Not supported in Transparent Proxy configuration when the HTTPS traffic ports are configured in the 'ports' section of the proxy configuration.

That just means we can't transparently proxy HTTPS. Which makes sense because you would need to to HTTPS Inspection to do it properly.

HTTPS traffic

Supported in Non-Transparent Proxy configuration.

This is because in an explicit proxy mode, the actual connect message is in cleartext (e.g. CONNECT https://www.google.com HTTP/1.1).

We can allow/block traffic based on the actual destination in this case.

I've configured WPAD via DHCP and serve a central PAC file which excludes the security gateway. Workstations subsequently use an explicit proxy configuration but UserCheck redirection is not working in Google Chrome, Edge and Internet Explorer. Is this an issue I should open with TAC or do I need to do something to get the browser to honor the redirect?

The following is a packet capture from the office router sitting in between the workstation and the security gateway:

The browser appear to simply ignored the response. I'm able to see the User Check message if I manually type it in to the browser and it's not sent to the security gateway via the proxy protocol.

PS: Running R80.10 management and security gateway.

It might be worth a TAC case, but we are sending a redirect-type message as we should.

Never seen a 303 error before but it kind of makes sense since it's neither a "temporary" or "permanent" redirect. 

What gateway are you expecting the user check from? If remote, its’ user check URL should also be made accessible, else your workstation may be attempting to reach it via the local one.

Directly from the security gateway at the moment:

  internet --- firewall --- PC

We would like to present User Check notifications for secure sites, without enabling HTTPS inspection and understood R80.10 to be able to do this when configuring an explicit proxy.

David,

please provide a topology information describing PC, both gateways, any routers between them, etc..

Your traffic may be going from PC to secure site via remote gateway (proxy), but when redirected, points to the local gateway for the access to the UserCheck URL. 

Hi Vladimir,

The test case is extremely simple, we have a security gateway at the perimeter of our network (100.127.254.1/30), which interfaces with a router (100.127.254.2/30), which is the gateway for the LAN (192.168.5.254/23). A workstation (192.168.5.12/23) attempting to navigate to a site who's category is blocked and configured to display a User Check notice only redirects to the notification page when using plain HTTP connections.

I understood R80.10 to be able to redirect secure browsing (HTTPS) requests when workstations are configured with an explicit proxy. We subsequently configured the security gateway as a non-transparent proxy, set the proxy port as 3128 and configured a workstation to use the explicit proxy (100.127.254.1:3128).

Using Internet Explorer 11, Edge or Google Chrome and navigating to a non-secure site results in the browser displaying the User Check page but browsing to blocked HTTPS sites results in a connection error being displayed, instead of the User Check page.

P.S. This is not a vSEC implementation, though. I've just piggybacked on the thread as this distinction seem immaterial in my case. 

P.S.S. Is there a reason you are asking about App Control functionality with proxy in the mix?

Will proxy somehow impede the App Control ?

As far as I know, explicit proxy connections are not synchronized. 

Thanks for reply.

But is there any documentary evidence of this?

In proxy limitations I see that only on 41000 / 61000 Security System proxy connections will be dropped during failovers (due to the fact that such connections are handled as a Local Connection, which has no backup).

I see what you mean, as it's explictly listed as "not supported" for Scalable Platforms (but not regular ones) here: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy 

In which case, if you're having issues with this, it's worth a TAC case to investigate further.

Are you running them in a transparent or non-transparent mode? 

Do you have HTTPS inspection enabled?

Yes, I have HTTPS Inspection enable and non-transparent mode. The web browsers with pacfile script.

Are you missing some of the information or is there nothing at all logged for users accessing sites via proxies?

Is IA enabled on both, the gateways as well as on management? 

Yes the IA is enabled on both, and some access not show the user from IA only the gateway in source field... I think its related two connections was established  one client to firewall and other firewall to destination site.

We have another problem too when use the proxy, some access not showing the url destination in "Resource field", I think to use the proxy feature is not better idea.

I do recall encountering similar issues in the past, some of them may even be listed in this thread.

Did you try it with these settings enabled in the HTTP/HTTPS Proxy / Advanced properties?

You may not want to leave those permanently turned-on, but may be it will help the gateways track the decoupled log events better.

I really would like for someone from Check Point to comment on the issue of tracking web access via proxies with clearly identified resources.

To log all URLs, the rule that matches must be set to track with extended log.

If this is not happening, please open a TAC case so the issue can be investigated.

I can confirm that the proxy connections are not being logged properly.

with the layer's blades being:

And the gateway configured:

Proxy functionality verified:

Log's Resource and the URL columns remain empty:

Please open SR with TAC and include in it reference to this thread (you can include the link to my post with details directly, so that they will not be searching for it). Chose severity of the case to reflect how badly it affects your production environment.

Reply here with the SR # to enable forum curators collaborate with TAC and R&D and keep all of us updated on the progress.

cross-referencing this thread:

HTTPS inspection real life examples and caveats in R77.30 and R80.10 

As I showed in the screenshots below I believe using the CP as a proxy works perfectly fine for me.

Possibly the findings from this chat that Resource tracking doesn't work is because of a bug (?) that there are two "Resource" columns (see screenshot above) and the one that is displayed in the previous screenshots was the wrong one?

• Advanced

  You can configure proxy headers by clicking on Advanced... button.

  • Proxy related headers - By default, the HTTP header contains the "Via" proxy related header. Clear this checkbox if you do not want to include it.
  • X-Forward-For header (original client source IP address) - check this box to include the actual source IP address in the HTTP.
    This header must be configured, if traffic will be forwarded to Identity Awareness Security Gateways that require this information for user identification.

• Logging

  The Security Gateway opens two connections (one connection with the client and one connection with the actual destination server), but only the Firewall blade can log both connections.
  Other blades show only the connection between the client and the Security Gateway.
  The "Destination" field of the log only shows the Security Gateway and not the actual destination server.
  The "Resource" field shows the actual destination.

That's it ... The X-forward and Log full are configured too...

Hmm.. does it work now or are you simply saying that those settings are enabled already, but you are still having problems with logging?

Hi Vladimir

It was already set up and it does not work. Because this I will deactivate this feature.

Thanks.

I'll try to replicate it in mu lab at some point and post the discoveries here.

Have you opened the SR with TAC?

If yes, please reply with the case #, so that CP guys can follow up on it.