https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4389#M10471 <HTML><HEAD></HEAD><BODY><P>Apologies, but I have to paste the entire SK here to get to the bottom of it.</P><P>Please scroll down to the highlighted sections and please help me understand the implications of these perls of wisdom:</P><P>----</P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">R80.10 Configuration</STRONG></P><UL style="padding: 0px 0px 0px 30px;"><LI style="margin-left: 1.0in; text-indent: -.25in;"><SPAN style="font-size: 10.5pt; color: black;">In order to make the Proxy Server to work on R80.10, an explicit rule should be created allowing traffic to the gateway itself on the proxy defined port.</SPAN></LI><LI style="margin-left: 1.0in; text-indent: -.25in;"><SPAN style="font-size: 10.5pt; color: black;">When using URL Filtering, an explicit rule should be created to match the URL categorization.</SPAN></LI></UL><P><SPAN style="font-size: 10.5pt; color: black;">-----</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(3) Limitations</STRONG></P><P style="color: #3d3d3d;"><SPAN style="font-size: 10.5pt; color: black;">HTTP/HTTPS proxy support is&nbsp;<STRONG><EM>limited</EM></STRONG>&nbsp;for the following features/configurations:</SPAN></P><TABLE style="color: #3d3d3d; border: 1px solid transparent; margin: -1px -1px 2px;"><TBODY style="border: inherit solid inherit;"><TR style="border: inherit solid inherit;"><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTPS traffic</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black; background: yellow;">Not supported in Transparent Proxy configuration when the<SPAN>&nbsp;</SPAN></SPAN><SPAN style="font-size: 10.5pt; color: red; background: yellow;">HTTPS traffic ports are configured in the 'ports' section of the proxy configuration.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR></TBODY></TABLE><P></P><P>----</P><P><SPAN style="color: #000000;">The following features/configuration are&nbsp;</SPAN><STRONG style="color: #000000;">supported</STRONG><SPAN style="color: #000000;">, but might require some adjustments:</SPAN></P><P></P><TABLE style="border: 1px solid transparent; margin: -1px -1px 2px;"><TBODY style="border: inherit solid inherit;"><TR style="border: inherit solid inherit;"><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTPS traffic</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black; background: yellow;">Supported in Non-Transparent Proxy configuration.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR></TBODY></TABLE><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;">&nbsp;</STRONG></P><P style="margin-bottom: .0001pt;">-----</P><P style="margin-bottom: .0001pt;">For what its worth, this seem to do the trick:</P><P style="margin-bottom: .0001pt;"><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62927_pastedImage_2.png" style="width: 864px; height: 92px;" /></P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;">With Proxy configured thus:</P><P style="margin-bottom: .0001pt;"><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62928_pastedImage_3.png" style="width: 620px; height: 569px;" /></P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;">And the proxy checker actually returns:</P><P style="margin-bottom: .0001pt;"><IMG class="image-3 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62929_pastedImage_4.png" style="width: 620px; height: 482px;" /></P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;">But since I have HTTPS inspection enabled, I have no means to discern if that traffic is being proxied or inspected inline which, in case of HTTPS may not be different anyhow, as the session is broken-down in two and the certificates will be substituted in both cases:</P><P style="margin-bottom: .0001pt;">&nbsp;</P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;"><IMG class="jive-image image-4" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62930_pastedImage_5.png" style="width: 620px; height: 268px;" /></STRONG></P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;">&nbsp;</STRONG></P><P style="margin-bottom: .0001pt;"></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;">How to configure Check Point Security Gateway as HTTP/HTTPS Proxy</STRONG></P><P style="margin-bottom: .0001pt; border: none; padding: 0in;"><SPAN style="font-size: 8.0pt;">Top of Form</SPAN></P><TABLE><TBODY><TR><TD style="padding: .75pt .75pt .75pt .75pt;" width="20"></TD><TD style="padding: .75pt .75pt .75pt .75pt;" width="20"></TD><TD style="padding: .75pt .75pt .75pt .75pt;" width="20"></TD><TD style="padding: .75pt .75pt .75pt .75pt;" width="20"></TD><TD style="padding: .75pt .75pt .75pt .75pt;" width="20"></TD><TD style="padding: .75pt .75pt .75pt 3.75pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 12.0pt;">Rate This</SPAN></P></TD></TR></TBODY></TABLE><P style="margin-bottom: .0001pt; border: none; padding: 0in;"><SPAN style="font-size: 8.0pt;">Bottom of Form</SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.5pt; color: black;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doShowfavoritespage"><SPAN style="font-size: 10.5pt; color: #ba2454;">My Favorites</SPAN></A></SPAN></P><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 9.5pt; color: black;"><A href="mailto:?subject=Check%20Point%20SecureKnowledge%20Solution&amp;body=Solution%20Title:%20How%20to%20configure%20Check%20Point%20Security%20Gateway%20as%20HTTP/HTTPS%20Proxy%0D%0ASolution%20ID:%20sk110013%0D%0ASolution%20Link:%20https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails%3D%26solutionid%3Dsk110013%20%20%20%20%0D%0A-------------------------------------------------------------%20%0D%0AFor%20Disclaimer%20of%20Warranty%20and%20Copyright%20info:%20http://www.checkpoint.com/copyright.html"><SPAN style="font-size: 10.5pt; color: #ba2454; text-decoration: none;">Email</SPAN></A><A href="https://supportcenter.checkpoint.com/supportcenter/portal/media-type/html/role/supportcenterUser/page/print.psml?action=portlets.SearchResultMainAction&amp;eventSubmit_doPrintsolution=&amp;solutionid=sk110013"><SPAN style="font-size: 10.5pt; color: #ba2454; text-decoration: none;">Print</SPAN></A></SPAN></P><TABLE><TBODY><TR><TD style="border: solid #E3E3E3 1.0pt; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Solution ID</SPAN></P></TD><TD style="border: solid #E3E3E3 1.0pt; border-left: none; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">sk110013</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Product</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">Security Gateway</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Version</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">R75.40, R75.40VS, R75.45, R75.46, R75.47, R76, R76SP, R76SP.10, R76SP.10_VSLS, R76SP.20, R76SP.30, R76SP.40, R77, R77.10, R77.20, R77.30, R80.10</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">OS</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">Gaia, SecurePlatform 2.6</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Platform / Model</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">All</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Date Created</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">14-Feb-2016</SPAN></P></TD></TR><TR><TD style="border: solid #E3E3E3 1.0pt; border-top: none; padding: .75pt 3.75pt .75pt 9.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Last Modified</SPAN></P></TD><TD style="border-top: none; border-left: none; border-bottom: solid #E3E3E3 1.0pt; border-right: solid #E3E3E3 1.0pt; padding: .75pt 22.5pt .75pt 13.5pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt;">22-Jan-2018</SPAN></P></TD></TR></TBODY></TABLE><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;">Solution</STRONG></P><P><STRONG style="color: black; font-size: 10.5pt;">Table of Contents:</STRONG></P><OL><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Configuration in SmartDashboard</SPAN></LI><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Important notes</SPAN></LI><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Limitations</SPAN></LI><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Proxy errors</SPAN></LI><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Related documentation</SPAN></LI><LI style="color: #ba2454;"><SPAN style="font-size: 10.5pt;">Related solutions</SPAN></LI></OL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(1) Configuration in SmartDashboard</STRONG></P><OL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Open the Security Gateway object you would like to configure as a Proxy.</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Go to HTTP/HTTPS Proxy pane:</SPAN><OL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Check the box&nbsp;<STRONG><EM>Use this gateway as an HTTP/HTTPS Proxy</EM></STRONG>.</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Configure the Proxy settings:</SPAN><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Proxy Modes</SPAN></LI></UL></LI></OL></LI></OL><P style="margin-left: 1.5in;"><SPAN style="font-size: 10.5pt; color: black;">Two proxy modes are supported:</SPAN></P><OL><OL><UL><UL><LI style="color: black;"><EM style="font-size: 10.5pt;">Transparent</EM><SPAN style="font-size: 10.5pt;">&nbsp;- All HTTP traffic on specified ports and interfaces is intercepted and processed by the Proxy code in the Security Gateway. No configuration is required on the clients.</SPAN></LI><LI style="color: black;"><EM style="font-size: 10.5pt;">Non Transparent</EM><SPAN style="font-size: 10.5pt;">&nbsp;- All HTTP/HTTPS traffic on specified ports and interfaces is intercepted and processed by the Proxy code in the Security Gateway. Configuration of the proxy address and port is required on client machines.</SPAN></LI></UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Access Control</SPAN></LI></UL></OL></OL><P style="margin-left: 1.5in;"><SPAN style="font-size: 10.5pt; color: black;">You can configure one of these options for forwarding HTTP requests:</SPAN></P><OL><OL><UL><UL><LI style="color: black;"><EM style="font-size: 10.5pt;">All Internal Interfaces</EM><SPAN style="font-size: 10.5pt;">&nbsp;- HTTP/HTTPS traffic from all internal interfaces is processed by the Proxy code in the Security Gateway.