Laxi_D
Contributor

HTTPS inspection in Proxy environment

We have a proxy server which is processing all HTTPS and HTTP traffic. Is there any best practice for enabling HTTPS inspection on the edge Check Point gateway?

5 Replies
PhoneBoy
Admin

You would treat the proxy server just as a client, which means configuring it to trust the CA certificate Check Point uses for HTTPS Inspection.

Hugo_vd_Kooij
Advisor

There is a potential pitfall there. From the perspective of the firewall it's 1 client doing a lot of HTTP and HTTPS sessions. That might get you into trouble where you overload 1 worker and get poor responses.

I strongly suggest you enable Dynamic dispatching as detailed in sk105261: CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above, as it will ruin your day if you start doing HTTPS inspection without it and your gateway gets hit by all that proxy traffic.

Also, if you do HTTPS inspection on the proxy... you might not want to do it again on the gateway. It will ruin your response times, as you may notice when people find that webpages load slower.

As with anything in life: just give it some thought before you start implementing it. There is definitely more to it than meets the eye.

<< We make miracles happen while you wait. The impossible jobs take just a wee bit longer. >>
Laxi_D
Contributor

The main reason for activating HTTPS inspection on the firewall is the SandBlast Appliance. Without HTTPS inspection, threat emulation is in vain, right?

0 Kudos
PhoneBoy
Admin

You're going to miss a bunch of potential threats without HTTPS Inspection, yes.

Albert_Wilkes
Collaborator

Consider having your proxy in a DMZ so the CP sees the proxied ("CONNECT") request rather than an encrypted tunnel only, as it will have an impact on whether the CP will be able to learn the actual hostname or just the certificate information. This is particularly important for correctly logging or bypassing sites that are hosted on a service like Cloudflare, where the logging and bypassing information would otherwise only show Cloudflare rather than the actual website. See my research here https://community.checkpoint.com/thread/7621-https-inspection-real-life-examples-and-caveats-in-r773...

0 Kudos
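
The difference described in the reply above, as an added example that is not part of the original thread and not Check Point code: it looks at the first bytes of a client-side connection and reports whether a plaintext `CONNECT` target is available for a hostname-based bypass or log entry. The bypass list, function names and sample bytes are constructed for illustration.

```python
import re

# Constructed bypass list (hypothetical names, not from the thread).
BYPASS_SUFFIXES = ("bank.example",)

# Constructed samples: a proxy CONNECT request and the start of a TLS record.
CONNECT_SAMPLE = (b"CONNECT www.bank.example:443 HTTP/1.1\r\n"
                  b"Host: www.bank.example:443\r\n\r\n")
TLS_SAMPLE = b"\x16\x03\x01\x02\x00\x01\x00\x01\xfc\x03\x03"

# Authority-form request target: reg-name/IPv4 or bracketed IPv6, then a port.
_CONNECT_RE = re.compile(
    rb"^CONNECT[ ]+(\[[0-9A-Fa-f:.]+\]|[^\s:\[\]]+):(\d{1,5})[ ]+HTTP/1\.[01]\r?\n"
)

def visible_target(first_bytes: bytes):
    """Return (kind, host, port) for the first bytes seen on a connection.

    kind is "connect" when a plaintext CONNECT request is visible, "tls" when
    the stream starts with a TLS handshake record, and "other" otherwise.
    """
    m = _CONNECT_RE.match(first_bytes)
    if m:
        host = m.group(1).decode("ascii", "replace").strip("[]").lower().rstrip(".")
        port = int(m.group(2))
        if port > 65535:
            return ("other", None, None)
        return ("connect", host, port)
    # TLS record header: content type 0x16 (handshake), major version 0x03.
    if len(first_bytes) >= 3 and first_bytes[0] == 0x16 and first_bytes[1] == 0x03:
        # This sketch does not parse the handshake; per the reply above, the
        # gateway is then left with certificate information for the site.
        return ("tls", None, None)
    return ("other", None, None)

def bypass_by_hostname(first_bytes: bytes) -> bool:
    """True only when a CONNECT hostname is visible and is on the bypass list."""
    kind, host, _ = visible_target(first_bytes)
    if kind != "connect":
        return False  # no plaintext hostname to match against
    # Match the name itself or a true subdomain, never a bare string suffix.
    return any(host == s or host.endswith("." + s) for s in BYPASS_SUFFIXES)

if __name__ == "__main__":
    for name, sample in (("CONNECT", CONNECT_SAMPLE), ("TLS", TLS_SAMPLE)):
        print(name, visible_target(sample), bypass_by_hostname(sample))
```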
