https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37381#M7923 <HTML><HEAD></HEAD><BODY><P>By default, the "Website Categorization Mode" is set to "Background" which means that initial web requests will be allowed even if categorization has not been obtained &amp; cached yet.&nbsp; If you set it to "Hold" (see attached screenshot) the user will not be able to start loading content until it has been categorized (and possibly blocked).&nbsp; If you go this route make sure that all DNS servers configured in the firewall's Gaia OS config are defined properly and responding quickly, or users may suffer long delays trying to load up a new website whose categorization has not yet been cached by the firewall.</P><P></P><P>In regards to the delay incurred by HTTPS Inspection itself (as opposed to the categorization process discussed above), this feature does cause a process space "trip" on the firewall in R80.10 and earlier.&nbsp; Techniques to minimize the performance impact of the trip in regards to HTTPS Inspection are covered extensively in Chapter 10 of the second edition of my book, and can be roughly summarized as:</P><P></P><UL><LI>Make sure Gaia is running in 64-bit mode</LI><LI>Use firewall hardware whose processor supports AES-NI</LI><LI>Tune the firewall to ensure sufficient free CPU cycles are available on the Firewall Worker cores for the wstlsd/pkxld processes</LI><LI>Avoid use of "Any" in the HTTPS Inspection Policy</LI><LI>Load the latest GA jumbo hotfix</LI><LI>Beware using APCL Limits in conjunction with HTTPS Inspection (sk70600)</LI></UL><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P><P></P><P></P><P><IMG __jive_id="66979" alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/66979_categorize.jpg" /></P></BODY></HTML> Mon, 09 Jul 2018 14:11:54 GMT Timothy_Hall 2018-07-09T14:11:54Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37380#M7922 <HTML><HEAD></HEAD><BODY><P>Dear all,</P><P></P><P>I've noticed a strange behavior when enabling HTTPS inspection, would like to confirm if anyone has seen a similar problem?</P><P></P><P>When HTTPS inspection is enabled, page blocking by categorization takes much longer to apply. For e.g. when accessing betting sites over HTTPS or pages with image galleries, the page loads fine and its contents load. Smartview Tracker shows the page contents as blocked but they are loading fine on browser. After retrying approx 30 seconds to 1 minute later, the page is then correctly blocked and Usercheck page is shown.</P><P></P><P>Is it normal for categorization to take longer on HTTPS inspection or for pages to load successfully for so long? Is there any way to troubleshoot what is happening to cause this delay?</P><P></P><P>Without HTTPS inspection, pages are blocked almost instantly. Maybe the first time they load partially (images etc don't load) but immediately after the first refresh they are fully blocked (no Usercheck which is normal). With HTTPS inspection, even after the first few refreshes the pages still load. This has been tested with various sites and different categories and the behavior is same.</P></BODY></HTML> Mon, 09 Jul 2018 10:29:01 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37380#M7922 Bharat_B 2018-07-09T10:29:01Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37381#M7923 <HTML><HEAD></HEAD><BODY><P>By default, the "Website Categorization Mode" is set to "Background" which means that initial web requests will be allowed even if categorization has not been obtained &amp; cached yet.&nbsp; If you set it to "Hold" (see attached screenshot) the user will not be able to start loading content until it has been categorized (and possibly blocked).&nbsp; If you go this route make sure that all DNS servers configured in the firewall's Gaia OS config are defined properly and responding quickly, or users may suffer long delays trying to load up a new website whose categorization has not yet been cached by the firewall.</P><P></P><P>In regards to the delay incurred by HTTPS Inspection itself (as opposed to the categorization process discussed above), this feature does cause a process space "trip" on the firewall in R80.10 and earlier.&nbsp; Techniques to minimize the performance impact of the trip in regards to HTTPS Inspection are covered extensively in Chapter 10 of the second edition of my book, and can be roughly summarized as:</P><P></P><UL><LI>Make sure Gaia is running in 64-bit mode</LI><LI>Use firewall hardware whose processor supports AES-NI</LI><LI>Tune the firewall to ensure sufficient free CPU cycles are available on the Firewall Worker cores for the wstlsd/pkxld processes</LI><LI>Avoid use of "Any" in the HTTPS Inspection Policy</LI><LI>Load the latest GA jumbo hotfix</LI><LI>Beware using APCL Limits in conjunction with HTTPS Inspection (sk70600)</LI></UL><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P><P></P><P></P><P><IMG __jive_id="66979" alt="" class="image-1 jive-image j-img-original" src="https://community.checkpoint.com/legacyfs/online/checkpoint/66979_categorize.jpg" /></P></BODY></HTML> Mon, 09 Jul 2018 14:11:54 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37381#M7923 Timothy_Hall 2018-07-09T14:11:54Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37382#M7924 <HTML><HEAD></HEAD><BODY><P>Hello Tim, thank you for the answer. To reply to the points:</P><P></P><UL style="color: #333333; background-color: #ffffff; border: 0px; padding: 0px 0px 0px 30px;"><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Make sure Gaia is running in 64-bit mode<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Already in 64-bit mode</LI></UL></LI><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Use firewall hardware whose processor supports AES-NI<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Hardware is 5400, doesn't look like it supports AES-NI as per&nbsp;<A _jive_internal="true" href="https://community.checkpoint.com/thread/6617-aes-ni">This Community post</A></LI></UL></LI><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Tune the firewall to ensure sufficient free CPU cycles are available on the Firewall Worker cores for the wstlsd/pkxld processes<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Firewall is free enough, running at approx 15% CPU</LI></UL></LI><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Avoid use of "Any" in the HTTPS Inspection Policy<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Any in HTTP/HTTPS to inspect after the bypass rules. Is this relevant?</LI></UL></LI><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Load the latest GA jumbo hotfix<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Already installed T302</LI></UL></LI><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Beware using APCL Limits in conjunction with HTTPS Inspection (sk70600)<UL><LI style="border: 0px; font-weight: inherit; margin: 0.5ex 0px;">Checked</LI></UL></LI></UL><P></P><P>While the blocking eventually happens, the management is not very confident of the solution and believe some blocked content may be slipping through. The worse part is that the logs show the content as "blocked" but the page is actually loading fine in the background for the first few minutes.</P></BODY></HTML> Thu, 12 Jul 2018 07:04:22 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37382#M7924 Bharat_B 2018-07-12T07:04:22Z https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37383#M7925 <HTML><HEAD></HEAD><BODY><P>So is content still "slipping through" even with website categorization set to Hold?&nbsp; It shouldn't be and anything you are seeing to the contrary could just be cached data in the browser.</P><P></P><P>The main reason to avoid using "Any" in your HTTPS Inspection Policy is to keep LAN-speed traffic between internal networks from accidentally getting sucked into HTTPS Inspection.</P><P></P><P>It also sounds like the 5400 with its 2 cores may be a bit underpowered for what you are trying to do.&nbsp; What does the output of the "enabled_blades" and "free -m" commands run on the firewall show?</P><P></P><P>--<BR /> Second Edition of my "Max Power" Firewall Book<BR /> Now Available at <A href="http://www.maxpowerfirewalls.com" target="_blank">http://www.maxpowerfirewalls.com</A></P></BODY></HTML> Thu, 12 Jul 2018 14:29:34 GMT https://community.checkpoint.com/t5/General-Topics/HTTPS-Inspection-Categorization-on-R77-30/m-p/37383#M7925 Timothy_Hall 2018-07-12T14:29:34Z