HTTPS Inspection
Hi,
I was testing Web/URL Filtering on a test firewall, but the response is very random in terms of which websites get blocked. I am not using HTTPS inspection for now, as I wanted to make a use case without enabling HTTPS inspection; if it can get the job done, it will save a lot of hassle. Currently, I am testing in a setup where my test machine is connected to the production firewall and traffic is routed via VPN to my test firewall, where I am currently testing. I have used almost all the regex syntax that I could find, and I can see dropped packets, but the website still gives a random response, i.e. it gets blocked but it also works randomly. This is the session which is accepting the traffic with an Akamai destination, but the test website shows some blocked sessions. Let me know if I can find a related issue resolution before further troubleshooting, as I am new to Check Point and still exploring. I think VPN decryption is overriding HTTPS inspection behavior, but I am a bit confused about the solution.
One side note: if I use pre-configured Check Point applications like Facebook, I don't see this issue, but when I block some HTTPS website, for example nayatel.com or yahoo.com, I see these VPN-decrypted packets in the logs and Yahoo does not get blocked and ignores the rule configured for it. My test firewall is R81.10 Jumbo Hotfix Take 130, as it was not being used previously for testing. I am basically confused about the attached packet and want to ask for advice on whether this is what is causing the issue or it could be something else. Thank you.
I would upgrade to at least JHF T150 to conduct any meaningful testing, please refer:
https://support.checkpoint.com/results/sk/sk182318
Yes, I am going to upgrade it to T174 today and will test again, but I just wanted to ask whether it's a known issue or not in the meanwhile.
Apparently, upgrading has resolved the issue, but I will test it for some time. I would still love to know the root cause of this for my own learning, if possible. Moreover, is there any way to show a block page without enabling HTTPS inspection? I am thinking of a substitute for Cisco Umbrella DNS security, so I am asking this in that context. Thank you.
https://community.checkpoint.com/t5/General-Topics/Check-Point-vs-Cisco-Umbrella/m-p/250374#M41852
"Categorize HTTPS Sites" has very limited capabilities in lieu of full HTTPS Inspection. Filtering may not always be accurate as all it has to work with is the SNI prior to encryption. There are many ways around this which explains why randomly some sites are blocked and others aren't, and unless you turn on full HTTPS Inspection UserChecks simply cannot work as the browser will block them as a downgrade redirection attack from HTTPS to HTTP. This is proper behavior by the browser, and a classic attack vector even though we "the good guys" are trying to display a UserCheck.
Acknowledged. Can you direct me to some benchmark or trade-off regarding the CPU/RAM/memory comparison if I enable HTTPS inspection? I am not sure how much it will impact the firewall performance in terms of that.
I don't believe there is any way to show a block page without SSL inspection on. If you think about it, in simple terms, without inspection enabled there is nothing for the firewall to intercept, if you will, so all users would see is a message like "page can't be displayed" or the page is reset, something along those lines.
Andy
Yes, I understand. It's just that this is what I have to work around somehow, as I have to enable HTTPS inspection and install the certificate on every client; Cisco is currently doing that, and its Cisco Secure Client is already across the whole environment.
If you enable https inspection, then it will work as intended, 100%.
Andy
Ack, but the hindrance is the installation of the certificate on all clients. 🙂
But I agree with you.
I get it. I would say GPO is probably the answer to that 🙂
Andy
I do not have a lot of expertise on that, I would probably have to take other guys and management in loop 😛
Fair enough 🙂
See if the post I made about this last year helps. Maybe you can test this on a few machines and see if it works.
Andy
https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139
Such a great read. Thanks 🙂
Hope it helps.
Btw, if you need me to test anything, happy to do it. Working on Harmony SASE stuff today, but I can definitely check this, not an issue. I have fully working R81.20 and R82 SSL inspection labs running.
