We have R80.40 installation (SMS + GW Cluster), which was migrated from R77.30.
This GW cluster is set up as explicit proxy for some clients.
We have 2 ordered layers: Security and Application.
On both layers we have a rule that allow traffic from client hosts to GW cluster via ports 8080 and 3128 (HTTP &HTTPS proxy and Squid_NTLM).
On Application layer we have rules that allow traffic from client hosts to Intetrnet with specified URLs and applications.
Everything was fine on version R77.30, but after migration we have an issue:
Traffic received by Checkpoint proxy is forwarded to Internet without enforcing URL filtering policy.
I can see in logs 2 different events:
1) Traffic from client host to Checkpoint proxy (port 3128 and 8080) is accepted by correct rules on Security and Application layer (event type Firewall)
2) Traffic from GW to external web resource is accepted on Security layer with Implied rule 0 and no checks on Application layer is performed.
I've tried to disable in Global policy "Accept outgoing packets originating from security gateway" parameter and create separate explicit rule to allow GW cluster to communicate with "Any" destinations.
I've checked according to sk112939 "Enable HTTP inspection on non standard ports for the Application Control & URL Filtering Blades" - we have it turned on, but it's not helping.
I've checked Implicit cleanup settings on Security and Application layers - both are set to "Drop".
I've checked Implicit rules in $FWDIR/state/local/FW1/local.implied_rules - there is no rule with ID 0.
I've rebooted SMS and reinstalled the policy - no effect.
Please, can anyone tell me why we are getting this implied rule here? How can we enforce URL filtering policy on proxied traffic again?