This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
the_rock
MVP Diamond
MVP Diamond
‎2026-02-13 02:59 PM
Jump to solution

Getting hit count on https inspection outbound policy

Hey guys,

Happy weekend 🙂

Apologies if I posted this in wrong space, but could not find management any longer listed anywhere.

Anywho, Im sure I asked this many times before, but since people CONSTANTLY keep asking me, I wanted to bring it up once more. Is there any way to somehow get a hit count enabled for https outbound inspection policy? 

I tried writting a script, but no matter what I do, just does not give me what Im looking for.

Thoughts?

Tx as always for helping.

ExactlyCorrectGIF.gif

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2026-02-14 05:27 AM
Jump to solution

I did some search online and found out this is indeed implemented in R82.10, which I did confirm with demo smart console. Gateway would need to be on that version.

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"

View solution in original post

0 Kudos
9 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2026-02-14 03:17 AM
Jump to solution

Open an RFE and ask your customers to do the same in consultation with their SE.

https://usercenter.checkpoint.com/ucapps/rfe/

CCSM R77/R80/ELITE
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-02-14 04:11 AM
In response to Chris_Atkinson
Jump to solution

Hey Chris,

I did that while back actually, but never received any feedback about it. I will keep trying and see if I can somehow make it work.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2026-02-14 03:55 PM
In response to the_rock
Jump to solution

This slipped past me as well, as you say it's mentioned in the release notes for R82.10

https://sc1.checkpoint.com/documents/R82.10/WebAdminGuides/EN/CP_R82.10_SecurityManagement_AdminGuid...

CCSM R77/R80/ELITE
the_rock
MVP Diamond
MVP Diamond
‎2026-02-14 03:58 PM
In response to Chris_Atkinson
Jump to solution

All good brother...none of us are supermen/AIs/robots 😁

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-02-14 05:27 AM
Jump to solution

I did some search online and found out this is indeed implemented in R82.10, which I did confirm with demo smart console. Gateway would need to be on that version.

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2026-02-14 05:52 AM
In response to the_rock
Jump to solution

Funny - I've been looking at HTTPs inspection recently and wanted exactly the same thing i.e hitcount on outbound https policy.

Now - may not be specific to this thread, but the fact you need a SubCA certificate to do HTTPs inspect was also a challenge if I wanted this signed by the clients PrivateCA, basically there is no way they would do that.

I have however created a PrivateCA certificate using OpenSSL (in this way I can add more values to it), and then created a Server Certificate from this with SANs;  This is then used for UserCheck.

In this way only the PrivateCA's public cert needs to be imported into the end users devices.

Happy to share the commands used for OpenSSL with the exact parameters that worked for me (Clearly changing the values though).

When testing the only issue I've seen, which is odd, was with cnn.com (have a TAC case open for this).

my HTTPs inspection policy also has all the updateable object with'bypass' in them, as well for Bypass. The SK related to this need to be updated with these additional value as its not been updated since around 2022 (send feedback on this to Checkpoint, via the SK).

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2026-02-14 05:55 AM
In response to genisis__
Jump to solution

Hey mate,

I tried so many times to see if there is guidbedit setting that can be modified to make this work, but no matter what I try, does not work. O well, now we know its present in R82.10. I still wont give up, will try to make it work on my lab. My mgmt is R82, but cluster is still R81.20, thats cluster where I have my lab win 11 machine "subjected" to ssl inspection.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
genisis__
MVP Silver
MVP Silver
‎2026-02-16 02:15 PM
In response to the_rock
Jump to solution

Managed to figure out why cnn.com was not working, Checkpoint has not loaded the Chain certificate into the trust store, so I loaded it in the custom trust store and it worked.
I found a few others and reported them all to Checkpoint TAC so they can all be considered for the next certificate package update.

the_rock
MVP Diamond
MVP Diamond
‎2026-02-16 02:54 PM
In response to genisis__
Jump to solution

Thats great, thanks for that, @genisis__ 

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events