This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
xiro
Contributor
‎2022-11-28 04:53 AM

HTTPS Inspection - Performace issues at first page request / VSX

Hi, 

we have a VSX implementation with 5 different VS, and for one of them we just enabled HTTPS-Inspection.

Unfortunately the users are complaining constantly about performance & sites that are not working properly. We have bypassed already dozens of sites, (even low/very low category), but it won't get better.

Besides sites that mitigate Inspection by design (banking), one main issue is that the first access to a page is extremely slow (e.g. apple.com). Afterwards, all other requests work fine. In older versions we had similar issues that we could fix with mechanisms like "probe bypass". But our VSX is running on 81.10, therefore probe bypass should be irrelevant (since 80.30).

The Site Categorization mode is set to "Hold", but despite changing it to "Background" (installing DB, installing VS-policy, installing VS0-policy), the changes are not having any effect on the behavior. Fail Mode is "fail-open".

 The GWs are bored to death (10% CPU load during business hours).

 

Any ideas what else we could check or try to improve the user experience?

 

0 Kudos
7 Replies
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-28 05:24 AM

Some questions for context:

Have you checked if the trusted CA list is up to date?

Check Internet access works for CRL checks?

How is the HTTPS inspection policy structured?

Which JHF is the cluster currently installed with?

CCSM R77/R80/ELITE
0 Kudos
xiro
Contributor
‎2022-11-28 08:31 AM
In response to Chris_Atkinson

- Yes, CAs are fine

- Internet access works properly, but we get CRL detect messages in the logs (details below)

- Policy is simple with a few rules: Bypass by source, destination, URL/Category, "CP-recommended services" and afterwards an "inspect any"

- R81.10 T55

 

Regarding CRL: We saw constant detects, mainly to Microsoft services and I tried to trace that down. 

I believe that this issue is because of an error in the certificate of MS itself -> the CRL link seems to contain a space at the end, therefore CP fails to access it: 

1.png

2.png3.png

This is the issue that occurs constantly, since the service seems to be accessed by Windows constantly. Otherwise there are only a few logs due to expired certs or similar.

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2022-11-28 05:12 PM
In response to xiro

Since we check the certificate as part of HTTPS Inspection (including the CRL), perhaps the issues with this are creating the delays?
I know you can disable CRL checking in HTTPS Inspection, which isn't necessarily recommended.

0 Kudos
Chris_Atkinson
MVP Platinum CHKP MVP Platinum CHKP
MVP Platinum CHKP
‎2022-11-29 01:44 AM
In response to xiro

Regarding the HTTPS Inspection policy structure the following may be helpful for you:

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/m-p/127750/highlight/true#M278...

CCSM R77/R80/ELITE
0 Kudos
_Val_
Admin
Admin
‎2022-11-28 05:37 AM

I would suggest checking internet connectivity from the VSX cluster, including VS0. Check that DNS is working, and connections from your VSX GWs to Internet are not blocked. 

0 Kudos
xiro
Contributor
‎2022-11-28 07:40 AM
In response to _Val_

the vsx is connected directly to the internet (nothing in between), all connections and checks are fine...

0 Kudos
_Val_
Admin
Admin
‎2022-11-29 01:27 AM
In response to xiro

Then, if you cannot find any obvious issue, please take it with TAC.

According to your description, it sounds like a connectivity issue causing a delay with certificate validation, but it might be also something else. Aks support to look into this.

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events