I am not sure position 7 is recommended. Regardless of whether you are doing the inbound or outbound inspection, the cleanup rule as described will cause ALL HTTPS connections to be tagged by wstlsd daemon, and this might cause memory and performance issues. 

This point was widely debated both internally and outside of Check Point, and my personal understanding is, that it is best to limit the explicit cleanup rule to other than ANY for destination and potentially source as well.

For example, if you are doing outbound inspection only, and only for your internal networks, you can use <Internal NETS> - <Internet>-<HTTPS>-BYPASS. That would significantly reduce work for wstlsd with tagging anything HTTPS crossing your GW.

That makes sense - thanks - will update my post!

I think a year ago we had a TAC case because of some problems with HTTPS inspection and they confirmed the any/any-bypass rule to be good. Maybe a SK with such a Rulebase Order would be a great idea 😉

As I said, there is a long discussion. For small and medium-sized environments, any-any can be okay. However, we have indications from actual field deployments with lots of HTTPS traffic, that under certain conditions any-any can lead to excessive and unnecessary tagging, hence my note. 

Just to clarify, it is quite hard to define a single size fits all best practices guidance in security. For example, having a stealth rule up in your policy is considered a best practice, but it also causes breakage of acceleration templates and may lead to severe performance degradation, depending on that rule position and amount of traffic crossing your security GW. 

I myself was recommending the any-any-bypass HTTPSi rule for years. I do not do that anymore, as I have seen the cases when this practice is no longer considered "the best".

In the case of our client, we only carry out exit inspection for its internal networks. However, we see that it is inspecting internal traffic, and is generating alerts. This is appearing to affect consumer services.

Do you want to inspect internal HTTPS Traffic or only external Traffic? Please share your rulebase if possible. Also note that the gateway itself has to reach the destination in order to validate the certificate etc. Maybe that's missing?

I only want to inspect external traffic. In R80.10 we dont have this issue, and in R81.10 with the same rules we are getting that alert and I think is inspection internal traffic. 

So, we have a specific rule with OCSP service to validate the certificates. 

Due to the problems of HTTPS Inspection we did a bypass to Internet, because we getting slowness in all network. We dont have inspect to Interntal traffic, and it's the strange why we are getting an alert between internal traffic. 

Show us the rule that says Inspect, and also the bypass rule at the bottom

In this moment we have all rules inspect disabled. 

As you see the most rules are in bypass and the inspect rules are disabled due to the fact that  we have slowness in all networks. 

Maybe the "Internet" object is broken or not correctly defined. Have you tried to work with negating a group with all RFC1918 networks? Here are some thoughts about different options: Properly defining the Internet within a security p... - Check Point CheckMates

The Internet object is predefined for Check Point in SmartConsole, it can be used only in App Control or URL Filtering and in HTTPs Inspection. For another rules I use a negate group with RFC1918 networks. But I am going to test. 

Yes, I know but the Internet object is calculated based on the Gateways topology. If for any reason your internal networks are declared as external or DMZ you can have exactly this problem.

And this is the configuration in HTTPs Ispection

Only 443 should be on the ports to be inspected? We also have bypass rules for specific networks but many times this fails.

Additionally, would a CoreXL configuration be needed? We are working with 15600 equipment and in version R80.10 we did not have the problems with Inpection.