This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help
Timothy_Hall
Champion
Champion
‎2021-09-02 06:48 PM

HTTPS Inspection Policy Rule Order

There have been several discussions about the proper rule order in the HTTPS Inspection Policy to maximize efficiency and avoid Active Streaming (CPASXL) as much as possible.  Would the following order be completely accurate?  My main question is whether the Services field in the final cleanup rule should be "Any" or "HTTPS Default Services"?  Obviously one should also avoid using "Any" in the Destination and Services field to make sure traffic is not inappropriately pulled into Active Streaming.

    1. Rules specifying an Action of "Bypass" that are matching only specific source and destination IP addresses/networks (no domains) with a Category of "Any"

    2. Rules bypassing sites known to not work with HTTPS Inspection via the Check Point-provided ‘HTTPS Services – bypass’ updatable object; see sk163595 for further explanation.

    3. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with a Category of "Any".

    4. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific Categories set.

    5. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific categories or a Category of "Any" set.

    6. Rules specifying Inspect actions.

    7. A "cleanup rule" consisting of "Any Any ‘HTTPS default services’ Any Bypass"

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
2 Replies
the_rock
Champion
Champion
‎2021-09-02 07:19 PM

I will share my own personal experience with this...not sure if there is an "official" CP recommendation on how this should exactly look like, but I can say personally, and having spent many many hours with TAC on the phone troubleshooting https inspection issues, the order of the https inspection rules never seemed to make slightest difference. To add to that, even changing services to any also never changed the behavior either.

0 Kudos
Alex-
Advisor
‎2021-09-03 03:38 AM

According to slide 10 of the TechTalk on HTTPS Inspection Best Practices, the default should be any/any with the services.

 

0 Kudos