</SPAN></LI><LI style="color: black;"><EM style="font-size: 10.5pt;">Specific Interfaces</EM><SPAN style="font-size: 10.5pt;">&nbsp;- HTTP/HTTPS traffic from interfaces specified in the list is processed by the Proxy code in the Security Gateway.</SPAN></LI></UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Ports</SPAN></LI></UL></OL></OL><P style="margin-left: 1.5in;"><SPAN style="font-size: 10.5pt; color: black;">By default, traffic is intercepted only on port 8080. You can add or edit ports as required.</SPAN></P><OL><OL><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Advanced</SPAN></LI></UL></OL></OL><P style="margin-left: 1.5in;"><SPAN style="font-size: 10.5pt; color: black;">You can configure proxy headers by clicking on&nbsp;<STRONG><EM>Advanced...</EM></STRONG>&nbsp;button.</SPAN></P><OL><OL><UL><UL><LI style="color: black;"><EM style="font-size: 10.5pt;">Proxy related headers</EM><SPAN style="font-size: 10.5pt;">&nbsp;- By default, the HTTP header contains the "<EM>Via</EM>" proxy related header. Clear this checkbox if you do not want to include it.</SPAN></LI><LI style="color: black;"><EM style="font-size: 10.5pt;">X-Forward-For header (original client source IP address)</EM><SPAN style="font-size: 10.5pt;">&nbsp;- check this box to include the actual source IP address in the HTTP.<BR /> This header must be configured, if traffic will be forwarded to Identity Awareness Security Gateways that require this information for user identification.</SPAN></LI></UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Logging</SPAN></LI></UL></OL></OL><P style="margin-left: 1.5in;"><SPAN style="font-size: 10.5pt; color: black;">The Security Gateway opens two connections (one connection with the client and one connection with the actual destination server), but only the Firewall blade can log both connections.<BR /> Other blades show only the connection between the client and the Security Gateway.<BR /> The "Destination" field of the log only shows the Security Gateway and not the actual destination server.<BR /> The "Resource" field shows the actual destination.</SPAN></P><OL><LI style="color: black;"><EM style="font-size: 10.5pt;">Example</EM><SPAN style="font-size: 10.5pt;">:</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Install policy on the Security Gateway.</SPAN></LI></OL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">R80.10 Configuration</STRONG></P><UL><LI style="margin-left: 1.0in; text-indent: -.25in;"><SPAN style="font-size: 10.0pt; color: black;"> </SPAN><SPAN style="font-size: 10.5pt; color: black;">In order to make the Proxy Server to work on R80.10, an explicit rule should be created allowing traffic to the gateway itself on the proxy defined port.</SPAN></LI><LI style="margin-left: 1.0in; text-indent: -.25in;"><SPAN style="font-size: 10.0pt; color: black;"> </SPAN><SPAN style="font-size: 10.5pt; color: black;">When using URL Filtering, an explicit rule should be created to match the URL categorization.</SPAN></LI></UL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(2) Important notes</STRONG></P><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">In order to maintain highest security, it is recommended to avoid selecting external interfaces as the relevant proxy interfaces.</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;">Check Point HTTP/HTTPS proxy is&nbsp;<STRONG><EM>not</EM></STRONG>&nbsp;a caching proxy (it does not cache commonly visited web pages to provide faster local access to hosts on the LAN).</SPAN></LI></UL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(3) Limitations</STRONG></P><P><SPAN style="font-size: 10.5pt; color: black;">HTTP/HTTPS proxy support is&nbsp;<STRONG><EM>limited</EM></STRONG>&nbsp;for the following features/configurations:</SPAN></P><TABLE><TBODY><TR><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="180"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Feature /<BR /> Configuration</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Comments</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="120"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Plans</STRONG></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">IPv6</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Proxy can be used, but not for IPv6 connections.<BR /> In dual IP stack, only IPv4 traffic is supported.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">In addition, refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112816"><SPAN style="color: #905690; text-decoration: none;">sk112816 - Check Point support for IPv4 / IPv6 Proxy</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Planned to be resolved in a future version.</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Span Port /<BR /> Mirror Port /<BR /> Monitor Mode</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Proxy is not supported when this feature is enabled.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk98389"><SPAN style="color: #905690; text-decoration: none;">sk98389</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">VPN Site-to-Site</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Proxy can be used, but not over VPN connections.