This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Timothy_Hall
Legend Legend
Legend
‎2021-09-02 06:48 PM

HTTPS Inspection Policy Rule Order

There have been several discussions about the proper rule order in the HTTPS Inspection Policy to maximize efficiency and avoid Active Streaming (CPASXL) as much as possible.  Would the following order be completely accurate?  My main question is whether the Services field in the final cleanup rule should be "Any" or "HTTPS Default Services"?  Obviously one should also avoid using "Any" in the Destination and Services field to make sure traffic is not inappropriately pulled into Active Streaming.

    1. Rules specifying an Action of "Bypass" that are matching only specific source and destination IP addresses/networks (no domains) with a Category of "Any"

    2. Rules bypassing sites known to not work with HTTPS Inspection via the Check Point-provided ‘HTTPS Services – bypass’ updatable object; see sk163595 for further explanation.

    3. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with a Category of "Any".

    4. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific Categories set.

    5. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific categories or a Category of "Any" set.

    6. Rules specifying Inspect actions.

    7. A "cleanup rule" consisting of "Any Any ‘HTTPS default services’ Any Bypass"

Gaia 4.18 (R82) Immersion Tips, Tricks, & Best Practices
Self-Guided Video Series Coming Soon
2 Replies
the_rock
Legend
Legend
‎2021-09-02 07:19 PM

I will share my own personal experience with this...not sure if there is an "official" CP recommendation on how this should exactly look like, but I can say personally, and having spent many many hours with TAC on the phone troubleshooting https inspection issues, the order of the https inspection rules never seemed to make slightest difference. To add to that, even changing services to any also never changed the behavior either.

0 Kudos
Alex-
Leader Leader
Leader
‎2021-09-03 03:38 AM

According to slide 10 of the TechTalk on HTTPS Inspection Best Practices, the default should be any/any with the services.

 

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events