Hi community,</P><P>I’m running into an issue with HTTPS Inspection and would appreciate your insights.</P><P>I’ve configured HTTPS Inspection to the best of my knowledge:</P><P>* HTTPS Inspection is enabled on the firewall<BR />* There is an outbound rule with the action set to **Inspect**<BR />* The inspection certificate is properly installed on the client</P><P>However, inspection is never actually triggered. All traffic is consistently marked as **Bypass**, with the reason: *“Inspection is not required.”*</P><P>Has anyone encountered this behavior before or knows what could cause this? Are there specific conditions, rulebase settings, or blade interactions that might lead to traffic being skipped with this message?<BR /><BR />It's an Open server with R82 Take 91.</P><P>Thanks in advance!<BR /><BR />Niko</P> Tue, 05 May 2026 15:36:08 GMT Nikolas135096 2026-05-05T15:36:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276516#M105247 <P>Hi community,</P><P>I’m running into an issue with HTTPS Inspection and would appreciate your insights.</P><P>I’ve configured HTTPS Inspection to the best of my knowledge:</P><P>* HTTPS Inspection is enabled on the firewall<BR />* There is an outbound rule with the action set to **Inspect**<BR />* The inspection certificate is properly installed on the client</P><P>However, inspection is never actually triggered. All traffic is consistently marked as **Bypass**, with the reason: *“Inspection is not required.”*</P><P>Has anyone encountered this behavior before or knows what could cause this? Are there specific conditions, rulebase settings, or blade interactions that might lead to traffic being skipped with this message?<BR /><BR />It's an Open server with R82 Take 91.</P><P>Thanks in advance!<BR /><BR />Niko</P> Tue, 05 May 2026 15:36:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276516#M105247 Nikolas135096 2026-05-05T15:36:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276525#M105249 <P>Most likely, this is going to require a TAC case.<BR />I've never seen this message myself and don't see it mentioned in any TAC cases.</P> Tue, 05 May 2026 16:42:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276525#M105249 PhoneBoy 2026-05-05T16:42:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276526#M105250 <P>Never seen it either...</P> Tue, 05 May 2026 16:57:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276526#M105250 the_rock 2026-05-05T16:57:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276561#M105254 <P>Thanks a lot for your fast replies. I'll open a TAC case.</P> Wed, 06 May 2026 07:38:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276561#M105254 Nikolas135096 2026-05-06T07:38:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276576#M105256 <P>Let us know how it goes.</P> Wed, 06 May 2026 11:33:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276576#M105256 the_rock 2026-05-06T11:33:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276594#M105257 <P>Do you have a rule which needs to see inside the traffic? For example, are you applying AV scanning?</P> <P>HTTPS Inspection isn't an end in itself. It's a feature to allow other inspection to work. If there's no other inspection which depends on it, maybe the firewall doesn't insert itself into the TLS negotiation because inspection is not required.</P> Wed, 06 May 2026 14:22:51 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276594#M105257 Bob_Zimmerman 2026-05-06T14:22:51Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276598#M105258 <P>I just ran your screenshot through chatgpt and below iw aht it gave me. Not sure if you can double check these points:</P> <P>*****************************</P> <P>&nbsp;</P> <P data-end="155" data-start="0">This screenshot is from a Check Point log (likely SmartLog / SmartConsole), and it’s showing how a specific connection was handled by your security policy.</P> <P data-end="186" data-start="157">Here’s what each field means:</P> <P data-end="212" data-start="188"><STRONG data-end="212" data-start="188">Action: HTTPS Bypass</STRONG></P> <UL data-end="360" data-start="213"> <LI data-end="277" data-start="213" data-section-id="1huxr67">The traffic matched a rule that <STRONG data-end="276" data-start="247">bypasses HTTPS inspection</STRONG>.