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk93929"><SPAN style="color: #905690; text-decoration: none;">sk93929</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Planned to be resolved in a future version.</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Mobile Access blade</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Proxy can be used, but not over Mobile Access connections.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Anti-Spam &amp; E-mail Security blade</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Proxy is not supported when this feature is enabled.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">*The Content-based Anti-Spam is not supported with proxy (only the IP Reputation is supported)</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Application Accounting</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Not supported in Transparent Proxy configuration.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTPS traffic</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black; background: yellow;">Not supported in Transparent Proxy configuration when the </SPAN><SPAN style="font-size: 10.5pt; color: red; background: yellow;">HTTPS traffic ports are configured in the 'ports' section of the proxy configuration.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">UserCheck</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Users do not receive a UserCheck page for blocked HTTPS connections that pass through Proxy, but instead receive a message that the page could not be reached.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk93184"><SPAN style="color: #905690; text-decoration: none;">sk93184</SPAN></A>&nbsp;and&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk85640"><SPAN style="color: #905690; text-decoration: none;">sk85640</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Planned to be resolved in a future version.</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">NTLM authentication</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Not supported in Proxy configuration.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk100214"><SPAN style="color: #905690; text-decoration: none;">sk100214</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><EM style="color: black; font-size: 10.5pt;">No active plans</EM></P></TD></TR></TBODY></TABLE><P><SPAN style="font-size: 10.5pt; color: black;">The following features/configuration are&nbsp;<STRONG>supported</STRONG>, but might require some adjustments:</SPAN></P><TABLE><TBODY><TR><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="180"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Feature /<BR /> Configuration</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Comments</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="120"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Integrated in</STRONG></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">VPN Remote Access with client E75.30</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">The following configuration is required - add both internal and external interfaces to 'Specific Interfaces' setting in HTTP/HTTPS Proxy properties.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">UserCheck</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">UserCheck block page message is not shown when Security Gateway is configured as HTTP Proxy.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">To resolve the issue, add the portal IP address to the proxy exceptions list in your web browser, or use a proxy PAC file to exclude the portal from the connections that require a proxy.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">This allows the client to connect directly to the portal, without going through the proxy feature.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk72100"><SPAN style="color: #905690; text-decoration: none;">sk72100</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Bridge mode</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">The following configuration is required - you must configure an IP address on the bridge interface.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Cluster with Cluster Virtual IP address on a different subnet than the member's physical IP addresses</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">In case you encounter connectivity issues,&nbsp;<A href="http://www.checkpoint.com/services/contact/index.html"><SPAN style="color: #905690; text-decoration: none;">contact Check Point Support</SPAN></A>&nbsp;to get a Hotfix for this issue (Issue ID 01223637).</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">R76 and above</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Application &amp; URL Filtering with a single interface</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">When Security Gateway is configured as HTTP/HTTPS Proxy with a single interface, define the relevant rules in 'Application &amp; URL Filtering' policy as follows: Source - 'Any'; Destination - 'Any'.