https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163286#M29144 <P>Hi all,<BR /><BR />My question is similar to "<A href="https://community.checkpoint.com/t5/Security-Gateways/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128&quot;" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Security-Gateways/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128"</A><BR /><BR />We want to setup an Internet facing Cluster to replace a non-transparent (HTTP/HTTPS) Proxy . We do NOT want to use the "non-transparent Proxy feature ( for many reasons, also mentioned in the other post) ! Should be a transparent forcing gateway/cluster.</P><P>Currently we do not have any&nbsp; possibility for a setup to test this requirement.</P><P><SPAN class=""><SPAN class=""><SPAN class="">One of these rules there at the current proxy is that e.g. MS RDP or Citrix protocol (or another remote access protocol, also SSH) are recognized (if tunneling via HTTPS) and thus these types of connections were rejected.</SPAN></SPAN></SPAN></P><P>We want to implement a rulebase to do the same at the CheckPoint R81.10 cluster.</P><P>What is required to do this?</P><P><SPAN class=""><SPAN class=""><SPAN class="">It's obvious that HTTPS inspection needs to be turned on</SPAN></SPAN></SPAN>.</P><P>a) Do we have to enable "protocol signature" for HTTPS&nbsp; and/or HTTP as a prerequisite ?</P><P>b) Could one approach be to use applications like "Microsoft Remote Desktop Connection","Citrix" or "SSH"&nbsp; before any other HTTPS/HTTP allow rule to recognize and drop these applications ? Or is another step required: e.g. "drop non-Compliant HTTP" ?<BR /><BR />Appreciate any suggestions or ideas!<BR /><BR />Thanks<BR />Martin</P> Sun, 27 Nov 2022 15:51:59 GMT Martin_Hofbauer 2022-11-27T15:51:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163286#M29144 <P>Hi all,<BR /><BR />My question is similar to "<A href="https://community.checkpoint.com/t5/Security-Gateways/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128&quot;" target="_blank" rel="noopener">https://community.checkpoint.com/t5/Security-Gateways/Gateway-as-HTTP-HTTPS-proxy/m-p/159888#M28128"</A><BR /><BR />We want to setup an Internet facing Cluster to replace a non-transparent (HTTP/HTTPS) Proxy . We do NOT want to use the "non-transparent Proxy feature ( for many reasons, also mentioned in the other post) ! Should be a transparent forcing gateway/cluster.</P><P>Currently we do not have any&nbsp; possibility for a setup to test this requirement.</P><P><SPAN class=""><SPAN class=""><SPAN class="">One of these rules there at the current proxy is that e.g. MS RDP or Citrix protocol (or another remote access protocol, also SSH) are recognized (if tunneling via HTTPS) and thus these types of connections were rejected.</SPAN></SPAN></SPAN></P><P>We want to implement a rulebase to do the same at the CheckPoint R81.10 cluster.</P><P>What is required to do this?</P><P><SPAN class=""><SPAN class=""><SPAN class="">It's obvious that HTTPS inspection needs to be turned on</SPAN></SPAN></SPAN>.</P><P>a) Do we have to enable "protocol signature" for HTTPS&nbsp; and/or HTTP as a prerequisite ?</P><P>b) Could one approach be to use applications like "Microsoft Remote Desktop Connection","Citrix" or "SSH"&nbsp; before any other HTTPS/HTTP allow rule to recognize and drop these applications ? Or is another step required: e.g. "drop non-Compliant HTTP" ?<BR /><BR />Appreciate any suggestions or ideas!<BR /><BR />Thanks<BR />Martin</P> Sun, 27 Nov 2022 15:51:59 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163286#M29144 Martin_Hofbauer 2022-11-27T15:51:59Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163317#M29145 <P>Why are you posting to the AppSec category? This seems to be HTTPSi question for regular security GWs.</P> Mon, 28 Nov 2022 08:15:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163317#M29145 _Val_ 2022-11-28T08:15:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163496#M29199 <P>Because this is a "Application Security" (...) question ... - <SPAN class=""><SPAN class=""><SPAN class="">as I (unfortunately incorrectly) assumed that this is the category for GW application security<BR /></SPAN></SPAN></SPAN>&nbsp;I never worked with "AppSec"&nbsp;&nbsp; -&nbsp; this name is another example of a limited talent of your company choosing meaningfull names for products (look at the history of endless number for&nbsp; names for a VPN client ...)<BR /><BR />Thanks for moving to the right category- still waiting for an answer ....</P> Tue, 29 Nov 2022 10:04:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163496#M29199 Martin_Hofbauer 2022-11-29T10:04:08Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163513#M29208 <P><A href="https://community.checkpoint.com/t5/Management/Enable-Protocol-Signature-by-default/m-p/139285/highlight/true#M29469" target="_blank">Solved: Re: Enable Protocol Signature by default - Check Point CheckMates</A></P> Tue, 29 Nov 2022 10:41:29 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Limiting-Traffic-to-prevent-Remote-access/m-p/163513#M29208 Alex- 2022-11-29T10:41:29Z