This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
_Val_
Admin
Admin
‎2025-10-27 06:24 AM

Software Blade effectiveness with and without HTTPS Inspection - sk184185

This new Secureknowledge article, sk184185, answers one very frequent question: Why do you want to enable HTTPS Inspection on your security GWs.

Here is what the SK says (quoting in full):

Without HTTPS Inspection, the Security Gateway can only inspect metadata such as domain names and TLS certificates. Most Threat Prevention blades cannot inspect encrypted payloads. With HTTPS Inspection enabled, the gateway decrypts traffic and allows full inspection by all blades.

Recommendation: Enable HTTPS Inspection for outbound traffic. Exclude sensitive domains such as banking sites or internal services to avoid privacy and performance issues.

Warning: HTTPS Inspection may impact performance and user privacy. Test in a lab environment before deployment.


Real-World Example

A user clicks a phishing link: example.com/login

  • Without HTTPS Inspection:
    • URL Filtering blocks known malicious domains.
    • Anti-Bot uses reputation and traffic patterns.
    • Encrypted payload bypasses AV/IPS.
  • With HTTPS Inspection:
    • Zero-Phishing analyses the page and injects browser protections.
    • AV/IPS inspect files and exploits inside the page.


Blade Behavior Comparison

Feature Without HTTPS Inspection With HTTPS Inspection Notes
IPS Minimal: TLS anomalies only Full payload inspection Requires decrypted content
Anti-Bot / C2 Detection DNS, traffic patterns, domain reputation Adds payload inspection for beaconing Detects hidden C2 patterns in HTTP POST/GET
Anti-Bot / Reputation IP/domain reputation, TLS cert anomalies No additional benefit Reputation is metadata-driven
Application Control Partial: SNI, IP ranges Full identification via payload Differentiates app functions (e.g., chat vs. video)
Application Control - UserCheck Not supported Supported via HTTP redirect Requires decryption
URL Filtering Domain-based filtering Granular filtering by path, parameters Blocking example.com/badpage requires decryption
URL Filtering - UserCheck Not supported Supported via HTTP redirect Requires decryption
Anti-Virus Limited on URL based filtering Scans files inside HTTPS Requires decrypted payload
Threat Emulation Not available Extracts files for sandboxing Requires decryption
Threat Extraction Not available Sanitizes active content Requires decryption
Zero-Phishing Limited SNI-based enforcement (R82.10) Full page analysis and JS injection In-browser protection requires HTTPS Inspection

 

(1)
2 Replies
the_rock
MVP Platinum
MVP Platinum
‎2025-10-27 09:47 AM

Thats super helpful.

Best,
Andy
0 Kudos
Lesley
MVP Gold
MVP Gold
‎2025-10-27 11:05 AM

Good to throw this into discussion with customers. 

There should be no reason NOT to enable https inspection. 

Yes it takes time to configure and yes sometimes it can give issues (like any other additional feature) 

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events