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="http://supportcontent.checkpoint.com/solutions?id=sk80340"><SPAN style="color: #905690; text-decoration: none;">sk80340</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">"</SPAN><SPAN style="font-size: 10.0pt; color: black;">Page not found</SPAN><SPAN style="font-size: 10.5pt; color: black;">" error</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Error is shown when Security Gateway is configured as Non-transparent Proxy, if the same site is accessed on more than one destination port.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;"><A href="http://www.checkpoint.com/services/contact/index.html"><SPAN style="color: #905690; text-decoration: none;">Contact Check Point Support</SPAN></A>&nbsp;to get a Hotfix for this issue (Issue ID 01134342).</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">R75.47,<BR /> R77 and above</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Ports Leak in ClusterXL HA</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">If ClusterXL in High Availability mode is used as Proxy in Non Transparent mode, then NAT kernel table '</SPAN><SPAN style="font-size: 10.0pt; color: black;">fwx_alloc</SPAN><SPAN style="font-size: 10.5pt; color: black;">' on the Standby cluster member has significantly more entries than on the Active cluster member.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">"</SPAN><SPAN style="font-size: 10.0pt; color: black;">NAT hide failure - no available port for hide NAT</SPAN><SPAN style="font-size: 10.5pt; color: black;">" logs in SmartView Tracker will appear.</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Refer to&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk69480"><SPAN style="color: #905690; text-decoration: none;">sk69480</SPAN></A>&nbsp;and&nbsp;<A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk93247"><SPAN style="color: #905690; text-decoration: none;">sk93247</SPAN></A>.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">R77 and above</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTPS traffic</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black; background: yellow;">Supported in Non-Transparent Proxy configuration.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">-</SPAN></P></TD></TR></TBODY></TABLE><P><SPAN style="font-size: 10.5pt; color: black;">Additional notes:</SPAN></P><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">By default, Check Point Security Gateway does&nbsp;<EM>not</EM>&nbsp;support Reverse Proxy Functionality.<BR /> For Capsule Docs Reverse Proxy, refer to:</SPAN><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk102973"><SPAN style="color: #905690; text-decoration: none;">sk102973 - Check Point Capsule Docs - 3rd-party Reverse Proxy Server</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk103706"><SPAN style="color: #905690; text-decoration: none;">sk103706 - Capsule Docs On-Premises vs. Capsule Docs managed in the Cloud</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk105123"><SPAN style="color: #905690; text-decoration: none;">sk105123 - Check Point Capsule Docs, Endpoint Security and Remote Access VPN E80.61 / R77.20.01</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk108375"><SPAN style="color: #905690; text-decoration: none;">sk108375 - Check Point Capsule Docs, Endpoint Security and Remote Access VPN E80.62 / R77.30.01</SPAN></A></SPAN></LI></UL></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;">On 41000 / 61000 Security System - Proxy connections will be dropped during failovers (due to the fact that such connections are handled as a Local Connection, which has no backup) (Issue 02331051).</SPAN></LI></UL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(4) Proxy errors</STRONG></P><P><SPAN style="font-size: 10.5pt; color: black;">Below is a summary of proxy errors as it is seen in browser and in logs.</SPAN></P><TABLE><TBODY><TR><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="35%"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Error</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;" width="35%"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Browser</STRONG></P></TD><TD style="background: #EBEBEB; padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 10.5pt;">Log</STRONG></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">DNS failure, no connectivity to DNS server</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Gateway Timeout</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">The requested URL couldn't be resolved</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Reject</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Proxy: DNS timeout/error; Connection was rejected due to DNS timeout or error</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">DNS server is available but no record for the URL request</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Gateway Timeout</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">The requested URL couldn't be resolved</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Reject</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Proxy: Internal error; Connection