We have proxy server which is processing all https and http traffic. is there any best practise to enable https inspection on edge checkpoint gateway
You would treat the proxy server just as a client, which means configuring it to trust the CA certificate Check Point uses for HTTPS Inspection.
There is a potential pitfall there. From the perspective of the firewall it's 1 client doing a lot of HTTP and HTTPS sessions. That might get you into trouble where you overload 1 worker and get poor responses.
I strongly suggest you enable Dynamic dispatching as detaild in sk105261 : CoreXL Dynamic Dispatcher in R77.30 / R80.10 and above as it will ruin your day if you start doing HTTPS inspection without it and your gateway gets hit by all that proxy traffic.
Also if you do HTTPS inspection on the proxy .... You might not want to do it again on the gateway. It will ruin your response times as you may notice as people find that webpages load slower.
As with anything in live: Just give it some though before you start implementing it. There is definitely more to it then meets the eye.
Main reason for activating https inspection on firewall is Sand Blast Appliance. Without https inspection threat emulation is in vain, right?
You're going to miss a bunch of potential threats without HTTPS Inspection, yes.
Consider having your proxy in a DMZ so the CP sees the proxied ("CONNECT" ) request rather than an encrypted tunnel only as it will have an impact on whether the CP will be able to learn the actual hostname or just the certificate information. This is particularly important for correctly logging or bypassing sites that are hosted on a site like cloudflare where the logging and bypassing information would otherwise only show cloudflare rather than the actual website. See my research here HTTPS inspection in R77.30 and R80.10 with various combinations of proxy and probe bypass
Retrieving data ...