https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159899#M28131 <P>First of all, an HTTP proxy won't work if the HTTP that comes across it is not well formed.<BR />Beyond that, yes, you can do further limiting with App Control and/or IPS.<BR />You will probably also need HTTPS Inspection enabled as well.&nbsp;</P> Tue, 18 Oct 2022 22:29:05 GMT PhoneBoy 2022-10-18T22:29:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128 <P>If the firewall is configured as HTTP/HTTPS proxy, and user is using for example SSH over HTTP, does the firewall proxy this traffic?</P><P>&nbsp;</P> Tue, 18 Oct 2022 20:03:07 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128 dianammar 2022-10-18T20:03:07Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159893#M28129 <P>While we support being configured as an (explicit) HTTP/HTTPS proxy, it's not a configuration we generally recommend.<BR />Performance characteristics of proxy mode are substantially different and recommend you work with your Check Point SE to ensure your gateways are appropriately sized for such a configuration.</P> <P>To answer your specific question, it entirely depends on how the SSH traffic is being tunneled as to whether it will be detected or not.<BR />It also depends on whether you've enabled IPS and have the SSH over Non-Standard Port signature enabled (how such behavior is typically detected).</P> Tue, 18 Oct 2022 20:14:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159893#M28129 PhoneBoy 2022-10-18T20:14:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159894#M28130 <P>So in general, can we limit any other protocols so they don't be passed by the proxy if they run over HTTP or HTTPS?</P><P>&nbsp;</P> Tue, 18 Oct 2022 20:25:04 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159894#M28130 dianammar 2022-10-18T20:25:04Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159899#M28131 <P>First of all, an HTTP proxy won't work if the HTTP that comes across it is not well formed.<BR />Beyond that, yes, you can do further limiting with App Control and/or IPS.<BR />You will probably also need HTTPS Inspection enabled as well.&nbsp;</P> Tue, 18 Oct 2022 22:29:05 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159899#M28131 PhoneBoy 2022-10-18T22:29:05Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159902#M28132 <P>Yes, note protocol signatures may also be something to explore here e.g.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="proto sig.png" style="width: 609px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/18163iF05D091916E3CB20/image-size/large?v=v2&amp;px=999" role="button" title="proto sig.png" alt="proto sig.png" /></span></P> Wed, 19 Oct 2022 01:08:16 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/159902#M28132 Chris_Atkinson 2022-10-19T01:08:16Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/160078#M28177 <P>On your case, would it be possible to consider using SSH DPI ?&nbsp; &nbsp;<BR /><BR /><A href="https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Using-SSH-Inspection.htm?Highlight=ssh%20inspection%20" target="_blank">https://sc1.checkpoint.com/documents/R81.10/WebAdminGuides/EN/CP_R81.10_ThreatPrevention_AdminGuide/Topics-TPG/Using-SSH-Inspection.htm?Highlight=ssh%20inspection%20</A><BR /><BR /><BR /></P> Thu, 20 Oct 2022 16:22:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/160078#M28177 rrbranco 2022-10-20T16:22:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/160266#M28227 <P>Thanks everyone. We might consider SSH DPI for SSH traffic as well as inforcing policies with App control</P> Mon, 24 Oct 2022 15:34:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Gateway-as-HTTP-HTTPS-proxy/m-p/160266#M28227 dianammar 2022-10-24T15:34:55Z