was rejected due to internal error&nbsp;</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">DNS server is available, record for URL also available but no Internet connection</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">This web page is not available</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">ERR_TUNNEL_CONNECTION_FAILED</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Reject</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Can't connect to server</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTP server failure, no connectivity to HTTP server</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Gateway Timeout</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">The requested URL couldn't be resolved</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Reject</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">Can't connect to server</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">HTTPS server error "500/404" - usually it indicates on a problem with the HTML code or page not found</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Server error</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">500</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Accept</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Server Reset: Server is up and running but not listens to HTTP/S ports. Can happen after reboot or internal server errors</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Server error</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">502</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Accept</SPAN></P></TD></TR><TR><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Authentication failure: wrong credential in a password authentication</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P><SPAN style="font-size: 10.5pt; color: black;">Unauthorized</SPAN></P><P><SPAN style="font-size: 10.5pt; color: black;">The server could not verify that you are authorized to access the document requested.</SPAN></P></TD><TD style="padding: 3.0pt 3.0pt 3.0pt 3.0pt;"><P style="margin-bottom: .0001pt;"><SPAN style="font-size: 10.5pt; color: black;">Accept</SPAN></P></TD></TR></TBODY></TABLE><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(5) Related documentation</STRONG></P><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="http://supportcontent.checkpoint.com/documentation_download?ID=24806"><SPAN style="color: #905690; text-decoration: none;">R77 versions IPS Administration Guide</SPAN></A>&nbsp;- chapter "Monitoring Traffic" - section "HTTPS Inspection" - sub-section "HTTP/HTTPS Proxy"</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="http://supportcontent.checkpoint.com/documentation_download?ID=24834"><SPAN style="color: #905690; text-decoration: none;">R77 versions Threat Prevention Administration Guide</SPAN></A>&nbsp;- chapter "Using Threat Prevention with HTTPS Traffic" - section "HTTPS Inspection" - sub-section "HTTP/HTTPS Proxy"</SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="http://supportcontent.checkpoint.com/documentation_download?ID=24853"><SPAN style="color: #905690; text-decoration: none;">R77 versions Application Control and URL Filtering Administration Guide</SPAN></A>&nbsp;- chapter "Managing Application Control and URL Filtering" - section "HTTPS Inspection" - sub-section "HTTP/HTTPS Proxy"</SPAN></LI></UL><P><SPAN style="font-size: 10.5pt; color: black;">&nbsp;</SPAN></P><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 12.0pt;">(6) Related solutions</STRONG></P><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112816"><SPAN style="color: #905690; text-decoration: none;">sk112816 - Check Point support for IPv4 / IPv6 Proxy</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk92482"><SPAN style="color: #905690; text-decoration: none;">sk92482 - Performance impact from enabling HTTP/HTTPS Proxy functionality</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk101395"><SPAN style="color: #905690; text-decoration: none;">sk101395 - How to configure Proxy Chain on a Check Point Security Gateway defined as Proxy</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104639"><SPAN style="color: #905690; text-decoration: none;">sk104639 - Connection from a Client to a Server does not work when both Client and Server are NATed behind the same Security Gateway configured as Proxy</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110348"><SPAN style="color: #905690; text-decoration: none;">sk104639 - Mobile Access R77.30 Reverse Proxy</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk111171"><SPAN style="color: #905690; text-decoration: none;">sk111171 - Security Gateway in HTTP/HTTPS Proxy mode sends TCP RST packet in response to TCP SYN packet</SPAN></A></SPAN></LI><LI style="color: black;"><SPAN style="font-size: 10.5pt;"><A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk112939"><SPAN style="color: #999999; text-decoration: none;">sk112939 - Application Control and URL Filtering blades do not work when Security Gateway is configured as HTTP/HTTPS Proxy in Non Transparent mode</SPAN></A></SPAN></LI></UL><P