topic HTTPS Inspections for traffic in the VPN tunnel in Firewall and Security Management

HTTPS Inspections for traffic in the VPN tunnel

startlook — Wed, 19 Nov 2025 14:45:25 GMT

Good afternoon!

We use a distributed network of CheckPoint 1535 devices connected in a mesh VPN. All devices are managed via CPSM.
When enabling the HTTPS Inspections policy on devices in the regions, traffic destined for the central office network is not included in the HTTPS Inspections policy. In the logs, these requests display the error: HTTPS Validation: The probe was unable to establish a TCP connection to the destination. Description: Bypassing request as configured in the engine settings of HTTPS Inspection.
Requests from the central office network that should not be routed to the VPN correctly traverse the HTTPS Inspections policy chain.
The internet access chain for the client looks like this (The Bypass option is enabled in the HTTPS Inspection rules for such traffic):
Client -> CP1535Branch -> meshVPN -> CP3600HQ -> HQ-Service (HTTPS)
In this chain, I get the error:

HTTPS Validation: The probe was unable to establish a TCP connection to the destination

Description: Bypassing request as configured in engine settings of HTTPS Inspection

Client -> CP1535Branch-> Internet
HTTPS works correctly in this chain.

How can I diagnose this problem? Could this be because the regional office's CheckPoint is attempting to access the central office nodes without encapsulating the traffic in the VPN?

Re: HTTPS Inspections for traffic in the VPN tunnel

the_rock — Wed, 19 Nov 2025 16:06:32 GMT

Are any of those sites not inspected included in bypass policy?

Re: HTTPS Inspections for traffic in the VPN tunnel

startlook — Thu, 20 Nov 2025 06:34:23 GMT

Hello, Andy.
Yes, the bypass policy fully specifies the branch network (source) and the head office network (destination). The problem is that traffic from a host in a remote office does not fall into this rule, but is marked as "Error" with the error "The probe was unable to establish a TCP connection to the destination."

I suspect that the node on the network at the headquarters is unreachable by the CheckPoint device itself on the branch. When the HTTPS Inspections policy is enabled, the device itself sends a request to the node on behalf of the client. This node is unreachable via VPN from the device itself (it's only reachable by clients behind it). Could this be the cause of the problem? Do I need to somehow change the VPN Domain settings so that nodes on the headquarters network can be reached from the branch device itself CheckPoint?

Re: HTTPS Inspections for traffic in the VPN tunnel

the_rock — Thu, 20 Nov 2025 12:04:14 GMT

In my mind, as long as that node is subjected to its traffic being inspected by the CP firewall and right inspection certs are trueted on it, there is no reason why this would not work.

Re: HTTPS Inspections for traffic in the VPN tunnel

PhoneBoy — Thu, 20 Nov 2025 16:10:16 GMT

Part of performing HTTPS Inspection requires the gateway to reach out to the destination server to verify SNI.
If the gateway can't do this, you'll get this error.

If the gateway is attempting to reach out to the server without going through the VPN, you should clearly see this in a tcpdump on the external interface.
If the destination is in the encryption domain, it should go over the VPN.
If it isn't it might be a bug and TAC should be engaged.