xiro
Contributor

HTTPS Inspection - Performance issues at first page request / VSX

Hi, 

we have a VSX implementation with 5 different VS, and for one of them we just enabled HTTPS-Inspection.

Unfortunately the users are complaining constantly about performance & sites that are not working properly. We have bypassed already dozens of sites, (even low/very low category), but it won't get better.

Besides sites that mitigate Inspection by design (banking), one main issue is that the first access to a page is extremely slow (e.g. apple.com). Afterwards, all other requests work fine. In older versions we had similar issues that we could fix with mechanisms like "probe bypass". But our VSX is running on 81.10, therefore probe bypass should be irrelevant (since 80.30).

The Site Categorization mode is set to "Hold", but despite changing it to "Background" (installing DB, installing VS-policy, installing VS0-policy), the changes are not having any effect on the behavior. Fail Mode is "fail-open".

 The GWs are bored to death (10% CPU load during business hours).

 

Any ideas what else we could check or try to improve the user experience?

 

0 Kudos
7 Replies
Chris_Atkinson
Employee

Some questions for context:

Have you checked if the trusted CA list is up to date?

Check Internet access works for CRL checks?

How is the HTTPS inspection policy structured?

Which JHF is the cluster currently installed with?

CCSM R77/R80/ELITE
0 Kudos
xiro
Contributor

- Yes, CAs are fine

- Internet access works properly, but we get CRL detect messages in the logs (details below)

- Policy is simple with a few rules: Bypass by source, destination, URL/Category, "CP-recommended services" and afterwards an "inspect any"

- R81.10 T55

 

Regarding CRL: We saw constant detects, mainly to Microsoft services and I tried to trace that down. 

I believe that this issue is because of an error in the certificate of MS itself -> the CRL link seems to contain a space at the end, therefore CP fails to access it: 

[Screenshots: 1.png, 2.png, 3.png]

This is the issue that occurs constantly, since the service seems to be accessed by Windows constantly. Otherwise there are only a few logs due to expired certs or similar.

 

 

0 Kudos
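The malformed CRL link described in the post above can be checked for mechanically. The following is an added example, not part of the thread and not Check Point code: it walks the DER value of a cRLDistributionPoints extension and flags URIs that contain whitespace. The sample extension, its example.test URLs and the helper names `tlv` and `sample_extension` are constructed for illustration.

```python
# Added example: flag CRL distribution point URIs (RFC 5280, 4.2.1.13) with whitespace.

def read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                          # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, buf[pos:pos + length], pos + length

def children(value, want):
    """Yield the values of nested elements whose tag equals `want`."""
    pos = 0
    while pos < len(value):
        tag, val, pos = read_tlv(value, pos)
        if tag == want:
            yield val

def crl_uris(ext_value):
    """Yield every fullName URI found in the extension value."""
    tag, points, _ = read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("expected SEQUENCE OF DistributionPoint")
    for point in children(points, 0x30):            # DistributionPoint
        for dp_name in children(point, 0xA0):       # [0] distributionPoint
            for names in children(dp_name, 0xA0):   # [0] fullName (GeneralNames)
                for uri in children(names, 0x86):   # [6] uniformResourceIdentifier
                    yield uri.decode("latin-1")

def suspicious_uris(ext_value):
    """Return URIs with whitespace or control characters anywhere in them."""
    return [u for u in crl_uris(ext_value)
            if any(c.isspace() or ord(c) < 0x20 for c in u)]

def tlv(tag, value):                           # DER encoder, used only for the sample
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_extension(uris):                    # hypothetical helper, builds test input
    return tlv(0x30, b"".join(
        tlv(0x30, tlv(0xA0, tlv(0xA0, tlv(0x86, u.encode("ascii"))))) for u in uris))

# Constructed input: the second URI ends in a space.
SAMPLE = sample_extension(["http://crl.example.test/good.crl",
                           "http://crl.example.test/bad.crl "])
```

`suspicious_uris(SAMPLE)` returns only the second URI; extracting the extension value from a real certificate is left to whatever X.509 tooling is at hand.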
PhoneBoy
Admin

Since we check the certificate as part of HTTPS Inspection (including the CRL), perhaps the issues with this are creating the delays?
I know you can disable CRL checking in HTTPS Inspection, which isn't necessarily recommended.

0 Kudos
Chris_Atkinson
Employee

Regarding the HTTPS Inspection policy structure the following may be helpful for you:

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/m-p/127750/highlight/true#M278...

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin

I would suggest checking internet connectivity from the VSX cluster, including VS0. Check that DNS is working, and connections from your VSX GWs to Internet are not blocked. 

0 Kudos
xiro
Contributor

The VSX is connected directly to the internet (nothing in between), all connections and checks are fine...

0 Kudos
_Val_
Admin

Then, if you cannot find any obvious issue, please take it with TAC.

According to your description, it sounds like a connectivity issue causing a delay with certificate validation, but it might also be something else. Ask support to look into this.

0 Kudos
