Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
flachance
Advisor
Jump to solution

HTTPS inspection causing timeout

Hi,

 

Firewall is running R80.20.

We have a web server used for clients to upload files.

Https inspection is enabled and setup for incoming connections to this server.

When they try to upload large files around 350MB it times out.

If I disable https inspection it works. Is there any limitations for HTTPS inspection and large file?

 

Thanks

Francis

0 Kudos
1 Solution

Accepted Solutions
flachance
Advisor

Looks like the issue was with HTTP/2. TAC advised to disable it with 

  1. ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
  2. cpstop;cpstart

Although HTTP/2 is supposed to be supported, it did fix our issue.

View solution in original post

0 Kudos
20 Replies
Lesley
Leader Leader
Leader

Version is to old to give any good advice. 

Maybe start with upgrade if not possible you can check: https://support.checkpoint.com/results/sk/sk150933

-------
If you like this post please give a thumbs up(kudo)! 🙂
0 Kudos
flachance
Advisor

Oups I did it again. It's a typo. We're at R81.20

0 Kudos
the_rock
Legend
Legend

Yea, thats a tricky problem, specially if its inbound https inspection. I would personally open TAC case, but they will probabl;y ask you to debug wstlsd process.

Andy

https://support.checkpoint.com/results/sk/sk112066

0 Kudos
PhoneBoy
Admin
Admin

It may not be HTTPS Inspection, but one of the other Software Blades.
What is enabled here?

0 Kudos
flachance
Advisor

IPSec VPN, Mobile Access, Application Control, URL filtering, Identity Awareness, Cluster XL, Monitoring, IPS, Anti-Bot, Anti-Virus.

As I get more detail about this, It's not just for very large file upload. It's for any file upload but it's intermittent, sometime it works sometime it doesn't. Though the larger the file, the more it seems to fail.

But if I disable HTTPS inspection for incoming connections to that web server, it works every time.

0 Kudos
the_rock
Legend
Legend

I would still follow the sk I gave you, because it may help you lots before opening TAC case, as Im fairly sure they would ask you to run that debug.

Andy

0 Kudos
flachance
Advisor

Yes, I did that and opened a ticket. We'll see what they say.

0 Kudos
the_rock
Legend
Legend

To help you out further, if you are allowed to, I am happy to check the debug myself, as long as you are allowed to send it.

Best,

Andy

0 Kudos
flachance
Advisor

Thanks Andy, I appreciate the offer. I don't think I'm allowed so I'll wait for TAC's answer. I'll post updates when they get back to me.

 

0 Kudos
the_rock
Legend
Legend

Totally fair, I dont want you to be in trouble because of that. Let us know what TAC says. Hope there is quick solution.

I am running really good https inspection lab on R81.20, so will log in later and see if there are some settings in legacy dashboard that could cause this. Will take some screenshots and send it over, just working on some Azure stuff now, so may be in couple hours or so.

Best,

Andy

the_rock
Legend
Legend

K, just taking a break from Azure stuff, man, its like a mammoth of things lol

Anywho, I attached what I was referring to. Would you mind please let us know how you have those configured?

Best,

Andy

0 Kudos
flachance
Advisor

HTTPSValidationSettings.JPGCapture1.JPG

0 Kudos
the_rock
Legend
Legend

Looks right to me...anyway, lets wait see what TAC says. Im super curious how this gets solved.

Andy

0 Kudos
PhoneBoy
Admin
Admin

What Threat Prevention profile applies to this connection?
Is it a custom profile or one of the standard ones (e.g. "Optimized")?
Or are you using Autonomous Threat Prevention?

0 Kudos
flachance
Advisor

custom. Capture3.JPG

0 Kudos
the_rock
Legend
Legend

That has to work 100%. I have client that implemented inbound https inspection on R81.10 and there were no issues. I would expect it to be better in R81.20

Andy

0 Kudos
Alex-
Leader Leader
Leader

I would change Low Confidence from Detect to Inactive.

0 Kudos
flachance
Advisor

You know, that's not a bad idea at all. I don't recall ever having any use for Low Confidence detection.

0 Kudos
flachance
Advisor

Looks like the issue was with HTTP/2. TAC advised to disable it with 

  1. ckp_regedit -a SOFTWARE\\CheckPoint\\FW1 IGNORE_ALPN_EXTENSION 1
  2. cpstop;cpstart

Although HTTP/2 is supposed to be supported, it did fix our issue.

0 Kudos
the_rock
Legend
Legend

Thats really good to know, thanks for letting us know.

 

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events