Timothy_Hall
Champion

HTTPS Inspection Policy Rule Order

There have been several discussions about the proper rule order in the HTTPS Inspection Policy to maximize efficiency and avoid Active Streaming (CPASXL) as much as possible.  Would the following order be completely accurate?  My main question is whether the Services field in the final cleanup rule should be "Any" or "HTTPS Default Services"?  Obviously one should also avoid using "Any" in the Destination and Services field to make sure traffic is not inappropriately pulled into Active Streaming.

    1. Rules specifying an Action of "Bypass" that are matching only specific source and destination IP addresses/networks (no domains) with a Category of "Any"

    2. Rules bypassing sites known to not work with HTTPS Inspection via the Check Point-provided ‘HTTPS Services – bypass’ updatable object; see sk163595 for further explanation.

    3. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with a Category of "Any".

    4. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific Categories set.

    5. Rules specifying an Action of "Bypass" that are matching specific source and destination IP addresses/networks (and/or domains) with specific categories or a Category of "Any" set.

    6. Rules specifying Inspect actions.

    7. A "cleanup rule" consisting of "Any Any ‘HTTPS default services’ Any Bypass"

New 2021 IPS/AV/ABOT Self-Guided Video Series
now available at http://www.maxpowerfirewalls.com
the_rock
Authority

I will share my own personal experience with this... not sure if there is an "official" CP recommendation on exactly what this should look like, but I can say personally, having spent many, many hours with TAC on the phone troubleshooting HTTPS Inspection issues, that the order of the HTTPS Inspection rules never seemed to make the slightest difference. To add to that, even changing the services to Any never changed the behavior either.

_Alex_
Advisor

According to slide 10 of the TechTalk on HTTPS Inspection Best Practices, the default should be any/any with the services.

