@Wolfgang  
only default predefined rule

Did you install the policy after enabling HTTPS Inspection in the FW object? 🙂

I'm new in checkpoint environment 😁, but if you mean it (see screenshot) then yes

No proxy not used, if i right you understand

Yes, gateway inline en route to the internet. Checked Network topology, and External interface set as External zone (it's has not been mark as External zone), install policy, but it's did not affect

Not sure that right understand, but create bypass "test rule" and enable log tracking:

And now in logs & monitor tab if set filter as HTTPS Inspection may be view this:

But unfortunately certificate not substituted after that
--------
PS English is not my native language, so please be kind to my mistakes )))

You might wanna redact the public IPs next time and don't worry about your english 🙂 Your Interface names look strange to me, do they match the names as configured on the gateway OS?  Can you switch the HTTPS Inspection rules around?

In gateway OS interface have this names, they don't match with names in SmartConsole:


With inspections rules, i try some experiments

This looks good. HTTPS inspection catches the traffic, but it‘s bypassed regarding your rule. Something with defining the „internet“ as destination in your second rule does work like you want. Have a look at @Danny great post  Properly defining the Internet within a security policy 

You can try to define another rule first with your client as source and destination any with action „inspect“ to see if this connection will be intercepted.

I'm try to define first rule with destination any instead "Internet" for my client machine, but in logs not showing record with "inspect" action for Https inspection. Of course 😀 after create rule and install policy, tried to open some https sites in Chrome

By the way, your last rule in the HTTPS Inspection policy should be any any bypass.
Without that, you very likely will have performance issues 

It's another topic but to me in newer versions of the Smart Console it should be the default behaviour with a warning message if it doesn't exist, similar to the message if an inline layer is missing a cleanup rule. It doesn't make sense to have Tech Talks explaining that it's best practices to have any/any/bypass to prevent performance issues due to undefined sessions and have the system out of the box doing the exact opposite, causing issues to unsuspecting customers.

Agree cold heartedly.

I have tried all of this stuff but I still cannot figure out by the https inspection is not inspecting. it shows bypassing logs but no inspection logs

See if my post below helps, if not, we can do remote. I have perfectly working ssl inspection lab.

Andy

https://community.checkpoint.com/t5/Security-Gateways/Https-inspection-tip/m-p/219139

hi Andy, Thank you very much for you help. yes a remote session would be very helpful. here is what I did to configure https inspection and let me know if there something that I missed : 

I tried in my lab it does not seem to "inspect" traffic. when I set the https policy to inspect I do not see any logs of inspection but when I set it to bypass I see the logs of bypassing.

1. I enbaled application and url filtering blade
2. enabled https inspection. created the certificate and exported it and isntalled it on the client machine. I checked the browser certificate repository to make sure taht the certificate was installed and it was.
3. enabled the application and url filtering on the access policy
4. set the https policy to any any inspect and log
5. installed access policy

when I visit https website and I try to check the logs to see the inspection, I don't see anything. and on the browser when I click to which certificate is being used I don't see the one that I created.

Just came back from long bike ride, saw your update 🙂

Anyway, since Im on call with work for this and next weekend, I usually do some labs on Sundays anyway, so let me know, happy to do remote and help you.

Just message me directly, we can do zoom. I have my private gmail one, as my company uses teams, but its good for 40 mins and if we need another one, we just wait 10 mins and "fire up" next session.

Let me know.

Best,

Andy

Thank you for the remote session Andy that was very helpful as you have managed to find the solution.

as I may believe the solution was to create another layer with application and url filtering enabled but you also mentioned that such could be accomplished on the same layer but its perefable to do it on another layer.  and also to have the "fail mode"  on "fail close block all requests"

thank you very luch again

Its pleasure to help man, any time. Now, I will go eat some "home made" Mcdonalds fries 🤣🤣

Andy