Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Fabz
Contributor

SSL Inspection - High Utilization

Hi Checkmates,

I enable  SSLinspection for outbound, then facing high utilization from 30% to 65%. is it normal?

From this im trying to tuning the current configuration because too many policy and some of the policy is duplicate.

In the CP, what is going to check first? Access Control Policy or HTTP Inspection?

  • Access Control > HTTP Inspection > Threat Prevention. is it correct?

 

and last, does anyone know how to anticipate HSTS error after enable HTTP Inpsection? because some of web got this error message and cant open. Thanks!!

0 Kudos
3 Replies
the_rock
Legend
Legend

Your best bet is to use below sk to troubleshoot, as well as wstlsd debug:

https://support.checkpoint.com/results/sk/sk112066

Whats your utilization when https inspection is off?

Andy

0 Kudos
Chris_Atkinson
Employee Employee
Employee

Yes there is an overhead involved depending on your traffic mix & configuration.

To start review your HTTPS inspection policy - refer:

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Setup/td-p/83504#M27820

https://community.checkpoint.com/t5/Management/HTTPS-Inspection-Policy-Rule-Order/td-p/128681#M27952

From there investigating further with HCP might yield additional clues.

CCSM R77/R80/ELITE
0 Kudos
Timothy_Hall
Champion
Champion

There will definitely be a significant amount of overhead incurred due to the overhead of HTTPS encrypt/decrypt operations, this is not really avoidable or offloadable into silicon/hardware at this time.

Traffic must be accepted by the Firewall/Network policy layer before the HTTPS Inspection Policy is examined, and it is matched against the pre-NAT packet IP addresses, just like the Firewall/Network policy layer.

Overhead will also increase due to there now being more decrypted traffic for the various blades to inspect, whereas before HTTPS Inspection the traffic was encrypted between client and server and could not be inspected at all.  This can be mitigated somewhat by configuring the Blades column of the HTTPS Inspection policy to limit what blades inspect which decrypted traffic, but this is rarely employed.

However a truly amazing amount of overhead can be saved by properly ordering your HTTPS Inspection Policy rules to avoid the invocation of Medium Path Active Streaming for Bypass actions wherever possible.  It is a bit complicated to explain, so here are the current pages related to this topic from my R81.20 Gateway Performance Optimization Course:

https1.pnghttps2.pnghttps3.pnghttps4.png

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events