Create a Post
Showing results for 
Search instead for 
Did you mean: 

Replace out squid cluster with HTTP/HTTPS proxying on our Gateways?


We are today running a couple of squids as forwarding proxies for our internal servers.
So that they do not have direct access to the internetz. 

And now we are in the process of replace them with newer ones, then I read that you can enable HTTP/HTTPS proxy on our R80.

Do you have any experience to use it as an non-transparent proxy, like in our squid case?
It's only for logging and stop connections to bad actors on non http/https ports. I know it's a rather obsolete way beq all c&c and such is using https anyhow 🙂 


Regards Falk

0 Kudos
2 Replies

I would not suggest to use the CP GW Proxy Server instead of Squid & Co. as the limitations are severe, see

sk110013: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy for details !

Main point apart from limitations: Check Point HTTP/HTTPS proxy is not a caching proxy (it does not cache commonly visited web pages to provide faster local access to hosts on the LAN).

0 Kudos


Hope you are doing fine, based on your use case you can totally do this on Check Point Firewalls. Personally I have done many migrations from Squid to CHKP.

A couple of advises:

  • Based on your use case you will need NGTP licensing to enforce Access rules, URL Filtering and Application control, Anti-Bot.
    • Stop connection to non http/https ports: Firewall blade - Access Policy
    • Enforce web browsing policies and quality of service (IE: No streaming for certain users, no pornography): URL Filtering & Application Control
    • Prevent high risk web browsing: URL Filtering & Application Control
    • Prevent C&C: Anti Bot.
  • You can deploy your gateway in Web Proxy mode (You have to setup proxy address in user's browsers) or directly by processing traffic. In my personal experience I had better enforcement results by only enabling URL Filtering / App control on the gateway and then routing traffic from the host through the gateway without setting anything on the browser.
  • Keep in mind that you cannot do load balance as reverse proxy, not as far as I know at least.

Hope it helps 🙂




Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events