
HTTPS Decryption


I am looking to see if anyone has any suggestions/ideas on best ways for HTTPS web traffic etc.

At present I have a Cisco Proxy Appliance used for web traffic (on the inside of the Firewall) and I decrypt web traffic here.  The Cisco Proxy Appliance can then allow/block the relevant traffic.

From the Check Point, I want to use this in a basic form to do additional blocking that the Cisco Proxy Appliance is unable to do (i.e. block Dropbox/OneDrive, Yahoo Messenger, etc.) but at present this is not working fully as I don't have HTTPS Inspection enabled.

I am looking for any suggestions/ideas if anyone else has the same type of setup?

Ways I could do this at the moment would be:

1 - decrypt Cisco Proxy Appliance traffic and leave Firewall as is (Cisco could identify all traffic but Firewall wouldn't)

2 - no decrypt on Cisco Proxy Appliance and decrypt all traffic at Firewall (Cisco couldn't identify all traffic but Firewall could)

3 - decrypt Cisco Proxy Appliance traffic and decrypt Firewall traffic (Cisco and Firewall could identify all traffic however this may have performance impact)


3 Replies

Re: HTTPS Decryption

Why are you maintaining two separate security solutions?

Re: HTTPS Decryption

The Cisco Proxy Appliance is our corporate standard product for Web Filtering and the reporting is also very detailed. I have in the past tried to use the Check Point URL/App Control for filtering but had issues where some sites would be allowed which I would not want and vice versa. I also am unsure why Check Point categorizes websites as multiple categories (example, Categories: Sex, Nudity, Entertainment). This was causing issues in creating a base policy for users which didn't work for us.

I was just seeing if anyone else had a main filtering product but also used the Check Point for more granular filtering.

Re: HTTPS Decryption

I do not think that pairing your Cisco appliance with a Check Point gateway is the optimal solution.

I'd have all traffic decrypted, analyzed, and blocked or allowed by Check Point.

"One to many" dedicated SSL decryptors/re-encryptors are a different story, but we are talking about IXIA, Gigamon, F5 or Symantec SSL in these cases.
