Great information!
I have two qustions:
1) Can anyone confirm is the following feature is included in the new engine of SSL Inspection in R80.30? R80.30 doesn't need the probe bypass feature since it checks de Client Hello and the certificate. Also, it works with Categorize HTTPS without SSL Inspection and without turning on the kernel parameters? I'll try to check this later in a lab enviroment.
"Using this field, rather than relying on the CN of the certificate, gives more specific and accurate information about the requested site. The recently released hotfix for Check Point R80.10 gateways does change this behavior and utilize the SNI extension for categorization. Once installed, the feature can be enabled with the following command: fw ctl set int urlf_use_sni_for_categorization 1 This hotfix also allows a further check to make sure that the SNI requested by the client matches one of the SAN entries on the certificate. To enable this feature, use this command: fw ctl set int urlf_block_unauthorized_sni 1"
2) Is there any benefit in having "Categorize HTTPS sites" AND Outbound SSL Inspection? There are many posts that state that they are mutually exclusive, but in R80.20+ you can have both turned on. So far in my testing I could not see any benefits. Maybe it doesn't inspect all the https traffic?
Thanks!
Federico Meiners
