https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215012#M41077 <P>Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.<BR />Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.</P> Wed, 22 May 2024 14:32:17 GMT PhoneBoy 2024-05-22T14:32:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215004#M41075 <P>Hi mates,</P><P>We have enabled the HTTPS inspection for incoming traffic to a server in DMZ.<BR />From time to time, there are DDoS attacks against this site, which leads to memory exhaust of the CP GW (7000 with 32G RAM).<BR />Disabling HTTPS inspection from policy solves the issue, but this is very problematic as GW is hard to response during that time.</P><P>So, I am looking for a way to disable HTTPS from CLI, if possible, to speed up the recovery during these DDoS attacks.</P><P>Thanks</P> Wed, 22 May 2024 13:23:19 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215004#M41075 Dilian_Chernev 2024-05-22T13:23:19Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215007#M41076 <P>Afaik and the Admin guides show, no. Did you already use <A href="https://support.checkpoint.com/results/sk/sk112241" target="_blank" rel="noopener"><SPAN>sk112241: Best Practices - <STRONG>DDoS</STRONG> <STRONG>attacks</STRONG> on Check Point Security Gateway</SPAN></A> ? You can also open an informative SR# with CP TAC to be sure about the possibilities you have.</P> Wed, 22 May 2024 14:11:52 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215007#M41076 G_W_Albrecht 2024-05-22T14:11:52Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215012#M41077 <P>Unfortunately, the only way to disable HTTPS Inspection at this time is through the policy.<BR />Note that in R82, we will have some additional fail-open options for HTTPS Inspection, including based on CPU load.</P> Wed, 22 May 2024 14:32:17 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215012#M41077 PhoneBoy 2024-05-22T14:32:17Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215069#M41084 <P>Thanks for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>We have made optimizations recommended in the sk112241, and without HTTPS inspection, the GW handles the traffic pretty well.&nbsp;</P> Thu, 23 May 2024 06:34:33 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215069#M41084 Dilian_Chernev 2024-05-23T06:34:33Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215070#M41085 <P>Thanks for the reply <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>Hope R82 will be released soon to see it in action&nbsp;</P> Thu, 23 May 2024 06:35:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215070#M41085 Dilian_Chernev 2024-05-23T06:35:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215073#M41086 <P>Gents are correct, no way to do it via cli. Interesting suggestion though!</P> Thu, 23 May 2024 07:12:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215073#M41086 the_rock 2024-05-23T07:12:25Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215130#M41090 <P>I was curious to see what our Infinity AI Copilot thought about that ... here's the answer.</P> <P><span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="SSLi_CLI.JPG" style="width: 550px;"><img src="https://community.checkpoint.com/t5/image/serverpage/image-id/25862i8AB16DF5301A15E2/image-size/large?v=v2&amp;px=999" role="button" title="SSLi_CLI.JPG" alt="SSLi_CLI.JPG" /></span></P> Thu, 23 May 2024 18:53:38 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215130#M41090 SimonDrapeau 2024-05-23T18:53:38Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215131#M41091 <P>Guess should use it more often lol</P> Thu, 23 May 2024 18:57:24 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215131#M41091 the_rock 2024-05-23T18:57:24Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215134#M41092 <P>That won't work. Seems to be making things up. It is interesting how it inferred that from the instructions on enabling tls v1.3, might have gotten lucky in another scenario.</P> Thu, 23 May 2024 20:38:13 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215134#M41092 Lloyd_Braun 2024-05-23T20:38:13Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215138#M41093 <P>This is technically correct insofar is that:</P> <P>1. This disables the infrastructure used for HTTPS Inspection in R81 and above<BR />2. Only the CLI is used (yes, it requires a reboot)</P> <P>However, I suspect this is not what the original poster had in mind and would probably mark this as "not helpful." <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P> Thu, 23 May 2024 20:53:27 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215138#M41093 PhoneBoy 2024-05-23T20:53:27Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215139#M41094 <P>really? will the set command modify that kernel parameter and persist through a reboot? like fw ctl set int -f ?</P> Thu, 23 May 2024 21:01:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215139#M41094 Lloyd_Braun 2024-05-23T21:01:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215143#M41095 <P>Upon further reflection, I suspect what will actually happen is that the old infrastructure (that wasn't TLSIO) will be used instead.<BR />This will limit you to TLS 1.2 as TLSIO is required for TLS 1.3 inspection.<BR />Bottom line: this is probably not the answer you're looking for.</P> Thu, 23 May 2024 21:27:22 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215143#M41095 PhoneBoy 2024-05-23T21:27:22Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215153#M41096 <P>I believe fwkern.conf would also need to be updated?</P> <P>Andy</P> Fri, 24 May 2024 03:11:11 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215153#M41096 the_rock 2024-05-24T03:11:11Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215190#M41101 <P>Usually when you're changing kernel variables, yes, fwkern.conf is touched.</P> Fri, 24 May 2024 14:43:23 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215190#M41101 PhoneBoy 2024-05-24T14:43:23Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215210#M41106 <P>On a lark, I asked the question to AI Copilot myself earlier.<BR />I got a different answer that&nbsp;referred me to a kernel variable that doesn't exist.<BR />I reported this as an invalid result.</P> <P>At least fwtls_enable_tlsio is a valid kernel variable.</P> Fri, 24 May 2024 19:29:08 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/Is-it-possible-to-disable-HTTPS-inspection-from-CLI/m-p/215210#M41106 PhoneBoy 2024-05-24T19:29:08Z