topic Re: HTTPS Inspection - Performace issues at first page request / VSX in Firewall and Security Management

HTTPS Inspection - Performace issues at first page request / VSX

xiro — Mon, 28 Nov 2022 12:53:21 GMT

Hi,

we have a VSX implementation with 5 different VS, and for one of them we just enabled HTTPS-Inspection.

Unfortunately the users are complaining constantly about performance & sites that are not working properly. We have bypassed already dozens of sites, (even low/very low category), but it won't get better.

Besides sites that mitigate Inspection by design (banking), one main issue is that the first access to a page is extremely slow (e.g. apple.com). Afterwards, all other requests work fine. In older versions we had similar issues that we could fix with mechanisms like "probe bypass". But our VSX is running on 81.10, therefore probe bypass should be irrelevant (since 80.30).

The Site Categorization mode is set to "Hold", but despite changing it to "Background" (installing DB, installing VS-policy, installing VS0-policy), the changes are not having any effect on the behavior. Fail Mode is "fail-open".

The GWs are bored to death (10% CPU load during business hours).

Any ideas what else we could check or try to improve the user experience?

Re: HTTPS Inspection - Performace issues at first page request / VSX

Chris_Atkinson — Mon, 28 Nov 2022 15:22:22 GMT

Some questions for context:

Have you checked if the trusted CA list is up to date?

Check Internet access works for CRL checks?

How is the HTTPS inspection policy structured?

Which JHF is the cluster currently installed with?

Re: HTTPS Inspection - Performace issues at first page request / VSX

_Val_ — Mon, 28 Nov 2022 13:37:08 GMT

I would suggest checking internet connectivity from the VSX cluster, including VS0. Check that DNS is working, and connections from your VSX GWs to Internet are not blocked.

Re: HTTPS Inspection - Performace issues at first page request / VSX

xiro — Mon, 28 Nov 2022 15:40:24 GMT

the vsx is connected directly to the internet (nothing in between), all connections and checks are fine...

Re: HTTPS Inspection - Performace issues at first page request / VSX

xiro — Mon, 28 Nov 2022 16:31:39 GMT

- Yes, CAs are fine

- Internet access works properly, but we get CRL detect messages in the logs (details below)

- Policy is simple with a few rules: Bypass by source, destination, URL/Category, "CP-recommended services" and afterwards an "inspect any"

- R81.10 T55

Regarding CRL: We saw constant detects, mainly to Microsoft services and I tried to trace that down.

I believe that this issue is because of an error in the certificate of MS itself -> the CRL link seems to contain a space at the end, therefore CP fails to access it:

This is the issue that occurs constantly, since the service seems to be accessed by Windows constantly. Otherwise there are only a few logs due to expired certs or similar.

Re: HTTPS Inspection - Performace issues at first page request / VSX

PhoneBoy — Tue, 29 Nov 2022 01:12:05 GMT

Since we check the certificate as part of HTTPS Inspection (including the CRL), perhaps the issues with this are creating the delays?
I know you can disable CRL checking in HTTPS Inspection, which isn't necessarily recommended.

Re: HTTPS Inspection - Performace issues at first page request / VSX

_Val_ — Tue, 29 Nov 2022 09:27:22 GMT

Then, if you cannot find any obvious issue, please take it with TAC.

According to your description, it sounds like a connectivity issue causing a delay with certificate validation, but it might be also something else. Aks support to look into this.

Re: HTTPS Inspection - Performace issues at first page request / VSX

Chris_Atkinson — Tue, 29 Nov 2022 09:44:17 GMT

Regarding the HTTPS Inspection policy structure the following may be helpful for you:

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/m-p/127750/highlight/true#M27820