StevePearson
Participant

HTTPS Bypass

I'm currently trying to clean up a policy that's been in place for several years. It was built under R80.20 and has a huge number of rules on the HTTPS policy, most of which are bypass rules. There are several that bypass based on destination IP, things like web-based license servers (e.g. Autodesk), but the majority bypass based on custom applications that contain a list of URLs (things like Webex, Dropbox and even AWS). Whilst I'm aware that this is probably the best way to do it, I'm wondering if all of these are needed now that it's all R81.20, which handles HTTPS inspection much better than R80.20 used to.

Has anyone got any thoughts or advice on this at all? I'm thinking about possibly removing a fair amount of these and monitoring/re-adding them if necessary later.

Thanks in advance!

 

0 Kudos
7 Replies
the_rock
Legend

I know it's been brought up many times, but personally, I always put bypass rules first, then any any inspect at the bottom, but people suggest doing any any bypass at the bottom.

Either way, you should disable rules that are not needed, so if you need them later, they are easy to re-enable.

Andy

0 Kudos
Chris_Atkinson
Employee

Built-in objects as outlined in sk163595 may be helpful here.

Pay close attention to the policy structure to avoid common pitfalls:

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Policy-Rule-Order/td-p/128681#M27952


Further enhancements are expected with R82+ to help manage the journey that is HTTPS inspection.

CCSM R77/R80/ELITE
the_rock
Legend

You used the right term...journey haha, so true : - )

0 Kudos
PhoneBoy
Admin

In R81.20, you can leverage other types of objects in your HTTPS Inspection Policy (Updatable Objects in particular).
It should help you clean up the policy after upgrading, but it should not cause any issues when you upgrade.

the_rock
Legend

One of my favorite features in R81.20!

0 Kudos
StevePearson
Participant

One of the issues with HTTPS inspection in R80.20 was the poor support around SNI, I believe, which I also believe was much improved from R81, so this is what I'm hoping will make a lot of the existing rules obsolete now!

However, I will also look at making use of the Updatable Objects too, as they look as if they will remove a fair few of the existing rules.

0 Kudos
the_rock
Legend

I strongly recommend R81.20, as HTTPS inspection performs so much better.

Andy

0 Kudos
