This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
XC
Explorer
‎2019-10-29 05:16 AM

Proxy settings

Hi,

Using R77.30

I'm getting the following log entry when attempting to access a website using https that's been allowed in the policy:

 

"Proxy: Internal error; Connection was rejected due to internal error"

 

The firewall cluster is set up to use the gateway as a HTTP/HTTPS Proxy in Non Transparent mode

Specific interfaces - inlcudes the LAN interface

 

Ports 8081 and 8080

 

Does anything need to be set on the client side to bypass the proxy, or any other changes required on the firewall?

Many thanks for any advice on this.

 

0 Kudos
6 Replies
PhoneBoy
Admin
Admin
‎2019-10-31 03:46 AM

Can you access the same URL via a different connection?
Is the Security Gateway able to resolve the DNS query for the same URL?
See: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
0 Kudos
XC
Explorer
‎2019-10-31 04:35 AM
In response to PhoneBoy

Hi PhoneBoy,

 

Thank you for your response, yes the URL can be accessed outside of our organisation on non LAN internet connection.

 

Unfortunately I don't have access to any Checkpoint support therefore the link doesn't really help.

 

Kind regards

XC

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-10-31 07:55 AM
In response to XC

Can you log onto the gateway and see if it is able to look up the DNS name?
That is suggested by the link I provided.
0 Kudos
XC
Explorer
‎2019-10-31 09:12 AM
In response to PhoneBoy

Hi, 

thanks, I logged on and no it doesn't look up the DNS name.

 

Cap3.JPG

The top lookup doesn't work but the bottom one does.

These are two different addresses hosted in AWS, the top one is a new site that needs to be accessed by users, the bottom one is the original one.

Rgds

XC

0 Kudos
Maarten_Sjouw
Champion
Champion
‎2019-10-31 05:12 AM

Why are you using the Gateway as a proxy? This has a huge impact on the load of your gateways, secureXL (accelleration) is completely bypassed.
The firewall needs to allow traffic from the clients to its interface on the ports 8080 and 8081 and from the gateways you need to allow all traffic to port 80 and 443 (and any other port that needs to be allowed).
In your application/urlf policy all destinations need to be empty.
Regards, Maarten
0 Kudos
XC
Explorer
‎2019-10-31 06:57 AM
In response to Maarten_Sjouw

Hi Maarten,

 

thank you for your input, this is how I inherited the system, I'm not overly familiar with Checkpoints having primarily worked with Cisco and Juniper previously.

 

The Application/URL filtering blade is allowing the traffic using a catch all rule at the bottom of the policy:

 

 
 

Cap1.JPGCap2.JPG

 

Thanks.

XC

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    In-Person

    Tue 18 Mar 2025 @ 09:30 AM (EET)

    CheckMates Live Greece
    In-Person

    Tue 25 Mar 2025 @ 09:00 AM (EDT)

    Canada In-Person Cloud Security with Hands-On CloudGuard Workshops!
    In-Person

    Tue 25 Mar 2025 @ 12:00 PM (MDT)

    Salt Lake City: CPX 2025 Recap
    In-Person

    Tue 08 Apr 2025 @ 12:00 PM (MDT)

    Denver: CPX 2025 Recap
    CheckMates Events
    li.common.scroll-to.top