https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261062#M44143 <P>Good to throw this into discussion with customers.&nbsp;</P> <P>There should be no reason NOT to enable https inspection.&nbsp;</P> <P>Yes it takes time to configure and yes sometimes it can give issues (like any other additional feature)&nbsp;</P> Mon, 27 Oct 2025 18:05:58 GMT Lesley 2025-10-27T18:05:58Z https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261037#M44135 <P><A href="https://support.checkpoint.com/results/sk/sk184185" target="_self">This new Secureknowledge article,&nbsp;</A><SPAN><A href="https://support.checkpoint.com/results/sk/sk184185" target="_self">sk184185</A>, answers one very frequent question: <STRONG>Why do you want to enable HTTPS Inspection on your security GW</STRONG>s.</SPAN></P> <P><SPAN>Here is what the SK says (quoting in full):<BR /><BR /></SPAN></P> <P>Without HTTPS Inspection, the Security Gateway can only inspect metadata such as domain names and TLS certificates. Most Threat Prevention blades cannot inspect encrypted payloads. With HTTPS Inspection enabled, the gateway decrypts traffic and allows full inspection by all blades.</P> <P><STRONG>Recommendation:</STRONG><SPAN>&nbsp;</SPAN>Enable HTTPS Inspection for outbound traffic. Exclude sensitive domains such as banking sites or internal services to avoid privacy and performance issues.</P> <DIV class="warning"><STRONG>Warning:</STRONG><SPAN>&nbsp;</SPAN>HTTPS Inspection may impact performance and user privacy. Test in a lab environment before deployment.</DIV> <H3><BR />Real-World Example</H3> <DIV class="example"> <P>A user clicks a phishing link:<SPAN>&nbsp;</SPAN><CODE>example.com/login</CODE></P> <UL> <LI><STRONG>Without HTTPS Inspection:</STRONG> <UL> <LI>URL Filtering blocks known malicious domains.</LI> <LI>Anti-Bot uses reputation and traffic patterns.</LI> <LI>Encrypted payload bypasses AV/IPS.</LI> </UL> </LI> <LI><STRONG>With HTTPS Inspection:</STRONG> <UL> <LI>Zero-Phishing analyses the page and injects browser protections.</LI> <LI>AV/IPS inspect files and exploits inside the page.</LI> </UL> </LI> </UL> </DIV> <H3><BR />Blade Behavior Comparison</H3> <DIV class="table-wrapper"> <TABLE class="footnote" border="1" width="100%" cellspacing="2" cellpadding="4"> <TBODY> <TR class="SubTitle" bgcolor="#d6dff0"> <TH>Feature</TH> <TH>Without HTTPS Inspection</TH> <TH>With HTTPS Inspection</TH> <TH>Notes</TH> </TR> <TR> <TD>IPS</TD> <TD>Minimal: TLS anomalies only</TD> <TD>Full payload inspection</TD> <TD>Requires decrypted content</TD> </TR> <TR> <TD>Anti-Bot / C2 Detection</TD> <TD>DNS, traffic patterns, domain reputation</TD> <TD>Adds payload inspection for beaconing</TD> <TD>Detects hidden C2 patterns in HTTP POST/GET</TD> </TR> <TR> <TD>Anti-Bot / Reputation</TD> <TD>IP/domain reputation, TLS cert anomalies</TD> <TD>No additional benefit</TD> <TD>Reputation is metadata-driven</TD> </TR> <TR> <TD>Application Control</TD> <TD>Partial: SNI, IP ranges</TD> <TD>Full identification via payload</TD> <TD>Differentiates app functions (e.g., chat vs. video)</TD> </TR> <TR> <TD>Application Control - UserCheck</TD> <TD>Not supported</TD> <TD>Supported via HTTP redirect</TD> <TD>Requires decryption</TD> </TR> <TR> <TD>URL Filtering</TD> <TD>Domain-based filtering</TD> <TD>Granular filtering by path, parameters</TD> <TD>Blocking<SPAN>&nbsp;</SPAN><CODE>example.com/badpage</CODE><SPAN>&nbsp;</SPAN>requires decryption</TD> </TR> <TR> <TD>URL Filtering - UserCheck</TD> <TD>Not supported</TD> <TD>Supported via HTTP redirect</TD> <TD>Requires decryption</TD> </TR> <TR> <TD>Anti-Virus</TD> <TD>Limited on URL based filtering</TD> <TD>Scans files inside HTTPS</TD> <TD>Requires decrypted payload</TD> </TR> <TR> <TD>Threat Emulation</TD> <TD>Not available</TD> <TD>Extracts files for sandboxing</TD> <TD>Requires decryption</TD> </TR> <TR> <TD>Threat Extraction</TD> <TD>Not available</TD> <TD>Sanitizes active content</TD> <TD>Requires decryption</TD> </TR> <TR> <TD>Zero-Phishing</TD> <TD>Limited SNI-based enforcement (R82.10)</TD> <TD>Full page analysis and JS injection</TD> <TD>In-browser protection requires HTTPS Inspection</TD> </TR> </TBODY> </TABLE> </DIV> <P>&nbsp;</P> Mon, 27 Oct 2025 13:24:18 GMT https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261037#M44135 _Val_ 2025-10-27T13:24:18Z https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261054#M44140 <P>Thats super helpful.</P> Mon, 27 Oct 2025 16:47:41 GMT https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261054#M44140 the_rock 2025-10-27T16:47:41Z https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261062#M44143 <P>Good to throw this into discussion with customers.&nbsp;</P> <P>There should be no reason NOT to enable https inspection.&nbsp;</P> <P>Yes it takes time to configure and yes sometimes it can give issues (like any other additional feature)&nbsp;</P> Mon, 27 Oct 2025 18:05:58 GMT https://community.checkpoint.com/t5/General-Topics/Software-Blade-effectiveness-with-and-without-HTTPS-Inspection/m-p/261062#M44143 Lesley 2025-10-27T18:05:58Z