topic Re: HTTPS Inspection for Proxy environment in Firewall and Security Management

HTTPS Inspection for Proxy environment

kulwinder_barhe — Fri, 27 Sep 2019 18:02:03 GMT

What are the minimum hardware requirements and support for HTTPS Inspection. I have a client with 2200 hardware and 77.20 firmware. Any specific Pros and Cons I need to know as my client is having 2 web servers in proxy environment and lot of issues when we are enabling this feature. Do I need to upgrade firmware ?

Thank you

Re: HTTPS Inspection for Proxy environment

FedericoMeiners — Sat, 28 Sep 2019 06:22:41 GMT

Hello,

Both your appliance and OS version are quite old:

The 2200 appliance has support until 2022 but the hardware is probably outdated for today requirements. If you are going to keep using this I strongly advise to add more RAM to it if possible.
R77.20 is totally outdated, it doesn't have support since August 2017. Supported versions are R80.10, R80.20 and R80.30. All three of them have MANY improvements to SSL Inspection. If it's a stand alone deployment then you will not be able to upgrade to these versions.

Another point to check if how many blades do you have enabled and throughput. Last but not last if you have the management server inside your 2200 (Stand alone deployment) I hardly doubt that you have resources to enable SSL Inspection.

You can refer to my post which has some tips in how to implement SSL Inspection: Outbound SSL Inspection: A war story

To summarize:

Check current CPU and memory utilization with SmartView Monitor, output from top and free -m. If CPU is average %45 or you have spikes and/or you are swapping memory then it's a bad idea.
Check active blades and current throughput and compare it with the 2200 datasheet
Use R80.XX - You cannot do this if you have the management on the same appliance.

Hope it helps

Re: HTTPS Inspection for Proxy environment

FedericoMeiners — Sat, 28 Sep 2019 15:54:57 GMT

@kulwinder_barhe

My previous post with a lot of more detail was tagged as spam, until it is recovered here is my advise:

HTTPS Inspection is really resource intensive.
Appliance 2200 is old, you will probably need to add more RAM for SSL Inspection (Check with free -m / top / Smartview Monitor).
R77.20 is out of support since 2017, you will need R80.10 / R80.20 / R80.30.
R80.XX comes with tons of improvements for SSL Inspection.
If you have a stand alone deployment (Management + GW in the same box) then you cannot upgrade to R80.XX. You will need to separate them (Distributed deployment)
Reffer to my post Outbound SSL Inspection: A war story for advises on deploying HTTPS Inspection.

Hope it helps

___

Re: HTTPS Inspection for Proxy environment

PhoneBoy — Sat, 28 Sep 2019 20:55:09 GMT

Not sure why this was flagged as spam, but is not now.

Re: HTTPS Inspection for Proxy environment

PhoneBoy — Sat, 28 Sep 2019 21:04:09 GMT

If you want to run HTTPS Inspection, you really need to be running on the latest release (R80.30).
If your 2200 has 4GB, you can do that, assuming Security Management is on a different appliance.
Even so, the 2200 has fairly limited CPU and HTTPS Inspection makes extensive use of it.
I would strongly consider replacing the 2200 with a newer, stronger appliance.

Re: HTTPS Inspection for Proxy environment

kulwinder_barhe — Mon, 30 Sep 2019 14:47:19 GMT

Thank you !