</LI> <LI data-end="360" data-start="278" data-section-id="1wgdp1p">In plain terms: the firewall <STRONG data-end="359" data-start="309">did NOT decrypt or inspect the SSL/TLS traffic</STRONG>.</LI> </UL> <P data-end="407" data-start="362"><STRONG data-end="407" data-start="362">Action Reason: Inspection is not Required</STRONG></P> <UL data-end="556" data-start="408"> <LI data-end="446" data-start="408" data-section-id="j7mblt">This explains <EM data-end="429" data-start="424">why</EM> it was bypassed.</LI> <LI data-end="556" data-start="447" data-section-id="17nrylg">The policy determined that this connection is <STRONG data-end="518" data-start="495">trusted or excluded</STRONG>, so deep inspection wasn’t necessary.</LI> </UL> <P data-end="591" data-start="558"><STRONG data-end="591" data-start="558">Policy Management: NK-CP-MGMT</STRONG></P> <UL data-end="651" data-start="592"> <LI data-end="651" data-start="592" data-section-id="4b80be">This is the <STRONG data-end="627" data-start="606">management server</STRONG> that pushed the policy.</LI> </UL> <P data-end="687" data-start="653"><STRONG data-end="687" data-start="653">Policy Name: IDAwarenessPolicy</STRONG></P> <UL data-end="828" data-start="688"> <LI data-end="762" data-start="688" data-section-id="1tmtk84">The connection matched a rule inside your <STRONG data-end="761" data-start="732">Identity Awareness policy</STRONG>.</LI> <LI data-end="828" data-start="763" data-section-id="1ga9g83">Likely tied to user/group-based rules rather than just IP/port.</LI> </UL> <P data-end="866" data-start="830"><STRONG data-end="866" data-start="830">Policy Date: Yesterday, 16:51:30</STRONG></P> <UL data-end="945" data-start="867"> <LI data-end="945" data-start="867" data-section-id="1pokg5s">Timestamp of when the policy currently installed on the gateway was applied.</LI> </UL> <HR data-end="950" data-start="947" /> <H3 data-end="979" data-start="952" data-section-id="18mtqz5">What this means overall</H3> <P data-end="1024" data-start="980">Traffic matched a rule that explicitly says:</P> <BLOCKQUOTE data-end="1072" data-start="1025"> <P data-end="1072" data-start="1027">“Allow HTTPS traffic without SSL inspection.”</P> </BLOCKQUOTE> <P data-end="1100" data-start="1074">This is commonly done for:</P> <UL data-end="1247" data-start="1101"> <LI data-end="1145" data-start="1101" data-section-id="nrew9t">Trusted domains (banking, Microsoft, etc.)</LI> <LI data-end="1173" data-start="1146" data-section-id="7wyl36">Privacy-sensitive traffic</LI> <LI data-end="1220" data-start="1174" data-section-id="hyus19">Applications that break under SSL inspection</LI> <LI data-end="1247" data-start="1221" data-section-id="itb3bl">Performance optimization</LI> </UL> <HR data-end="1252" data-start="1249" /> <H3 data-end="1274" data-start="1254" data-section-id="1dz3o8e">Why this matters</H3> <P data-end="1299" data-start="1275">Because it was bypassed:</P> <UL data-end="1449" data-start="1300"> <LI data-end="1330" data-start="1300" data-section-id="fanz43">No SSL decryption happened</LI> <LI data-end="1389" data-start="1331" data-section-id="uf9uk0">No deep threat inspection inside the encrypted payload</LI> <LI data-end="1449" data-start="1390" data-section-id="ohro9p">Only basic inspection (IP, port, SNI, etc.) was applied</LI> </UL> <HR data-end="1454" data-start="1451" /> <H3 data-end="1485" data-start="1456" data-section-id="ogk6n0">If you’re troubleshooting</H3> <P data-end="1505" data-start="1486">This log tells you:</P> <UL data-end="1653" data-start="1506"> <LI data-end="1576" data-start="1506" data-section-id="1dmq14q">If you expected HTTPS inspection → <STRONG data-end="1576" data-start="1543">your rulebase is bypassing it</STRONG></LI> <LI data-end="1653" data-start="1577" data-section-id="1bvk5ea">If something is being missed (e.g., malware detection) → this could be why</LI> </UL> Wed, 06 May 2026 14:44:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276598#M105258 the_rock 2026-05-06T14:44:29Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276701#M105288 <P>You're absolutely right. As soon as I enabled Threat Prevention, the traffic was inspected. Thank you very much!</P><P>Interestingly, even the support team hadn't seen that message before.</P> Fri, 08 May 2026 11:31:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-is-always-bypassed-quot-Inspection-is-not/m-p/276701#M105288 Nikolas135096 2026-05-08T11:31:08Z