Falk
Explorer

Replace our squid cluster with HTTP/HTTPS proxying on our Gateways?

Hi,

We are today running a couple of squids as forwarding proxies for our internal servers,
so that they do not have direct access to the internetz.

And now we are in the process of replacing them with newer ones, and then I read that you can enable HTTP/HTTPS proxy on our R80.

Do you have any experience using it as a non-transparent proxy, like in our squid case?
It's only for logging and stopping connections to bad actors on non-HTTP/HTTPS ports. I know it's a rather obsolete way because all C&C and such are using HTTPS anyhow 🙂

Thoughts?

--
Regards Falk

2 Replies
G_W_Albrecht
Legend

I would not suggest using the CP GW Proxy Server instead of Squid & Co. as the limitations are severe, see

sk110013: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy for details!

Main point apart from limitations: Check Point HTTP/HTTPS proxy is not a caching proxy (it does not cache commonly visited web pages to provide faster local access to hosts on the LAN).

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
FedericoMeiners
Advisor

@Falk 

Hope you are doing fine. Based on your use case you can totally do this on Check Point Firewalls. Personally I have done many migrations from Squid to CHKP.

A couple of pieces of advice:

  • Based on your use case you will need NGTP licensing to enforce Access rules, URL Filtering and Application Control, and Anti-Bot.
    • Stop connections to non-HTTP/HTTPS ports: Firewall blade - Access Policy
    • Enforce web browsing policies and quality of service (e.g. no streaming for certain users, no pornography): URL Filtering & Application Control
    • Prevent high-risk web browsing: URL Filtering & Application Control
    • Prevent C&C: Anti-Bot.
  • You can deploy your gateway in Web Proxy mode (you have to set up the proxy address in users' browsers) or directly by processing traffic. In my personal experience I had better enforcement results by only enabling URL Filtering / App Control on the gateway and then routing traffic from the host through the gateway without setting anything on the browser.
  • Keep in mind that you cannot do load balancing as a reverse proxy, not as far as I know at least.

Hope it helps 🙂
____________
https://www.linkedin.com/in/federicomeiners/
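The thread's policy boils down to two checks on egress traffic: internal servers may only leave the network over HTTP/HTTPS, and in explicit (browser-configured) proxy mode only the proxy host itself may talk to the internet at all. The following audit script is an added example, not code from the thread, from Check Point, or from Squid; it runs both the explicit-proxy and the routed-through-gateway variants that the reply above distinguishes over a handful of constructed log lines. The key=value log format, the 10.0.0.0/8 internal range, the proxy address 10.1.1.10 and every sample line are assumptions made for the example, not Check Point's log schema.

```python
"""Egress audit over constructed gateway log lines.

Added example for this thread, not from Check Point or the posters. It models
the policy discussed: internal servers reach the internet only over HTTP/HTTPS
and, in explicit (browser-configured) proxy mode, only via the proxy host.
All addresses, ports and log lines below are constructed assumptions.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed assumptions for the example.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
PROXY_HOST = ipaddress.ip_address("10.1.1.10")   # the explicit proxy host
WEB_PORTS = {80, 443}                              # the only egress ports allowed

# Constructed key=value log format (not Check Point's native log schema).
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\w+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample lines; the comment says what each one represents.
SAMPLE_LOG = [
    "src=10.1.1.10 dst=203.0.113.5 proto=tcp dport=443 action=accept",    # proxy -> web, fine
    "src=10.2.0.7 dst=203.0.113.5 proto=tcp dport=443 action=accept",     # server direct to web
    "src=10.2.0.8 dst=198.51.100.20 proto=tcp dport=6667 action=drop",    # server to IRC port
    "src=10.2.0.9 dst=198.51.100.21 proto=udp dport=4444 action=accept",  # server, odd UDP port
    "src=10.2.0.7 dst=10.1.1.10 proto=tcp dport=3128 action=accept",      # server -> proxy, internal
    "src=192.0.2.9 dst=10.2.0.7 proto=tcp dport=22 action=drop",          # inbound, out of scope
    "this line is malformed and must be skipped",
]


@dataclass(frozen=True)
class Finding:
    src: str
    dst: str
    dport: int
    action: str
    reason: str


def is_internal(ip) -> bool:
    return any(ip in net for net in INTERNAL_NETS)


def parse_line(line: str) -> Optional[dict]:
    """Return a record dict for a well-formed line, None otherwise."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def check_record(rec: dict, explicit_proxy: bool) -> Optional[str]:
    """Return a violation reason for an internal->external record, else None."""
    src = ipaddress.ip_address(rec["src"])
    dst = ipaddress.ip_address(rec["dst"])
    if not is_internal(src) or is_internal(dst):
        return None                      # not egress from the inside; ignore
    if explicit_proxy and src != PROXY_HOST:
        return "direct internet access bypassing the proxy"
    if rec["proto"] != "tcp" or rec["dport"] not in WEB_PORTS:
        return "non-web egress on %s/%d" % (rec["proto"], rec["dport"])
    return None


def audit(lines: List[str], explicit_proxy: bool = True) -> List[Finding]:
    """Run the policy over log lines. Dropped records are reported as well,
    so the output shows both enforced and unenforced violations."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue                     # skip malformed lines rather than fail
        reason = check_record(rec, explicit_proxy)
        if reason is not None:
            findings.append(Finding(rec["src"], rec["dst"], rec["dport"],
                                    rec["action"], reason))
    return findings


if __name__ == "__main__":
    for mode in (True, False):
        print("explicit proxy mode" if mode else "routed mode")
        for f in audit(SAMPLE_LOG, explicit_proxy=mode):
            print("  %s -> %s:%d [%s] %s" % (f.src, f.dst, f.dport, f.action, f.reason))
```

In explicit-proxy mode the three direct server-to-internet lines are flagged regardless of port, because only the proxy is supposed to reach out; in routed mode the HTTPS connection from 10.2.0.7 is legitimate and only the tcp/6667 and udp/4444 lines remain. Records the gateway already dropped are still listed so the report separates "attempted and blocked" from "attempted and allowed", which is the part that needs a policy fix. A real deployment would add exemptions for the proxy's own DNS and NTP traffic before running this against production logs.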
