https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/31342#M6532 <HTML><HEAD></HEAD><BODY><P class="">Hi Alessandro</P><P class="">Is it SNI domains your are trying to access?</P><P class="">Did you try to analyze and inspect domains via https://www.ssllab.com? It will show you certicate type and which encryption is enabled.</P><P class="">I had to enable some encryption protocol levels when using probe bypass.</P><P class="">Best regards</P><P class="">Kim</P></BODY></HTML> Thu, 07 Feb 2019 17:01:48 GMT Kim_Moberg 2019-02-07T17:01:48Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/31341#M6531 <HTML><HEAD></HEAD><BODY><P>Hello, I´m using R80.20 Take 33, when I enable the flag&nbsp;enhanced_ssl_inspection some sites don´t open in browsers like chrome (version 58 or 71)... example: <A href="http://www.uol.com,">www.uol.com,</A>&nbsp;<A href="http://www.bitcointrade.com.br">www.bitcointrade.com.br</A>...etc... any tips or sugestions?</P><P></P><P>Thank you.</P><P></P><P>Alessandro</P></BODY></HTML> Thu, 07 Feb 2019 14:02:25 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/31341#M6531 Alessandro_Marr 2019-02-07T14:02:25Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/31342#M6532 <HTML><HEAD></HEAD><BODY><P class="">Hi Alessandro</P><P class="">Is it SNI domains your are trying to access?</P><P class="">Did you try to analyze and inspect domains via https://www.ssllab.com? It will show you certicate type and which encryption is enabled.</P><P class="">I had to enable some encryption protocol levels when using probe bypass.</P><P class="">Best regards</P><P class="">Kim</P></BODY></HTML> Thu, 07 Feb 2019 17:01:48 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/31342#M6532 Kim_Moberg 2019-02-07T17:01:48Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/46725#M9031 <P>The behaviour has been changed, please look at sk104717:</P><P>&nbsp;</P><P><STRONG>Important:</STRONG></P><UL><LI>In R80.10, before Jumbo Hotfix Accumulator for R80.10&nbsp;Take 189, the probing feature is set, by default, to Fail Open.</LI><LI>From Take 189, the default behavior is changed to Fail Close.</LI><LI>You can return to the behavior as it was before Take 189, by setting bypass_on_enhanced_ssl_inspection 1</LI></UL><P><STRONG>To set the default to Fail Open:</STRONG></P><OL><LI>Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1</LI><LI>In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1</LI></OL><P><STRONG>The probing feature may fail in the following scenarios (and therefore it is not recommended):</STRONG></P><UL><LI>Server requires an SNI extension in the SSL "Client hello" packet.</LI><LI>Missing cipher - The Security Gateway does not support any of the server allowed ciphers.</LI><LI>The server presents an incorrect certificate when SNI is not provided</LI></UL><P><STRONG>To disable probing (Recommended):</STRONG></P><OL><LI>Run: fw ctl set int enhanced_ssl_inspection 0</LI><LI>In $FWDIR/modules/fwkern.conf, add this line: enhanced_ssl_inspection=0</LI></OL> Wed, 13 Mar 2019 10:04:59 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Probe-Bypass-on-R80-20-should-I-enable/m-p/46725#M9031 Emanuele_Lorenz 2019-03-13T10:04:59Z