This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Nenad_D
Participant
‎2023-03-09 03:52 AM
Jump to solution

HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy

Hello community,

 

I would like to know whether there is a way to configure HTTPS Inspection Bypass for a certain domain (e.g. google.com) when using Security Gateway (in our case a virtual system / VSX environment) as HTTPS Proxy (non-transparent)!?

When configuring a bypass rule in HTTPS Inspection Policy with Security Gateway / Virtual System as Destination then it works, but then all relevant traffic will bypass HTTPS Inspection (for traffic from client to Security Gateway / HTTPS Proxy) and that's not desired configuration.

 

R81.10 JHF Take 79 is installed on the Security Gateways and Management Server.

 

Thanks in advance for your help!

Best Regards

Nenad

0 Kudos
1 Solution

Accepted Solutions
PhoneBoy
Admin
Admin
‎2023-03-10 04:15 PM
Jump to solution

HTTPS Inspection always sees the gateway as the destination when non-transparent proxy mode is used.
As such, the HTTPS Inspection policy will never match another destination.
This is expected behavior.
https://support.checkpoint.com/results/sk/sk108706

View solution in original post

10 Replies
the_rock
MVP Diamond
MVP Diamond
‎2023-03-09 05:53 AM
Jump to solution

I remember testing this back in R77 versions, but not in R80+, so trying to remember how I made it work. I know I had to make some modifications on the gateway settings in smart console...can you send a screenshot of how https proxy tab is configured on gateway object?

Cheers,

Andy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Nenad_D
Participant
‎2023-03-09 06:23 AM
In response to the_rock
Jump to solution

Hi Andy,

here a screenshot of the HTTP Proxy tab on the Security Gateway / Virtual System object:

2023-03-09 15_18_40-Admin_Desktop_DELIN ITMGMT Server - Desktop Viewer.png

Thanks in advance for your help!

Best Regards

Nenad

the_rock
MVP Diamond
MVP Diamond
‎2023-03-09 07:03 AM
In response to Nenad_D
Jump to solution

No problem, thank you. I will have to check and see if I had to modify the actual ports at the bottom, so give me some time. Apologies, this was probably more than 7 years ago, so will need to see if I still have details on how I did this.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-09 10:32 AM
In response to Nenad_D
Jump to solution

Ok, just made it work by modifying below:

Screenshot_1.png

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Nenad_D
Participant
‎2023-03-10 12:38 AM
In response to the_rock
Jump to solution

Hi Andy,

thanks very much for sharing the information.

But I think I didn't get it how that will help to configure certain HTTPS Inspection Bypass rules when using the proxy.
Anything else I need to configure?
Could you please explain?

Thanks in advance!

Best Regards

Nenad

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-10 04:18 AM
In response to Nenad_D
Jump to solution

From notes I have, that was the only change I had to make on CP side. Can you send a screenshot of bypass rule(s)?

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
Nenad_D
Participant
‎2023-03-10 07:21 AM
In response to the_rock
Jump to solution

Hi Andy,

a common bypass rule looks like the following:

2023-03-10 16_15_14-Admin_Desktop_DELIN ITMGMT Server - Desktop Viewer.png2023-03-10 16_16_33-Admin_Desktop_DELIN ITMGMT Server - Desktop Viewer.png

I will check whether it works with proxy settings you mentioned.

Thanks!

Best Regards
Nenad

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-03-10 07:24 AM
In response to Nenad_D
Jump to solution

Sounds good, yea, bypass rule looks right to me. If it still does not work, I will dig further and see if there was anything else I had to change.

ANdy

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos
PhoneBoy
Admin
Admin
‎2023-03-10 04:15 PM
Jump to solution

HTTPS Inspection always sees the gateway as the destination when non-transparent proxy mode is used.
As such, the HTTPS Inspection policy will never match another destination.
This is expected behavior.
https://support.checkpoint.com/results/sk/sk108706

the_rock
MVP Diamond
MVP Diamond
‎2023-03-10 06:55 PM
In response to PhoneBoy
Jump to solution

Interesting...I tested this today in my R81.20 lab and when gateway is configured as non-transparent proxy, the https bypass rules worked just fine.

Best,
Andy
"Have a great day and if its not, change it"
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events