SSL Inspection - High Utilization
Hi Checkmates,
I enabled SSL inspection for outbound, and am now facing high utilization, from 30% to 65%. Is it normal?
From this I'm trying to tune the current configuration, because there are too many policies and some of the policies are duplicates.
In the CP, what is going to be checked first? Access Control Policy or HTTP Inspection?
- Access Control > HTTP Inspection > Threat Prevention. Is it correct?
And last, does anyone know how to anticipate the HSTS error after enabling HTTP Inspection? Because some websites get this error message and can't be opened. Thanks!!
Your best bet is to use the sk below to troubleshoot, as well as wstlsd debug:
https://support.checkpoint.com/results/sk/sk112066
What's your utilization when HTTPS inspection is off?
Andy
Yes, there is an overhead involved depending on your traffic mix & configuration.
To start, review your HTTPS inspection policy; refer to:
https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/td-p/83504#M27820
https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Policy-Rule-Order/td-p/128681#M27952
From there, investigating further with HCP might yield additional clues.
There will definitely be a significant amount of overhead incurred due to the overhead of HTTPS encrypt/decrypt operations; this is not really avoidable or offloadable into silicon/hardware at this time.
Traffic must be accepted by the Firewall/Network policy layer before the HTTPS Inspection Policy is examined, and it is matched against the pre-NAT packet IP addresses, just like the Firewall/Network policy layer.
Overhead will also increase due to there now being more decrypted traffic for the various blades to inspect, whereas before HTTPS Inspection the traffic was encrypted between client and server and could not be inspected at all. This can be mitigated somewhat by configuring the Blades column of the HTTPS Inspection policy to limit what blades inspect which decrypted traffic, but this is rarely employed.
However, a truly amazing amount of overhead can be saved by properly ordering your HTTPS Inspection Policy rules to avoid the invocation of Medium Path Active Streaming for Bypass actions wherever possible. It is a bit complicated to explain, so here are the current pages related to this topic from my R81.20 Gateway Performance Optimization Course:
