
SSL Inspection - High Utilization

Hi Checkmates,

I enabled SSL inspection for outbound, and am now facing high utilization, from 30% to 65%. Is it normal?

Because of this, I'm trying to tune the current configuration, because there are too many policies and some of the policies are duplicates.

In the CP, what is going to be checked first? Access Control Policy or HTTP Inspection?

  • Access Control > HTTP Inspection > Threat Prevention. Is it correct?


And last, does anyone know how to anticipate the HSTS error after enabling HTTP Inspection? Because some websites get this error message and can't be opened. Thanks!!

0 Kudos
3 Replies

Your best bet is to use the sk below to troubleshoot, as well as wstlsd debug:

What's your utilization when HTTPS inspection is off?


0 Kudos
Employee

Yes there is an overhead involved depending on your traffic mix & configuration.

To start, review your HTTPS inspection policy - refer:

From there investigating further with HCP might yield additional clues.

0 Kudos

There will definitely be a significant amount of overhead incurred due to the overhead of HTTPS encrypt/decrypt operations; this is not really avoidable or offloadable into silicon/hardware at this time.

Traffic must be accepted by the Firewall/Network policy layer before the HTTPS Inspection Policy is examined, and it is matched against the pre-NAT packet IP addresses, just like the Firewall/Network policy layer.

Overhead will also increase due to there now being more decrypted traffic for the various blades to inspect, whereas before HTTPS Inspection the traffic was encrypted between client and server and could not be inspected at all. This can be mitigated somewhat by configuring the Blades column of the HTTPS Inspection policy to limit what blades inspect which decrypted traffic, but this is rarely employed.

However, a truly amazing amount of overhead can be saved by properly ordering your HTTPS Inspection Policy rules to avoid the invocation of Medium Path Active Streaming for Bypass actions wherever possible. It is a bit complicated to explain, so here are the current pages related to this topic from my R81.20 Gateway Performance Optimization Course:


0 Kudos

