Create a Post
Showing results for 
Search instead for 
Did you mean: 

R80.x - Performance Tuning Tip - SNI vs. https inspection

R80.20+ with enabled HTTPS inspection

If the https inspection is enabled, the parameter host from http header can be used for the url because the traffic is analyzed by active streaming. Check Point Active Streaming (CPAS) allow the changing of data, we play the role of “man in the middle”. CPAS breaks the connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.). An application is register to CPAS when a connection start and supply callbacks for event handler and read handler. Several protocols uses CPAS, for example: HTTPS or also VoIP (SIP, Skinny/SCCP, H.323, etc.), Security Servers processes, etc. CPAS breaks the HTTPS connection into two parts using our own stack – this mean, we are responsible for all the stack work (dealing with options, retransmissions, timers etc.) 

More read here: R80.x Security Gateway Architecture (Content Inspection) 

Tip 1 - Enable https inspection on the gateway for R80.30

> Gateway & Service > [Gateway] > HTTPS Inspection


> Now creat https rules and configure all blades

R80.20+ without enabled HTTPS inspection (use SNI)

If the https inspection is bypassed by https inspection rule, SNI is used to recognize the virtual URL for application control and url filtering.

SNI is investigated during TLS Handshake it inspect the ‘Client Hello’ SNI field and
the server name in ‘Server Hello’. The subject field content is compared with the server name. If subject contains a Wildcard the content of subject alt name field is inspected: A valid certificate would include the server name here.

For more informations  about URL Filtering see sk92743.
More read here: URL Filtering using SNI for HTTPS websites.pdf 

Tip 2 - Enable SNI without https inspection in R80.30 for “Application Control & URL Filtering Settings”

> Gateway & Service > [Gateway] > HTTPS Inspection

> Creat HTTPS bypass rule
> Management & Settings > Blades > Application Control > Advanced Settings


Tip 3 - Performance view SNI vs. HTTPS inspection

From a performance view, it is more effective to use the SNI function if you only use URL filtering and application control.


More interesting articles:
- R80.x Architecture and Performance Tuning - Link Collection
- Article list (Heiko Ankenbrand)

4 Replies

Hi, one error here: in R80.30x , HTTPS Inspection must be enabled for SNI Verification to take place.
I believe you can leave a bypass rule as the only rule and it should still work.
Believe this limitation will be removed in R80.40.

Yes, you're right. 👍

I have already written it for R80.40 EA. I have now changed it to R80.30.

R80.40 settings follow if it is GA:-)



It works as described in this article.


for Tip2...

you can enable bypass also via cli:
fw ctl set int bypass_on_enhanced_ssl_inspection 1