style="margin-bottom: .0001pt;"><STRONG style="color: #333333; font-size: 16.5pt;">Applies To:</STRONG></P><UL><LI style="color: black;"><SPAN style="font-size: 10.5pt;">This SK replaces sk98559</SPAN></LI></UL></BODY></HTML> Thu, 08 Feb 2018 00:37:00 GMT Vladimir 2018-02-08T00:37:00Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4360#M10442 <HTML><HEAD></HEAD><BODY><P>Can Anybody PLease help me on this&nbsp;How to configure Check Point Security Gateway as HTTP/HTTPS Proxy</P><P></P><P>Thanks In advance</P></BODY></HTML> Thu, 20 Jul 2017 08:26:15 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4360#M10442 SAT_S 2017-07-20T08:26:15Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4361#M10443 <HTML><HEAD></HEAD><BODY><P>This is documented here:</P><P><A class="link-titled" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110013&amp;partition=Advanced&amp;product=Security" title="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110013&amp;partition=Advanced&amp;product=Security">How to configure Check Point Security Gateway as HTTP/HTTPS Proxy</A>&nbsp;</P></BODY></HTML> Thu, 20 Jul 2017 09:21:34 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4361#M10443 Peter_Sandkuijl 2017-07-20T09:21:34Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4362#M10444 <HTML><HEAD></HEAD><BODY><P>yes but i am not able to view it as m getting this pop up<IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/57521_pastedImage_1.png" style="width: auto; height: auto;" /></P></BODY></HTML> Thu, 20 Jul 2017 09:30:56 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4362#M10444 SAT_S 2017-07-20T09:30:56Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4363#M10445 <HTML><HEAD></HEAD><BODY><P>As a picture typically says more than a thousand words:</P><P><IMG src="https://sc1.checkpoint.com/sc/SolutionsStatics/sk110013/proxy1.png" /></P></BODY></HTML> Thu, 20 Jul 2017 11:17:14 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4363#M10445 Peter_Sandkuijl 2017-07-20T11:17:14Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4364#M10446 <HTML><HEAD></HEAD><BODY><P>hello Peter,</P><P></P><P>from sk "...Transparent - All HTTP traffic on specified ports and interfaces is intercepted and sent to a proxy..."</P><DIV>what does it (sent to a proxy) mean?<BR />proxy as a deamon or external box?</DIV><DIV> </DIV><DIV> </DIV><DIV>thank You!<BR />--<BR />ak.</DIV><P>"</P></BODY></HTML> Thu, 20 Jul 2017 11:23:07 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4364#M10446 Andrejs__Андрей 2017-07-20T11:23:07Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4365#M10447 <HTML><HEAD></HEAD><BODY><P>Thanks Peter , do i also need to configure any outbound or inbound policy against this..</P></BODY></HTML> Thu, 20 Jul 2017 11:26:26 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4365#M10447 SAT_S 2017-07-20T11:26:26Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4366#M10448 <HTML><HEAD></HEAD><BODY><P>This means a process runs on the Check Point gateway that acts as a proxy. No 3rd party proxy would be required.</P></BODY></HTML> Thu, 20 Jul 2017 11:32:43 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4366#M10448 Peter_Sandkuijl 2017-07-20T11:32:43Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4367#M10449 <HTML><HEAD></HEAD><BODY><P>Thanks peter this was a great help....</P></BODY></HTML> Thu, 20 Jul 2017 11:53:47 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4367#M10449 SAT_S 2017-07-20T11:53:47Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4368#M10450 <HTML><HEAD></HEAD><BODY><P>By checking the box, implied rules are put in place. You need to create rules as you usually would (internal lan &gt; internet &gt; http+https &gt; accept). Take into account that the gateway creates the outbound (proxied) connection from the gateway and requires a DNS to resolve against.</P></BODY></HTML> Thu, 20 Jul 2017 12:03:39 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4368#M10450 Peter_Sandkuijl 2017-07-20T12:03:39Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4369#M10451 <HTML><HEAD></HEAD><BODY><P>and excellent work Sergei Shir and the SecureKnowledge Team!</P><P>they updated that <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110013">sk110013</A>!</P><P>"...and processed by the Proxy code in the Security Gateway..."</P><P></P><P></P><P>Thank You,</P><P>--</P><P>ak.</P></BODY></HTML> Thu, 20 Jul 2017 12:16:40 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4369#M10451 Andrejs__Андрей 2017-07-20T12:16:40Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4370#M10452 <HTML><HEAD></HEAD><BODY><P>Hi peter</P><P></P><P>Bothering u again.. When creating a rule shud i &nbsp;select service as http 80, https 443 or http+https proxy 8080</P><P></P><P>SAT</P></BODY></HTML> Sat, 22 Jul 2017 14:01:22 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4370#M10452 SAT_S 2017-07-22T14:01:22Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4371#M10453 <HTML><HEAD></HEAD><BODY><P>http/https only should be sufficient.