Do I need a Proxy rule above the Stealth rules?

I have my GW configured as a proxy on port 8080.

If I leave the inline rule "InternalZone CP_GW Http_https_Proxy accept" below the rule "any CP_GW any any drop", I cannot use the internet, of course, because the Stealth rule comes before it, but I did not want to have innumerable internet filter rules above the Stealth rule. By default, does Check Point not understand that, if it is a proxy, the requests to it should be implicit?

1 Reply

You need a rule above the Stealth rule to allow access to the IP (a separate object with the IP of the interface that you assigned to the Proxy function). Before you set the proxy function and the interface with the port number, it will not accept any connection on that port.

You will also need a rule to allow the gateway to the internet; this is to allow the gateway to do your http(s) requests for you.

Do keep in mind that all the internet traffic will NOT be accelerated, as it is all traffic to or from the gateway itself and therefore cannot be accelerated. This means that if you did the sizing of the gateway and did not keep this in mind, you will probably run into performance problems when you have a full load on the gateway.


We have a 13500 cluster with an 800Mb internet connection, which was running proxy, and during busy hours we saw 40/60 partial/non-accelerated traffic with an average load of 90%.

For a few weeks now, most traffic has not been using explicit proxy anymore (pass-through), and we have seen 70/30 since then and an average load of 55%.

Bottom line: if you can avoid using explicit proxy, please do that.

Regards, Maarten
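Added example (not part of the thread, and not Check Point code): a simplified first-match model of the rule order discussed above, with a check that flags accept rules hidden behind an earlier drop rule. The object names InternalZone, CP_GW and Http_https_Proxy come from the question; the rule names, the `https` service and the `Internet` destination are constructed assumptions.

```python
# Simplified first-match rulebase model; it does not reproduce a real policy engine.
from dataclasses import dataclass

ANY = "any"
FIELDS = ("src", "dst", "service")

@dataclass(frozen=True)
class Rule:
    name: str
    src: str
    dst: str
    service: str
    action: str  # "accept" or "drop"

def covers(field, value):
    """A rule field covers a value if it is 'any' or names the same object."""
    return field == ANY or field == value

def first_match(rules, src, dst, service):
    """Return the first rule, top to bottom, that matches the connection."""
    for rule in rules:
        if all(covers(getattr(rule, f), v) for f, v in zip(FIELDS, (src, dst, service))):
            return rule
    return None  # nothing matched; a cleanup rule would apply

def shadowed_accepts(rules):
    """List (accept rule, earlier drop rule) pairs where the accept can never match."""
    hidden = []
    for i, rule in enumerate(rules):
        if rule.action != "accept":
            continue
        for earlier in rules[:i]:
            fully = all(covers(getattr(earlier, f), getattr(rule, f)) for f in FIELDS)
            if earlier.action == "drop" and fully:
                hidden.append((rule.name, earlier.name))
                break
    return hidden

# Constructed rules mirroring the thread.
PROXY = Rule("proxy", "InternalZone", "CP_GW", "Http_https_Proxy", "accept")
STEALTH = Rule("stealth", ANY, "CP_GW", ANY, "drop")
OUTBOUND = Rule("gw-to-internet", "CP_GW", ANY, "https", "accept")

AS_POSTED = [STEALTH, PROXY, OUTBOUND]   # proxy rule below the Stealth rule
AS_ADVISED = [PROXY, STEALTH, OUTBOUND]  # proxy rule above the Stealth rule

if __name__ == "__main__":
    for label, rules in (("as posted", AS_POSTED), ("as advised", AS_ADVISED)):
        hit = first_match(rules, "InternalZone", "CP_GW", "Http_https_Proxy")
        print(label, "->", hit.name, hit.action, "| shadowed:", shadowed_accepts(rules))
```

The gateway-to-internet rule can stay below the Stealth rule in this model because its source, not its destination, is the gateway.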