CheckMates (Products > Quantum > Security Gateways)
HTTPS inspection not working correctly
Colleagues, good afternoon. When testing the equipment, we faced the following problem. When HTTPS inspection is enabled, web pages on client machines do not open correctly. That is, they may not open completely, or remain empty. Some links do not open at all.
Our equipment: model 6200 / Cluster HA / R 80.40 / Take118 / dedicated management server. We use a self-signed certificate issued by our CA. The number of users at the moment is about 300. However, the same symptoms were observed with a few users.
I would be very grateful for help in finding the reason.
There's a bunch to go through to properly create an HTTPS Inspection setup.
The following TechTalk is very interesting to ensure you have a good baseline policy, especially if you're evaluating the solution.
Thank you very much for your reply. The video is very informative, as is the rest of the information.
Unfortunately, no solution to our problem has been found yet.
Hello, this could be an issue with Take 118. We (and also 5 other Check Point customers) also have problems since Take 118: SSL Inspection is very slow.
Regards,
Jan
Hello, the previous Take showed the same picture.
I can confirm that we have the same issue with two of our customers after upgrade to Take 118. Did you open a TAC ticket?
With the previous patch, the situation was the same. The transition to 118 did not change anything. We turned to TAC. We are waiting for a decision.
Just to cover the fundamentals, do you have this self-signed cert issued by your CA installed on your clients' machines as a trusted root CA?
Are those Macs or PCs?
What kind of browsers are you using? Some rely on their own certificate repository, instead of Windows.
All inspection settings were made according to the guidelines and best practices. Initially, we used a certificate issued by our CA for Check Point, namely a certificate for a subordinate CA. Accordingly, client machines in the domain trusted it. Clients use Windows OS. The preferred browser is Chrome, but some also use Firefox, which needs to be additionally configured so that it accesses the system certificate store. As a result, the certificates are where they should be, and clients trust them. We turn on the inspection and observe strange behavior when opening web pages. Something is opened, something is not, something is partial. In search of reasons, we changed the certificate to a self-signed Check Point one and distributed it to clients, but unfortunately the picture remained the same.
One could say that the load for the 6200 is too heavy. 300 users. But according to CPView, the load on the cores is 35 percent on average, there is enough memory.
Is it safe to presume that you have updated the trusted root CA store on Check Point (https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut... )?
If it is done, can you post the sanitized HTTPS inspection policy for us to take a look at?
Do you, perchance, block QUIC/HTTP3 (UDP on port 443)?
Also, it'll be helpful if you can provide a few sites that you are experiencing issues with.
P.S. Just in case, can you confirm that there is no EDR or AV on the clients that is also performing HTTPS inspection?
Can you check this in the sites that are successfully loading and those that are not and report your findings?
Problems mainly with search engines, large aggregators ...
Yes, the CA list is up to date.
QUIC is blocked by the cleanup rule of the firewall.
AV does not perform HTTPS inspection.
If the site does not load correctly, everything is fine on the security tab.
Hi there, experiencing the same issues.
Did you come across any solution for this issue?
Hello,
we have a Hotfix running on Take 125. Our SR was SR#6-0003021978.
Regards,
Jan
We recently turned on HTTPS Inspection and used Best Practice setup. We are using a Gateway self-signed cert and have pushed it out to clients. Our HTTPS Inspection policy is applied on a very small sub set of devices and networks for testing purposes before applying it to more enterprise wide. We have also noticed some strange behavior when opening web pages. Some pages may load as expected, some pages do not load, and some pages may only load partially. The partially loading seems to be the most common but all of it is somewhat random in nature and not related to specific sites. When either a page doesn't load or somewhat loads a simple refresh will make the page load. The partial loading does seem to be most present on sites that may have more content delivery images and links present. That is where you may see partial images load. This behavior can be noticed across all web browsers. We are hesitant to push this out to more networks until finding a resolution.
I just came across this article in my research and see some similarities to our setup and experience. We have engaged TAC. In the meantime hoping to see if anyone has additional feedback or possible resolution in their scenario.
Many Thanks.
I suggest you ask in a separate post and ask for guidance. There is no need to hijack someone else's thread.
Did you get any PMTR number for this issue?
Hi Jan,
Did the hotfix solve your issue?
Thanks
Hello,
yes, the hotfix resolved our issue. But with Take 87, which we are running now, we don't have to install a hotfix anymore.
Regards,
Jan
Any Drops, or HTTPS Inspection Logs associated with the traffic that might indicate an error/failure/drop?
Some Examples:
- Internal system error in HTTPS Inspection (Error Code: 1)
- Internal system error in HTTPS Inspection (Error Code: 3)
- Internal system error in HTTPS Inspection due to categorization service timeout
- Internal system error in HTTPS Inspection process during SSL negotiation
If there's nothing clearly seen here, it may be worth taking a packet capture from the client PC/firewall to see how the TCP handshake is going, how the Server/Client Hellos are working, TLS, etc.
You can compare this to a packet capture of the same site without HTTPS Inspection enabled, and compare/contrast for a better understanding of "where" it is breaking.
Also a side-note that might not apply: Sometimes we can see RAD (Resource Advisor) Timeout/Error for Application Control/URL Filtering causing holdups while the HTTPS inspection is working fine.
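As an added example (not from the thread or from Check Point), here is a small Python triage script that runs over constructed sample log lines and counts, per site, the three things the post above says to look for: the HTTPS Inspection error messages, QUIC drops on UDP 443 from the cleanup rule, and RAD timeouts. The key=value field layout, the field names and the "RAD timeout" wording are assumptions; only the error strings come from the post.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines (not real gateway output); field names/layout are an
# assumption, only the HTTPS Inspection "reason" strings are taken from the thread.
SAMPLE_LOGS = [
    'time=10:00:01 action=Accept blade="HTTPS Inspection" proto=tcp service=443 src=10.0.0.5 dst=203.0.113.10 site="search.example"',
    'time=10:00:01 action=Drop blade=Firewall rule="Cleanup rule" proto=udp service=443 src=10.0.0.5 dst=203.0.113.10 site="search.example"',
    'time=10:00:03 action=Bypass blade="HTTPS Inspection" proto=tcp service=443 src=10.0.0.5 dst=203.0.113.20 site="news.example" reason="Internal system error in HTTPS Inspection (Error Code: 1)"',
    'time=10:00:04 action=Bypass blade="HTTPS Inspection" proto=tcp service=443 src=10.0.0.7 dst=203.0.113.20 site="news.example" reason="Internal system error in HTTPS Inspection process during SSL negotiation"',
    'time=10:00:05 action=Accept blade="URL Filtering" proto=tcp service=443 src=10.0.0.7 dst=203.0.113.30 site="cdn.example" reason="RAD timeout"',
    'time=10:00:06 action=Accept blade="HTTPS Inspection" proto=tcp service=443 src=10.0.0.7 dst=203.0.113.30 site="cdn.example"',
]

# key=value pairs; values may be double-quoted and then may contain spaces
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
ERROR_PREFIX = "Internal system error in HTTPS Inspection"

def parse_line(line):
    """Split one log line into a dict of field name -> value."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in FIELD_RE.finditer(line)}

def classify(fields):
    """Return a triage label for a parsed line, or None if it is unremarkable."""
    reason = fields.get("reason", "")
    if reason.startswith(ERROR_PREFIX):
        return "inspection_error"   # one of the messages listed in the post above
    if (fields.get("action") == "Drop" and fields.get("proto") == "udp"
            and fields.get("service") == "443"):
        return "quic_drop"          # expected when QUIC is blocked; the browser falls back to TCP
    if "RAD" in reason:             # Resource Advisor timeout (App Control / URL Filtering), assumed wording
        return "rad_timeout"
    return None

def triage(lines):
    """Count triage labels per site so broken sites can be compared with working ones."""
    per_site = defaultdict(Counter)
    for line in lines:
        fields = parse_line(line)
        label = classify(fields)
        if label is not None:
            per_site[fields.get("site", "?")][label] += 1
    return {site: dict(counts) for site, counts in per_site.items()}

if __name__ == "__main__":
    for site, counts in triage(SAMPLE_LOGS).items():
        print(f"{site}: {counts}")
```

Sites that only show a QUIC drop (the browser then retries over TCP) are behaving as expected; sites with repeated inspection errors or RAD timeouts are the ones worth capturing with and without inspection, as the post suggests.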
Import internal CA to client
