https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223654#M37276 <P>Yep, agree, ssl inspection is best in R81.20, no doubt about it. So far, R82 EA seems okay, but lets wait till its GA.</P> <P>Andy</P> Wed, 14 Aug 2024 13:41:39 GMT the_rock 2024-08-14T13:41:39Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223264#M37182 <P>I want to enable HTTPS inspection to enable DPI in the maestro environment. Before that, I need to clear some queries.</P><P>1. If HTTPS inspection is enabled then what is the impact on CPU+Memory utilization?<BR />2. Is it possible to install various types of certificates like wildcard, SSL, and so on for various services?<BR />3. If I enable the HTTPS inspection blade, does it automatically inspect both inbound and outbound traffic? If yes, then is there any option to separate?</P><P>Please provide the official document/SK regarding these queries. Thanks</P> Sun, 11 Aug 2024 11:37:35 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223264#M37182 maxtaan 2024-08-11T11:37:35Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223266#M37183 <P>We now publish HTTPS numbers on the datasheets for 9000 / 19200 / 29200 appliances.</P> <P>Inbound vs outbound is controlled separately, please refer to the documentation:</P> <P><A href="https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/HTTPS-Inspection.htm" target="_blank">https://sc1.checkpoint.com/documents/R81.20/WebAdminGuides/EN/CP_R81.20_SecurityManagement_AdminGuide/Content/Topics-SECMG/HTTPS-Inspection.htm</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk65123" target="_blank">https://support.checkpoint.com/results/sk/sk65123</A></P> <P><A href="https://support.checkpoint.com/results/sk/sk108202" target="_blank">https://support.checkpoint.com/results/sk/sk108202</A></P> Sun, 11 Aug 2024 12:04:58 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223266#M37183 Chris_Atkinson 2024-08-11T12:04:58Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223272#M37189 <P><A href="https://support.checkpoint.com/results/sk/sk65123" target="_blank">https://support.checkpoint.com/results/sk/sk65123</A></P> <P><A class="checkpoint_toggle" target="_blank">Is there a performance impact when enabling HTTPS Inspection on the gateway?</A></P> <DIV id="Q9"> <BLOCKQUOTE>HTTPS Inspection requires the Security Gateway to perform extra SSL work: <UL> <LI>SSL handshake with the secure web site and with the client browser.</LI> <LI>Decrypt &amp; re-encrypt all SSL traffic, to be able to inspect it.</LI> </UL> <BR />This has some performance impact on SSL capacity and latency, but in normal situations the end user should not be aware of it. <P class="1723402720486">&nbsp;<A href="https://support.checkpoint.com/results/sk/sk108202" target="_blank">https://support.checkpoint.com/results/sk/sk108202</A></P> <H3 id="Performance">(Part 4) Performance</H3> <DIV><A class="checkpoint_toggle" target="_blank">Show / Hide this section</A><BR /> <DIV id="Toggle_Part_4"> <BLOCKQUOTE> <P>HTTPS Inspection creates additional load on Security Gateway's CPU and increased RAM usage due to these reasons:</P> <P>TLS termination, encrypt/decrypt and active TCP termination.</P> <P>Additional traffic is inspected by security blades.</P> <P>In general, the more blades and security features, the higher the additional load.</P> </BLOCKQUOTE> </DIV> </DIV> <P>&nbsp;</P> </BLOCKQUOTE> </DIV> Sun, 11 Aug 2024 19:06:31 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223272#M37189 Lesley 2024-08-11T19:06:31Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223281#M37197 <P>Thanks,&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/73547">@Lesley</a>&nbsp; , You have answered only one question from the three that I raised. Can you please answer the rest two the way you answered the first one?</P> Mon, 12 Aug 2024 05:57:27 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223281#M37197 maxtaan 2024-08-12T05:57:27Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223366#M37205 <P>The rest you can find in the links that Chris posted above</P> Mon, 12 Aug 2024 17:05:50 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223366#M37205 Lesley 2024-08-12T17:05:50Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223369#M37206 <P><SPAN>1. If HTTPS inspection is enabled then what is the impact on CPU+Memory utilization?</SPAN></P> <P>For powerful firewalls, you wont see much impact at all.</P> <P><BR /><SPAN>2. Is it possible to install various types of certificates like wildcard, SSL, and so on for various services?</SPAN></P> <P>Yes, they are, see point 23</P> <P><A href="https://support.checkpoint.com/results/sk/sk65123" target="_blank">https://support.checkpoint.com/results/sk/sk65123</A></P> <P><BR /><SPAN>3. If I enable the HTTPS inspection blade, does it automatically inspect both inbound and outbound traffic? If yes, then is there any option to separate?</SPAN></P> <P><SPAN>No it does NOT, they are totally separate and inbound inspection needs its own cert (.p12 format) imported.</SPAN></P> <P><SPAN>Andy</SPAN></P> Mon, 12 Aug 2024 17:47:46 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223369#M37206 the_rock 2024-08-12T17:47:46Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223404#M37216 <P>Outbound inspection requires a CA certificate trusted by your clients to be used.<BR />(Which means it cannot be used for people outside your organization)</P> <P>For inbound inspection, you use the same certificate as your server.<BR />If you're protecting multiple sites using the same public IP, you will need to use a single certificate that covers all the relevant FDQNs.</P> Mon, 12 Aug 2024 22:22:46 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223404#M37216 PhoneBoy 2024-08-12T22:22:46Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223415#M37219 <P><a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/88297">@maxtaan</a>&nbsp;</P> <P>To add to what&nbsp;<a href="https://community.checkpoint.com/t5/user/viewprofilepage/user-id/7">@PhoneBoy</a>&nbsp;said, you can also refer to my post below, hope it helps.</P> <P>Best and if you need help, happy to help you in the lab with it, as I have fully working R81.20 and R82 ssl inspection lab.&nbsp;</P> <P>Andy</P> <P><A href="https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139" target="_blank">https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139</A></P> Mon, 12 Aug 2024 22:53:27 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223415#M37219 the_rock 2024-08-12T22:53:27Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223653#M37275 <P>Regarding point 1 this is subjective and version relevant, less of&nbsp; an issue as of R81.20 but not insignificant by any means.</P> Wed, 14 Aug 2024 13:40:08 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223653#M37275 Chris_Atkinson 2024-08-14T13:40:08Z https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223654#M37276 <P>Yep, agree, ssl inspection is best in R81.20, no doubt about it. So far, R82 EA seems okay, but lets wait till its GA.</P> <P>Andy</P> Wed, 14 Aug 2024 13:41:39 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-inspection-utilization-impact/m-p/223654#M37276 the_rock 2024-08-14T13:41:39Z