Andy
That is great. I would definitely ping you if I need your help. Thank you so much :). But yes, if you can guide me about the performance comparison with and without HTTPS inspection, that would be great, because what I have observed and read is that Check Point can do almost everything Cisco Umbrella is doing (except DNS server) in terms of security; the only hindrance in making up my mind for further testing and proceeding with it is the performance factor in terms of load and certificates.
Hi,
I could not test it before as I had to go back because of a family tragedy. I came back yesterday and resumed testing in a slightly different scenario due to company restrictions on using a fully managed test machine. My current setup places the test machine behind the company's main firewall, connected to an isolated test firewall environment via VPN. During initial testing, I used a self-signed dummy certificate for HTTPS inspection. The first issue I faced was that, although I deleted that certificate from all known locations, I suspect it's still lingering somehow, as I am unable to install a fresh certificate from Gateway > HTTPS Inspection, but I can renew it with a new self-signed one. I read about a tool that might help completely remove it, but I wanted to ask here first before proceeding.
Based on my understanding, all external HTTPS sites should fail or show certificate warnings if the certificate is untrusted, but the behavior is inconsistent. For example, some sites like nayatel.com still open, while others don't proceed past the security warning. When I blocked traffic, the UserCheck page did not appear as expected, but I was able to resolve this after enabling UserCheck on all interfaces (thanks to your document 🙂). I now see that blocked sites get the firewall's VPN certificate and show the block page properly, but other sites like Google are still receiving the self-signed certificate, leading to the errors attached. I'm unsure if this is due to certificate caching, inspection misconfiguration, my lack of knowledge in this aspect, or some remnant of the previous setup. Any suggestions or insights would be appreciated.
To summarize: is there any way to delete the self-signed certificate? Should external websites work with a self-signed (not valid) certificate after the warning, and should it show a block page with the same certificate (which it is showing now)? I have attached some images as well.
First of all, sorry to hear about family tragedy, hope you are doing okay now?
Anyway, for inspection, make sure the right categories are set to inspect in the SSL inspection policy and blocked in the right layer. I attached the doc, as well as something else I posted recently, hope it helps.
Andy
Hi,
I am trying to get back to my normal life. Thank you for asking.
The confusion I have is with the self-signed certificate: websites are not opening and give me an error because the websites use HSTS, as attached in the image, and some of the websites do not give me this error and the packets are accepted, but the website does not open. However, the block page still works on websites which I have blocked. The confusion I have is whether this is caused by the self-signed certificate for testing or something else.
Health ALWAYS comes FIRST, before anything, so please remember that.
As far as the cert, see if the post I made a while back below helps. Just ensure any certs that need to be trusted are set up in the trusted cert store on the Windows machine.
Andy
https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139
Yes, I did that, but the issue with some websites like Google and YouTube is related to HSTS, which I am trying to figure out. Secondly, I made a rule with the same self-signed certificate; it blocks websites like tubec.com etc., but does not block Facebook (Check Point's own managed application), although I blocked QUIC as well.
One more thing: have you ever tried to delete the self-signed certificate from HTTPS inspection? It does not give any relevant option.
Make sure you are INSPECTING any category that's supposed to be blocked. What time zone are you in? Happy to do remote, as long as it's not in EST work hours; if it is, I can do between 12-1 pm EST.
Andy
The company policy does not allow me to do a remote session, unfortunately 😞, but I will dig down a bit more to see and get back to you. 🙂 Thank you for discussing till now and helping out.
@Zee Would you mind sending how the blade settings are set in SmartConsole? I mean for the URL Filtering one.
Andy
Hi, I was trying to stress test HTTPS inspection in the test lab via Apache JMeter. I used 500 users for HTTPS requests to httpbin.org, and CPU spiked from 15% on average to 100%. Can you tell me what method you used to test this feature before enabling it in a production environment? I am currently using R81.20.
What we always do with all our clients is tell them to get 2-3 machines, or 5 at the most, and test SSL inspection that way for 2 weeks; if that works fine, then you move on to a higher number.
Andy