https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187197#M34489 <P>There will definitely be a significant amount of overhead incurred due to the overhead of HTTPS encrypt/decrypt operations, this is not really avoidable or offloadable into silicon/hardware at this time.</P> <P>Traffic must be accepted by the Firewall/Network policy layer before the HTTPS Inspection Policy is examined, and it is matched against the pre-NAT packet IP addresses, just like the Firewall/Network policy layer.</P> <P>Overhead will also increase due to there now being more decrypted traffic for the various blades to inspect, whereas before HTTPS Inspection the traffic was encrypted between client and server and could not be inspected at all.&nbsp; This can be mitigated somewhat by configuring the Blades column of the HTTPS Inspection policy to limit what blades inspect which decrypted traffic, but this is rarely employed.</P> <P>However a truly amazing amount of overhead can be saved by properly ordering your HTTPS Inspection Policy rules to avoid the invocation of Medium Path Active Streaming for Bypass actions wherever possible.&nbsp; It is a bit complicated to explain, so here are the current pages related to this topic from my <A href="http://www.maxpowerfirewalls.com/gw-optimization-course.html" target="_blank" rel="noopener">R81.20 Gateway Performance Optimization Course</A>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21830i421CC669E307D58B/image-size/large?v=v2&amp;px=999" role="button" title="https1.png" alt="https1.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21831i1C0A78CD3692C64F/image-size/large?v=v2&amp;px=999" role="button" title="https2.png" alt="https2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https3.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21832i1884982606C2608A/image-size/large?v=v2&amp;px=999" role="button" title="https3.png" alt="https3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https4.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21833i9C7ED9BC693A9A80/image-size/large?v=v2&amp;px=999" role="button" title="https4.png" alt="https4.png" /></span></P> Fri, 21 Jul 2023 15:05:53 GMT Timothy_Hall 2023-07-21T15:05:53Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187108#M34457 <P>Hi Checkmates,</P><P>I enable &nbsp;SSLinspection for outbound, then facing high utilization from 30% to 65%. is it normal?</P><P>From this im trying to tuning the current configuration because too many policy and some of the policy is duplicate.</P><P>In the CP, what is going to check first? Access Control Policy or HTTP Inspection?</P><UL><LI>Access Control &gt; HTTP Inspection &gt; Threat Prevention. is it correct?</LI></UL><P>&nbsp;</P><P>and last, does anyone know how to anticipate HSTS error after enable HTTP Inpsection? because some of web got this error message and cant open. Thanks!!</P> Thu, 20 Jul 2023 16:28:44 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187108#M34457 Fabz 2023-07-20T16:28:44Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187109#M34458 <P>Your best bet is to use below sk to troubleshoot, as well as wstlsd debug:</P> <P><A href="https://support.checkpoint.com/results/sk/sk112066" target="_blank">https://support.checkpoint.com/results/sk/sk112066</A></P> <P>Whats your utilization when https inspection is off?</P> <P>Andy</P> Thu, 20 Jul 2023 16:49:58 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187109#M34458 the_rock 2023-07-20T16:49:58Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187130#M34463 <P>Yes there is an overhead involved depending on your traffic mix &amp; configuration.</P> <P>To start review your HTTPS inspection policy - refer:</P> <P><A href="https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/td-p/83504#M27820" target="_blank">https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/td-p/83504#M27820</A></P> <P><A href="https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Policy-Rule-Order/td-p/128681#M27952" target="_blank">https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Policy-Rule-Order/td-p/128681#M27952</A></P> <P>From there investigating further with HCP might yield additional clues.</P> Thu, 20 Jul 2023 23:27:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187130#M34463 Chris_Atkinson 2023-07-20T23:27:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187197#M34489 <P>There will definitely be a significant amount of overhead incurred due to the overhead of HTTPS encrypt/decrypt operations, this is not really avoidable or offloadable into silicon/hardware at this time.</P> <P>Traffic must be accepted by the Firewall/Network policy layer before the HTTPS Inspection Policy is examined, and it is matched against the pre-NAT packet IP addresses, just like the Firewall/Network policy layer.</P> <P>Overhead will also increase due to there now being more decrypted traffic for the various blades to inspect, whereas before HTTPS Inspection the traffic was encrypted between client and server and could not be inspected at all.&nbsp; This can be mitigated somewhat by configuring the Blades column of the HTTPS Inspection policy to limit what blades inspect which decrypted traffic, but this is rarely employed.</P> <P>However a truly amazing amount of overhead can be saved by properly ordering your HTTPS Inspection Policy rules to avoid the invocation of Medium Path Active Streaming for Bypass actions wherever possible.&nbsp; It is a bit complicated to explain, so here are the current pages related to this topic from my <A href="http://www.maxpowerfirewalls.com/gw-optimization-course.html" target="_blank" rel="noopener">R81.20 Gateway Performance Optimization Course</A>:</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https1.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21830i421CC669E307D58B/image-size/large?v=v2&amp;px=999" role="button" title="https1.png" alt="https1.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https2.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21831i1C0A78CD3692C64F/image-size/large?v=v2&amp;px=999" role="button" title="https2.png" alt="https2.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https3.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21832i1884982606C2608A/image-size/large?v=v2&amp;px=999" role="button" title="https3.png" alt="https3.png" /></span><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="https4.png" style="width: 999px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/21833i9C7ED9BC693A9A80/image-size/large?v=v2&amp;px=999" role="button" title="https4.png" alt="https4.png" /></span></P> Fri, 21 Jul 2023 15:05:53 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/SSL-Inspection-High-Utilization/m-p/187197#M34489 Timothy_Hall 2023-07-21T15:05:53Z