This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maarten_Sjouw
Champion
Champion
‎2018-12-19 06:50 AM

Proxy and SecureXL

Is there any way that SecureXL Medium path can be used when the GW is used as a proxy?

We have a customer that has a 15600 and they have asked us to setup a proxy for several reasons. Now they are migrating to Office365 and I see a lot of traffic hitting the FW path, some traffic hitting the medium path and none hitting the fast path.

As Proxy traffic needs to be handled by the gateway itself, I would not expect this to be able to accelerated, so my thoughts were to ask the customer to exclude the Office 365 URL's from the PAC file, so they will not use the proxy, thus allowing this traffic to be accelerated.

They also have WiFi networks that do not need to use the proxy and we see 200/600Mbps in traffic in PXL/FW paths. We have 12 cores for the FW-Workers but are all at or close to 100% at the busy moments.

Regards, Maarten
0 Kudos
3 Replies
Timothy_Hall
Legend Legend
Legend
‎2018-12-19 07:47 AM

In R80.10 gateway and earlier I'm pretty sure the answer is no.  This might be handled differently in R80.20 gateway however due to the wholesale changes in SecureXL, but I doubt it.  See:

sk92482 - Performance impact from enabling HTTP/HTTPS Proxy functionality

Also if you are inspecting Office 365 traffic, you probably have HTTPS Inspection enabled which will force F2F handling for all traffic subject to it anyway on R80.10 gateway regardless of whether proxy mode is used or not.

--
Second Edition of my "Max Power" Firewall Book
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos
Maarten_Sjouw
Champion
Champion
‎2018-12-20 12:54 AM
In response to Timothy_Hall

We are running R77.30 for this customer.

In Proxy environment you do not need to enable the HTTPS inspection separately as the traffic is unpacked anyway.

But in this case we really need to have this traffic in bypass-the-proxy-mode to move it into the PXL path. So we have asked the customer to adjust the proxy pac file, so we can add a small policy to allow this traffic to pass and be moved to PXL path.

Regards, Maarten
0 Kudos
_Val_
Admin
Admin
‎2018-12-20 02:47 AM
In response to Timothy_Hall

Correct, the answer is NO

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events