startlook
Explorer

HTTPS Inspection for traffic in the VPN tunnel

Good afternoon!

We use a distributed network of CheckPoint 1535 devices connected in a mesh VPN. All devices are managed via CPSM.
When enabling the HTTPS Inspection policy on devices in the regions, traffic destined for the central office network is not included in the HTTPS Inspection policy. In the logs, these requests display the error: HTTPS Validation: The probe was unable to establish a TCP connection to the destination. Description: Bypassing request as configured in the engine settings of HTTPS Inspection.
Requests from the central office network that should not be routed to the VPN correctly traverse the HTTPS Inspection policy chain.
The client's access chains look like this (the Bypass option is enabled in the HTTPS Inspection rules for such traffic):
Client -> CP1535Branch -> meshVPN -> CP3600HQ -> HQ-Service (HTTPS)
In this chain, I get the error:

HTTPS Validation: The probe was unable to establish a TCP connection to the destination

Description: Bypassing request as configured in engine settings of HTTPS Inspection

Client -> CP1535Branch -> Internet
HTTPS works correctly in this chain.

How can I diagnose this problem? Could this be because the regional office's CheckPoint is attempting to access the central office nodes without encapsulating the traffic in the VPN?


Accepted Solutions
PhoneBoy
Admin

Part of performing HTTPS Inspection requires the gateway to reach out to the destination server to verify SNI.
If the gateway can't do this, you'll get this error.

If the gateway is attempting to reach out to the server without going through the VPN, you should clearly see this in a tcpdump on the external interface.
If the destination is in the encryption domain, it should go over the VPN.
If it isn't it might be a bug and TAC should be engaged.

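An added illustration of the check described in this answer and of the hypothesis in the question (example code written for this page, not code from the thread or from Check Point): the HTTPS Inspection probe is a new TCP connection sourced by the gateway itself, so the thing to look for in a tcpdump on the external interface is a cleartext SYN from the gateway's own address to an HQ address that should have been inside the tunnel. The script parses constructed tcpdump lines and applies a simplified model of the VPN community (a flow is encapsulated only when its source is in the local encryption domain and its destination is in the peer's domain). The encryption domains, gateway addresses and capture lines are all assumptions made up for the example.

```python
import ipaddress
import re

# Constructed addressing (assumed for illustration, not from the thread).
BRANCH_DOMAIN = [ipaddress.ip_network("10.20.0.0/24")]   # branch VPN domain
HQ_DOMAIN = [ipaddress.ip_network("10.1.0.0/16")]        # HQ VPN domain
BRANCH_GW_EXTERNAL = "203.0.113.10"                       # branch gateway WAN IP (assumed)
HQ_GW_EXTERNAL = "198.51.100.20"                          # HQ gateway WAN IP (assumed)

# Constructed sample of what a capture on the branch external interface might
# show, e.g. from:
#   tcpdump -ni <external-if> 'tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn or esp'
# Line 1: probe SYN to an HQ host in the clear (the symptom).
# Line 2: probe SYN to an Internet host (expected in the clear).
# Line 3: ESP to the HQ gateway (traffic that did go through the tunnel).
SAMPLE_CAPTURE = """\
12:00:01.000001 IP 203.0.113.10.44321 > 10.1.5.20.443: Flags [S], seq 1, win 64240, length 0
12:00:01.000500 IP 203.0.113.10.44322 > 93.184.216.34.443: Flags [S], seq 2, win 64240, length 0
12:00:02.000001 IP 203.0.113.10 > 198.51.100.20: ESP(spi=0x00000123,seq=0x1), length 116
"""

SYN_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.\d+ > (?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[S\]"
)


def in_domain(ip, domain):
    """True if ip falls inside any network of the given encryption domain."""
    ip = ipaddress.ip_address(ip)
    return any(ip in net for net in domain)


def classify_flow(src, dst):
    """How the branch gateway should carry a src->dst flow under the
    simplified model: encapsulate only if src is in the local encryption
    domain and dst is in the peer's encryption domain."""
    if not in_domain(dst, HQ_DOMAIN):
        return "internet"
    if in_domain(src, BRANCH_DOMAIN):
        return "vpn"
    return "cleartext-to-vpn-destination"


def find_cleartext_probes(capture):
    """Return (src, dst, dport) for SYNs seen in the clear on the external
    interface whose destination belongs to the HQ encryption domain.
    ESP lines never match SYN_RE, so tunnelled traffic is ignored."""
    hits = []
    for line in capture.splitlines():
        m = SYN_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if classify_flow(src, dst) == "cleartext-to-vpn-destination":
            hits.append((src, dst, dport))
    return hits


if __name__ == "__main__":
    for src, dst, dport in find_cleartext_probes(SAMPLE_CAPTURE):
        print(f"probe {src} -> {dst}:{dport} left in the clear: "
              f"{dst} is in the HQ VPN domain but {src} is not in the branch domain")
```

If a real capture shows the same pattern (SYNs from the gateway's own address to HQ hosts outside any ESP), that is the evidence to bring to TAC; if the probes instead appear only as ESP and the HQ side still never answers, the problem is on the HQ side of the tunnel rather than in the branch gateway's encapsulation decision.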
4 Replies
the_rock
MVP Diamond

Are any of those sites not inspected included in bypass policy?

Best,
Andy
"Have a great day and if its not, change it"
startlook
Explorer

Hello, Andy.
Yes, the bypass policy fully specifies the branch network (source) and the head office network (destination). The problem is that traffic from a host in a remote office does not match this rule, but is marked as "Error" with the error "The probe was unable to establish a TCP connection to the destination."

I suspect that the node on the network at the headquarters is unreachable by the CheckPoint device itself on the branch. When the HTTPS Inspection policy is enabled, the device itself sends a request to the node on behalf of the client. This node is unreachable via VPN from the device itself (it's only reachable by clients behind it). Could this be the cause of the problem? Do I need to somehow change the VPN Domain settings so that nodes on the headquarters network can be reached from the branch CheckPoint device itself?

the_rock
MVP Diamond

In my mind, as long as that node's traffic is subject to inspection by the CP firewall and the right inspection certs are trusted on it, there is no reason why this would not work.

Best,
Andy
"Have a great day and if its not, change it"