Joe_Kanaszka
Advisor

Can the Check Point forward http/s traffic to a "peer proxy"?

Hey again guys!

Can the Check Point forward certain http/s requests to a peer proxy?

We require traffic to certain http/s domains to be forwarded to our head office "peer proxy" in order for our users to access head office sites.  

Currently we use our in-line explicit proxy to forward this http traffic that matches  a "head office" list of domains to our peer proxy server at head office.  All the matching http/s traffic is forwarded to this other peer proxy over an existing S2S Check Point VPN (Check Point on both ends). 

Can we configure our Check Point to forward this pre-defined http/s traffic to this Head Office peer proxy so we can lose our local proxy entirely?

Thank you again!

0 Kudos
Wolfgang
MVP Gold

@Joe_Kanaszka  I believe not what you want to do. Yes, Check Point gateway can run as proxy for your clients.

You mentioned:

"explicit proxy to forward this http traffic that matches  a "head office" list of domains to our peer proxy server at head office"

Sending a website with URL www.mycompany.com to proxy A and website with URL www.myowndomain.com to proxy B or the internet, this isn't possible.

Besides this, and in my own experience, I would no longer use the proxy feature of a Check Point gateway. It really slows down all connections going via proxy, because all of these connections can't be accelerated by SecureXL.

sk92482 - Performance impact after enabling HTTP/HTTPS Proxy on Security Gateway 

Proxy feature all the time results in some memory leaks. Some authentications can't be passed through the proxy....

See sk110013 - How to configure Check Point Security Gateway as HTTP/HTTPS Proxy

I would really do a deep testing PoC before going into production. I prefer using a dedicated product for such a feature. (SQUID does everything for us)

(1)
Joe_Kanaszka
Advisor

Thank you Wolfgang!  

What you are describing sounds exactly like what we would like to do.

Just to clarify...

We would like all URLs that are meant for our Head Office to get forwarded to the peer Head Office Proxy A.

All other URLs NOT meant for Head Office we like to send to our own Proxy B and NOT be forwarded to any peer.

 

This is NOT possible correct?

Thank you again!

0 Kudos
Timothy_Hall
MVP Gold

Doesn't the new "Proxy Chaining" feature introduced in R82 do what you want?  See Section 5 of sk110013: How to configure Check Point Security Gateway as HTTP/HTTPS Proxy:

Starting from the version R82, you can configure Proxy Chaining on Security Gateways to forward outbound IPv4 HTTP/HTTPS traffic to an upstream proxy server based on URL patterns.

This enables a Security Gateway to support multi-layered proxy architectures for compliance, monitoring, or traffic routing purposes.

You configure the applicable proxy settings and rules on the Security Gateway in the "$FWDIR/conf/upstream_proxy_policy.txt" file.

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices Video Course
Now Available at https://shadowpeak.com/gaia4-18-immersion-course
(1)
Joe_Kanaszka
Advisor

Good morning Timothy and thank you!

This is good to know as we'll be upgrading to R82 this summer.  

So to reiterate my question to Wolfgang above:

"Just to clarify...

We would like all URLs that are meant for our Head Office to get forwarded to the peer Head Office Proxy A.  These "Head Office" URLs are maintained in a static config file that resides on our proxy server.

All other URLs NOT meant for our Head Office we like to send to our own Proxy B and NOT be forwarded to any peer."

On top of this "Proxy Chaining" feature, we would also require URL filtering to block company-deemed inappropriate sites.

Could we accomplish all this on R82?

Thank you again Timothy!

0 Kudos
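
The split described in the post above (listed head office domains to peer Proxy A, everything else to Proxy B), as an added example that is not part of the original thread and not Check Point's rule syntax: a pre-migration check that replays sample requests against the domain list and reports where each would go. The list format, the `*.` wildcard meaning, the hostnames and the proxy labels are all assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Constructed sample list; the real file's format is not shown in the thread.
HEAD_OFFICE_LIST = """
# head office domains (constructed)
intranet.headoffice.example
*.hr.headoffice.example
"""
PEER_PROXY_A = "peer-proxy-A"    # hypothetical label for the head office peer
LOCAL_PROXY_B = "local-proxy-B"  # hypothetical label for everything else

def parse_domain_list(text):
    """Split entries into exact hosts and '*.suffix' wildcard suffixes."""
    exact, suffixes = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower().rstrip(".")
        if not entry:
            continue
        if entry.startswith("*."):
            suffixes.add(entry[2:])   # assumed meaning: subdomains only
        else:
            exact.add(entry)
    return exact, suffixes

def host_of(target):
    """Hostname from a full URL or a CONNECT-style host:port."""
    if "://" not in target:
        target = "//" + target
    return (urlsplit(target).hostname or "").lower().rstrip(".")

def route(target, exact, suffixes):
    """Return which proxy a request would be sent to."""
    host = host_of(target)
    if host in exact:
        return PEER_PROXY_A
    labels = host.split(".")
    # Compare whole DNS labels so 'nothr.headoffice.example' or
    # 'intranet.headoffice.example.other.test' never match by substring.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in suffixes:
            return PEER_PROXY_A
    return LOCAL_PROXY_B

if __name__ == "__main__":
    exact, suffixes = parse_domain_list(HEAD_OFFICE_LIST)
    for t in ("https://intranet.headoffice.example/", "payroll.hr.headoffice.example:443",
              "https://nothr.headoffice.example/", "http://www.example.org/"):
        print(f"{t:45} -> {route(t, exact, suffixes)}")
```

Running the same sample requests before and after the cut-over gives a quick way to confirm that no head office entry is silently dropped and no unrelated host is sent across the VPN.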
Wolfgang
MVP Gold

@Joe_Kanaszka with this new information this should work. URL-filter with proxy is no problem.

0 Kudos
Wolfgang
MVP Gold

Thanks @Timothy_Hall. This is good and very interesting news, never heard about this new feature. Maybe the reliability of the proxy feature will be better with R82. I'll give it a chance in an upcoming project.

I believe regarding the performance problems nothing changed, because the traffic starts from gateway and this won't be accelerated?

0 Kudos
PhoneBoy
Admin

Correct, traffic originating from the gateway remains in slowpath.
