This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Help

Who rated this post

cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
_Val_
Admin
Admin
‎2025-10-27 06:24 AM

Software Blade effectiveness with and without HTTPS Inspection - sk184185

This new Secureknowledge article, sk184185, answers one very frequent question: Why do you want to enable HTTPS Inspection on your security GWs.

Here is what the SK says (quoting in full):

Without HTTPS Inspection, the Security Gateway can only inspect metadata such as domain names and TLS certificates. Most Threat Prevention blades cannot inspect encrypted payloads. With HTTPS Inspection enabled, the gateway decrypts traffic and allows full inspection by all blades.

Recommendation: Enable HTTPS Inspection for outbound traffic. Exclude sensitive domains such as banking sites or internal services to avoid privacy and performance issues.

Warning: HTTPS Inspection may impact performance and user privacy. Test in a lab environment before deployment.


Real-World Example

A user clicks a phishing link: example.com/login

  • Without HTTPS Inspection:
    • URL Filtering blocks known malicious domains.
    • Anti-Bot uses reputation and traffic patterns.
    • Encrypted payload bypasses AV/IPS.
  • With HTTPS Inspection:
    • Zero-Phishing analyses the page and injects browser protections.
    • AV/IPS inspect files and exploits inside the page.


Blade Behavior Comparison

Feature Without HTTPS Inspection With HTTPS Inspection Notes
IPS Minimal: TLS anomalies only Full payload inspection Requires decrypted content
Anti-Bot / C2 Detection DNS, traffic patterns, domain reputation Adds payload inspection for beaconing Detects hidden C2 patterns in HTTP POST/GET
Anti-Bot / Reputation IP/domain reputation, TLS cert anomalies No additional benefit Reputation is metadata-driven
Application Control Partial: SNI, IP ranges Full identification via payload Differentiates app functions (e.g., chat vs. video)
Application Control - UserCheck Not supported Supported via HTTP redirect Requires decryption
URL Filtering Domain-based filtering Granular filtering by path, parameters Blocking example.com/badpage requires decryption
URL Filtering - UserCheck Not supported Supported via HTTP redirect Requires decryption
Anti-Virus Limited on URL based filtering Scans files inside HTTPS Requires decrypted payload
Threat Emulation Not available Extracts files for sandboxing Requires decryption
Threat Extraction Not available Sanitizes active content Requires decryption
Zero-Phishing Limited SNI-based enforcement (R82.10) Full page analysis and JS injection In-browser protection requires HTTPS Inspection

 

(1)
Who rated this post