This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Falk
Explorer
‎2019-09-23 02:04 AM

Replace out squid cluster with HTTP/HTTPS proxying on our Gateways?

Hi,

We are today running a couple of squids as forwarding proxies for our internal servers.
So that they do not have direct access to the internetz. 

And now we are in the process of replace them with newer ones, then I read that you can enable HTTP/HTTPS proxy on our R80.

Do you have any experience to use it as an non-transparent proxy, like in our squid case?
It's only for logging and stop connections to bad actors on non http/https ports. I know it's a rather obsolete way beq all c&c and such is using https anyhow 🙂 

Thougts?

--
Regards Falk

0 Kudos
2 Replies
G_W_Albrecht
Legend Legend
Legend
‎2019-09-23 03:20 AM

I would not suggest to use the CP GW Proxy Server instead of Squid & Co. as the limitations are severe, see

sk110013: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy for details !

Main point apart from limitations: Check Point HTTP/HTTPS proxy is not a caching proxy (it does not cache commonly visited web pages to provide faster local access to hosts on the LAN).

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
FedericoMeiners
Advisor
‎2019-09-23 08:31 AM

@Falk 

Hope you are doing fine, based on your use case you can totally do this on Check Point Firewalls. Personally I have done many migrations from Squid to CHKP.

A couple of advises:

  • Based on your use case you will need NGTP licensing to enforce Access rules, URL Filtering and Application control, Anti-Bot.
    • Stop connection to non http/https ports: Firewall blade - Access Policy
    • Enforce web browsing policies and quality of service (IE: No streaming for certain users, no pornography): URL Filtering & Application Control
    • Prevent high risk web browsing: URL Filtering & Application Control
    • Prevent C&C: Anti Bot.
  • You can deploy your gateway in Web Proxy mode (You have to setup proxy address in user's browsers) or directly by processing traffic. In my personal experience I had better enforcement results by only enabling URL Filtering / App control on the gateway and then routing traffic from the host through the gateway without setting anything on the browser.
  • Keep in mind that you cannot do load balance as reverse proxy, not as far as I know at least.

Hope it helps 🙂

 

____________
https://www.linkedin.com/in/federicomeiners/

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top