</P><P>The http-proxy service would allow access to other proxies, which I assume you don't want <img id="smileyhappy" class="emoticon emoticon-smileyhappy" src="https://community.checkpoint.com/i/smilies/16x16_smiley-happy.png" alt="Smiley Happy" title="Smiley Happy" /></P></BODY></HTML> Sat, 22 Jul 2017 16:58:45 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4371#M10453 PhoneBoy 2017-07-22T16:58:45Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4372#M10454 <HTML><HEAD></HEAD><BODY><P>what is the diffrence in transparent and non transparent proxy how they behave???</P></BODY></HTML> Wed, 09 Aug 2017 11:14:46 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4372#M10454 SAT_S 2017-08-09T11:14:46Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4373#M10455 <HTML><HEAD></HEAD><BODY><P>In non-transparent mode, you must explicitly define the gateway as a proxy in the browser (directly or with a proxy.pac file stored on a different webserver). Transparent mode intercepts HTTP traffic on the specified ports and interfaces and sends it through the proxy without explicit configuration on the client side.</P></BODY></HTML> Wed, 09 Aug 2017 14:29:09 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4373#M10455 PhoneBoy 2017-08-09T14:29:09Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4374#M10456 <HTML><HEAD></HEAD><BODY><P>Hi Dameon,</P><P>in non-transparent mode, the security gateway will break the http/https connection (meaning 2 connections, from client to security gateway, security gateway to http/https web server).</P><P>1. my understanding is, in order to intercept the web traffic, the security gateway should listen to tcp/8080.&nbsp;when i login to the gaia os cli expert level, i did not see a listening port at tcp/8080 (netstat -an) or is there other commands to view this?</P><P>2. using http/https proxy, the gateway show spawn off a httpd process to intercept web request at tcp/8080. so may i know what is the process name and how to view this process from <SPAN>gaia os cli expert level</SPAN>?</P><P></P><P>Thank You</P><P></P><P>TH</P></BODY></HTML> Sat, 19 Aug 2017 03:46:44 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4374#M10456 Tze_How_Tan 2017-08-19T03:46:44Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4375#M10457 <HTML><HEAD></HEAD><BODY><P style="color: #333333; background-color: #ffffff; border: 0px;">netstat doesn't show it because it's not a process that is listening on that port.</P><P style="color: #333333; background-color: #ffffff; border: 0px;">The firewall kernel intercepts the traffic and "folds" it to fwd,&nbsp;which listens on a number of ports (not tcp/8080).</P></BODY></HTML> Sat, 19 Aug 2017 04:42:44 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4375#M10457 PhoneBoy 2017-08-19T04:42:44Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4376#M10458 <HTML><HEAD></HEAD><BODY><P>Thanks Dameon for the clarification.</P></BODY></HTML> Sat, 19 Aug 2017 14:56:54 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4376#M10458 Tze_How_Tan 2017-08-19T14:56:54Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4377#M10459 <HTML><HEAD></HEAD><BODY><P>If we can not test anything through netstat, how can we verify that the proxy works correctly? And how correctly to troubleshoot it?<BR />In our case, we see logs, there are no deny actions, but the user does not have access to the Internet. On the test environment, I see this line:</P><P></P><P>[Expert@GW]# netstat | grep 8080<BR />unix 2 [ ] DGRAM 8080 /tmp/pmsock</P><P></P><P>But in another environment I don't see it, and proxy doesn't work.</P></BODY></HTML> Mon, 05 Feb 2018 15:50:55 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4377#M10459 Olga_Kuts 2018-02-05T15:50:55Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4378#M10460 <HTML><HEAD></HEAD><BODY><P class="">The most obvious first step would be to telnet to the firewall on port 8080 and see if it answers.</P><P class="">If it doesn't answer, then it might be a configuration issue or it might be something else.</P><P class="">Worth engaging the TAC in any case.</P></BODY></HTML> Mon, 05 Feb 2018 16:05:28 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4378#M10460 PhoneBoy 2018-02-05T16:05:28Z https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4379#M10461 <HTML><HEAD></HEAD><BODY><P>I am a bit puzzled by the behavior of Transparent Proxy:</P><P></P><P><IMG class="image-1 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62919_pastedImage_1.png" style="width: 620px; height: 569px;" /></P><P></P><P>And yet, I could not verify that the proxy is working.</P><P>There are no log entries signifying its utilization and online proxy checkers do not indicate that the proxy is being used:</P><P><IMG class="image-2 jive-image" src="https://community.checkpoint.com/legacyfs/online/checkpoint/62920_pastedImage_2.png" style="width: 620px; height: 441px;" /></P><P>I have enabled the headers for explicit purpose of identifying that the proxy is working, but do not see any confirmations to that effect.&nbsp;</P></BODY></HTML> Wed, 07 Feb 2018 15:37:42 GMT https://community.checkpoint.com/t5/General-Topics/How-to-configure-Check-Point-Security-Gateway-as-HTTP-HTTPS/m-p/4379#M10461 Vladimir 2018-02-07T15:37:42Z