https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63454#M12869 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7210">@Falk</a>&nbsp;</P><P>Hope you are doing fine, based on your use case you can totally do this on Check Point Firewalls. Personally I have done many migrations from Squid to CHKP.</P><P>A couple of advises:</P><UL><LI>Based on your use case you will need NGTP licensing to enforce Access rules, URL Filtering and Application control, Anti-Bot.<UL><LI>Stop connection to non http/https ports: Firewall blade - Access Policy</LI><LI>Enforce web browsing policies and quality of service (IE: No streaming for certain users, no pornography): URL Filtering &amp; Application Control</LI><LI>Prevent high risk web browsing: URL Filtering &amp; Application Control</LI><LI>Prevent C&amp;C: Anti Bot.</LI></UL></LI><LI>You can deploy your gateway in Web Proxy mode (You have to setup proxy address in user's browsers) or directly by processing traffic. In my personal experience I had better enforcement results by only enabling URL Filtering / App control on the gateway and then routing traffic from the host through the gateway without setting anything on the browser.</LI><LI>Keep in mind that you cannot do load balance as reverse proxy, not as far as I know at least.</LI></UL><P>Hope it helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Mon, 23 Sep 2019 15:31:59 GMT FedericoMeiners 2019-09-23T15:31:59Z https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63408#M12860 <P>Hi,</P><P>We are today running a couple of squids as forwarding proxies for our internal servers.<BR />So that they do not have direct access to the internetz.&nbsp;</P><P>And now we are in the process of replace them with newer ones, then I read that you can enable HTTP/HTTPS proxy on our R80.<BR /><BR />Do you have any experience to use it as an non-transparent proxy, like in our squid case?<BR />It's only for logging and stop connections to bad actors on non http/https ports. I know it's a rather obsolete way beq all c&amp;c and such is using https anyhow <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span>&nbsp;<BR /><BR />Thougts?</P><P>--<BR />Regards Falk</P> Mon, 23 Sep 2019 09:04:07 GMT https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63408#M12860 Falk 2019-09-23T09:04:07Z https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63419#M12861 <P>I would not suggest to use the CP GW Proxy Server instead of Squid &amp; Co. as the limitations are severe, see</P> <P><A class="cp_link sc_ellipsis" href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk110013&amp;partition=Advanced&amp;product=Security" target="_blank">sk110013: How to configure Check Point Security Gateway as HTTP/HTTPS <STRONG>Proxy</STRONG></A>&nbsp;for details !</P> <P><SPAN>Main point apart from limitations: Check Point HTTP/HTTPS proxy is </SPAN><EM><STRONG>not</STRONG></EM><SPAN> a caching proxy (it does not cache commonly visited web pages to provide faster local access to hosts on the LAN).</SPAN></P> Mon, 23 Sep 2019 10:20:49 GMT https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63419#M12861 G_W_Albrecht 2019-09-23T10:20:49Z https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63454#M12869 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7210">@Falk</a>&nbsp;</P><P>Hope you are doing fine, based on your use case you can totally do this on Check Point Firewalls. Personally I have done many migrations from Squid to CHKP.</P><P>A couple of advises:</P><UL><LI>Based on your use case you will need NGTP licensing to enforce Access rules, URL Filtering and Application control, Anti-Bot.<UL><LI>Stop connection to non http/https ports: Firewall blade - Access Policy</LI><LI>Enforce web browsing policies and quality of service (IE: No streaming for certain users, no pornography): URL Filtering &amp; Application Control</LI><LI>Prevent high risk web browsing: URL Filtering &amp; Application Control</LI><LI>Prevent C&amp;C: Anti Bot.</LI></UL></LI><LI>You can deploy your gateway in Web Proxy mode (You have to setup proxy address in user's browsers) or directly by processing traffic. In my personal experience I had better enforcement results by only enabling URL Filtering / App control on the gateway and then routing traffic from the host through the gateway without setting anything on the browser.</LI><LI>Keep in mind that you cannot do load balance as reverse proxy, not as far as I know at least.</LI></UL><P>Hope it helps <span class="lia-unicode-emoji" title=":slightly_smiling_face:">🙂</span></P><P>&nbsp;</P> Mon, 23 Sep 2019 15:31:59 GMT https://community.checkpoint.com/t5/General-Topics/Replace-out-squid-cluster-with-HTTP-HTTPS-proxying-on-our/m-p/63454#M12869 FedericoMeiners 2019-09-23T15:31:59Z