cancel
Showing results for 
Search instead for 
Did you mean: 
Post a Question

Migrating the Functionality of a dedicated Proxy Server to Check Point

Dear Mates

We currently considering changing our current Proxy Server to another system.
Since we currently have powerfull Check Point appliances, we are also considering migrating this functionality into our Check Point infrastructure.As part of the migration the requirement for the Proxy Server are mentioned below, and I would like to know if Check Point supports it with the same technology name, or if any of these functionalities are termed differently in Check Point. If Check Point supports it (which I believe so), how is it implemented in Check Point.  

1. Reverse Proxy

2. Forward Proxy

I need more technical explication as to how we achieve this in Check Point, I would be happy to be referenced to a documentation.

Thanks in advance

0 Kudos
15 Replies
Vladimir
Jade

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Depending on what you presently have in place, this may not be a best move.

Check Point really shines in terms of inline inspection and logging. As a dedicated proxy, IMHO, it is not as good as former BlueCoat (now Symantec SG).

I'd use this functionality for consolidation purposes or to circumvent other environmental limitations, i.e. in AWS peered VPCs, but not as my first choice.

Please take a look at this thread:  , it may contain the information you may find useful for making-up your own mind on the subject.

Maarten_Sjouw
Platinum

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Do keep in mind that when you use a forward proxy, all traffic will be handled in slow path, meaning everything is processor based handling. The simple reason for that is that you have a client that connects to the FW and then the FW creates the connection to the remote site. When there are no real reasons to use the proxy feature, don't. We have 1 customer where we needed to use it as their internal DNS server is located in another European (and language) country, then when they try to access google.com, they do not get the local language.

Another reason for them to do it this way is that they do not want IOT devices that can be connected anywhere in the LAN to be able to get updates. Yeah I know bad design of the network....

So bottomline, if you have no real reason to use a explicit proxy, don't.

Regards, Maarten
0 Kudos
Admin
Admin

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

No one has mentioned Reverse Proxy yet.

This is Mobile Access Blade functionality.

Some discussion here:

Reverse Proxy Feature of MOB (R80.10)

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Hi Dameon Welch-Abernathy Moderator

is there any  technical reason why Check Point does not provide Caching?

I would like to also know if Check Point supports Streaming Media Optimization (HTTP, RTMP, RTSP, MMS, QT).

Thanks in advance

0 Kudos
Admin
Admin

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Because we haven't developed the functionality for it, plain and simple.

Given the amount of dynamic content on the Internet these days, the benefits you gain by caching are fairly minimal.

As for Streaming Media Optimization, this is not something we do either.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Thanks for the reply.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Hi again

just to give you an update as to why I am asking this questions.

We want to move remove the proxy server from our network, and we are looking into using our current Check Point Solution to leverage some of the fucntionalities that are performed by our current proxy solution which is already EOL.

"As for Streaming Media Optimization, this is not something we do either."

Does Check Point intend to support it in the future? if not, could you perhaps give more information on why as you just did with the caching?

We really do not want to invest on another proxy solution and these are the only two points pending which we need more information than just saying Check Point does not support it.

Thanks once again

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Simply put. Check Point is not into the proxy business.

It requires different technologies and  a considereable amount of resources to do these things right.

So don't expect it to become part of a Check point firewall.

As I also do a lot with Blue Coat (now Symantec) proxies I have a good understanding of them and I my view it's not wise to combine these functions into a single device.

To be honest. I still prefer to do SSL intercept on the proxy and not on the firewall.

But in real life you will propably bypass SSL intercept for the traffic from the proxy and open up the rest so both the firewall and the proxy can do what they do best.

0 Kudos
Vladimir
Jade

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

If you must, use it as a reverse proxy.

For explicit forward proxy, you are better off using something purpose built.

Blue Coat (now Symantec ProxySG) is the premier player in this field.

Otherwise, you may very well deploy Squid, which will cost you nothing, but time and effort to familiarize yourself with it.

Check Point is great at inline inspection of the traffic, the proxy functionality in it is an afterthought.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Hi Vladimir

I understand you thoughts. We currently have a financial constraint to get a brand new proxy server because the one we currently have is EOL and it is causing many problems. 

Thats why we are thinking of having Check Point taking over some of the functionalities that are currently performed by our Proxy Server until we get a budget for the new Proxy.

Any thoughts whether Check Point can cover up until the financial issue is resolved?

Thanks

0 Kudos
Vladimir
Jade

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

It sure can, with some caveats and no caching capabilities.

See How to configure Check Point Security Gateway as HTTP/HTTPS Proxy discussion.

You can use a single cluster interface for a dedicated proxy functionality.

I am just curious as to why would you use proxy at all, given that you have the ability of the inline inspection.

There are cases where it is mandated, or if you are trying to circumvent the limitations of AWS networking, or if you are using common SSL decryption appliance with daisy chained inspection by multiple security tools, but otherwise I'd simply avoid using proxy altogether relying on APPC/URLF with HTTPS inspection.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Just another random question, Do I really have to configure the Securty Gateway as a Proxy, or I can just do a normal Hide NAT for internet access of our internal users.

What is the difference between both approaches.

Thanks in advance

0 Kudos
Vladimir
Jade

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

You do not have to configure a gateway as a proxy under most circumstances, the Hide NAT handles web access to the Internet.

The difference between Proxy and Hide NAT is described well enough here:

What is the difference between NAT and Proxy? What are the places we use these, and why? - Quora 

Caching is not really all that beneficial these days, as it was mostly used to conserve bandwidth when your connection to the Internet was limited and expensive.

Just make sure that your APPC/URLF is configured properly and restrict users' PCs to HTTP/HTTPS only for outbound access, unless other protocols are required for particular users or servers.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

When I read this, it sounds like a Symantec (Bluecoat) SG. I support a lot of proxy solutions for our customers.

Check Pointe has implemented  only basic reverse proxy functions. From my point of view you can use it for small environments. If you have a larger environment, use the reserve proxy or a proxy in WCCP mode.

0 Kudos

Re: Migrating the Functionality of a dedicated Proxy Server to Check Point

Currently no support for:

- TLS 1.3

- SNI

Only available with R80.30EA and above.

0 Kudos