Ivory

Proxy settings

Hi,

Using R77.30

I'm getting the following log entry when attempting to access a website using https that's been allowed in the policy:

 

"Proxy: Internal error; Connection was rejected due to internal error"

 

The firewall cluster is set up to use the gateway as an HTTP/HTTPS proxy in Non Transparent mode.

Specific interfaces - includes the LAN interface

Ports 8081 and 8080

 

Does anything need to be set on the client side to bypass the proxy, or any other changes required on the firewall?

Many thanks for any advice on this.

 

0 Kudos
6 Replies
Admin

Can you access the same URL via a different connection?
Is the Security Gateway able to resolve the DNS query for the same URL?
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
Ivory

Hi PhoneBoy,

 

Thank you for your response. Yes, the URL can be accessed from outside our organisation on a non-LAN internet connection.

 

Unfortunately I don't have access to any Check Point support, therefore the link doesn't really help.

 

Kind regards

XC

 

0 Kudos
Admin

Can you log onto the gateway and see if it is able to look up the DNS name?
That is suggested by the link I provided.
0 Kudos
Ivory

Hi, 

Thanks, I logged on, and no, it doesn't look up the DNS name.

 

Cap3.JPG

The top lookup doesn't work but the bottom one does.

These are two different addresses hosted in AWS, the top one is a new site that needs to be accessed by users, the bottom one is the original one.

Rgds

XC

0 Kudos

Why are you using the Gateway as a proxy? This has a huge impact on the load of your gateways; SecureXL (acceleration) is completely bypassed.
The firewall needs to allow traffic from the clients to its interface on ports 8080 and 8081, and from the gateways you need to allow all traffic to ports 80 and 443 (and any other port that needs to be allowed).
In your Application/URLF policy all destinations need to be empty.
Regards, Maarten
0 Kudos
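The checks suggested in the replies (can the gateway itself resolve the name, are the proxy ports reachable, can the gateway reach the site on 443) as one diagnostic script. This is added here and is not from the thread or from Check Point; it assumes a standard Gaia expert shell with getent, dig, awk and bash, and the site name and proxy ports are passed as arguments.

```bash
#!/bin/bash
# Diagnostic for a gateway used as a non-transparent HTTP/HTTPS proxy.
# Usage (assumed, run in expert mode): ./proxy_check.sh new-site.example.com 8080 8081

# Does the gateway itself resolve the name? Returns 0 on success.
check_dns() {
    getent hosts "$1" >/dev/null 2>&1
}

# Query every resolver in /etc/resolv.conf directly, so a dead or
# split-horizon resolver shows up instead of a silent overall failure.
check_each_resolver() {
    local name=$1 ns rc=0
    for ns in $(awk '/^nameserver/ {print $2}' /etc/resolv.conf); do
        if dig +short +time=3 +tries=1 "@$ns" "$name" | grep -q .; then
            echo "resolver $ns: OK"
        else
            echo "resolver $ns: NO ANSWER"; rc=1
        fi
    done
    return $rc
}

# Is a TCP port reachable? Returns 0 when the connect succeeds within 3 s.
check_port() {
    timeout 3 bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

main() {
    local name=$1 p; shift
    if check_dns "$name"; then
        echo "DNS: $name resolves on the gateway"
    else
        echo "DNS: $name does NOT resolve on the gateway"
        check_each_resolver "$name"
    fi
    # Proxy ports the clients must reach on the gateway's LAN interface.
    for p in "$@"; do
        if check_port 127.0.0.1 "$p"; then echo "proxy port $p: listening"
        else echo "proxy port $p: not reachable"; fi
    done
    # The gateway itself must be allowed out to the destination on 443.
    if check_port "$name" 443; then echo "gateway -> $name:443 reachable"
    else echo "gateway -> $name:443 NOT reachable"; fi
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

If the DNS check fails but the per-resolver loop answers from some resolvers, the gateway's resolver order or DNS rulebase entry is the place to look before touching the proxy policy.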
Ivory

Hi Maarten,

 

Thank you for your input. This is how I inherited the system; I'm not overly familiar with Check Point, having primarily worked with Cisco and Juniper previously.

 

The Application/URL filtering blade is allowing the traffic using a catch all rule at the bottom of the policy:


Cap1.JPG Cap2.JPG

 

Thanks.

XC

0 Kudos