topic Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy in Firewall and Security Management

HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

Nenad_D — Thu, 09 Mar 2023 11:52:58 GMT

Hello community,

I would like to know whether there is a way to configure HTTPS Inspection Bypass for a certain domain (e.g. google.com) when using Security Gateway (in our case a virtual system / VSX environment) as HTTPS Proxy (non-transparent)!?

When configuring a bypass rule in HTTPS Inspection Policy with Security Gateway / Virtual System as Destination then it works, but then all relevant traffic will bypass HTTPS Inspection (for traffic from client to Security Gateway / HTTPS Proxy) and that's not desired configuration.

R81.10 JHF Take 79 is installed on the Security Gateways and Management Server.

Thanks in advance for your help!

Best Regards

Nenad

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Thu, 09 Mar 2023 13:53:18 GMT

I remember testing this back in R77 versions, but not in R80+, so trying to remember how I made it work. I know I had to make some modifications on the gateway settings in smart console...can you send a screenshot of how https proxy tab is configured on gateway object?

Cheers,

Andy

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

Nenad_D — Thu, 09 Mar 2023 14:23:47 GMT

Hi Andy,

here a screenshot of the HTTP Proxy tab on the Security Gateway / Virtual System object:

Thanks in advance for your help!

Best Regards

Nenad

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Thu, 09 Mar 2023 15:03:12 GMT

No problem, thank you. I will have to check and see if I had to modify the actual ports at the bottom, so give me some time. Apologies, this was probably more than 7 years ago, so will need to see if I still have details on how I did this.

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Thu, 09 Mar 2023 18:32:43 GMT

Ok, just made it work by modifying below:

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

Nenad_D — Fri, 10 Mar 2023 08:38:10 GMT

Hi Andy,

thanks very much for sharing the information.

But I think I didn't get it how that will help to configure certain HTTPS Inspection Bypass rules when using the proxy.
Anything else I need to configure?
Could you please explain?

Thanks in advance!

Best Regards

Nenad

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Fri, 10 Mar 2023 12:18:16 GMT

From notes I have, that was the only change I had to make on CP side. Can you send a screenshot of bypass rule(s)?

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

Nenad_D — Fri, 10 Mar 2023 15:21:29 GMT

Hi Andy,

a common bypass rule looks like the following:

I will check whether it works with proxy settings you mentioned.

Thanks!

Best Regards
Nenad

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Fri, 10 Mar 2023 15:24:57 GMT

Sounds good, yea, bypass rule looks right to me. If it still does not work, I will dig further and see if there was anything else I had to change.

ANdy

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

PhoneBoy — Sat, 11 Mar 2023 00:15:34 GMT

HTTPS Inspection always sees the gateway as the destination when non-transparent proxy mode is used.
As such, the HTTPS Inspection policy will never match another destination.
This is expected behavior.
https://support.checkpoint.com/results/sk/sk108706

Re: HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

the_rock — Sat, 11 Mar 2023 02:55:34 GMT

Interesting...I tested this today in my R81.20 lab and when gateway is configured as non-transparent proxy, the https bypass rules worked just fine.