SAT_S
Contributor

How to configure Check Point Security Gateway as HTTP/HTTPS Proxy

Can anybody please help me with this: how do I configure Check Point Security Gateway as an HTTP/HTTPS proxy?

Thanks In advance

Accepted Solutions
Luciano_Miguel
Contributor

That's it, now how can we solve this?


0 Kudos
60 Replies
Peter_Sandkuijl
Employee
Andrejs__Андрей
Contributor

Hello Peter,

from sk "...Transparent - All HTTP traffic on specified ports and interfaces is intercepted and sent to a proxy..."

What does "sent to a proxy" mean?
A proxy as a daemon or as an external box?
Thank you!
--
ak.


0 Kudos
Peter_Sandkuijl
Employee

This means a process runs on the Check Point gateway that acts as a proxy. No 3rd party proxy would be required.

SAT_S
Contributor

Thanks Peter, this was a great help.

0 Kudos
Andrejs__Андрей
Contributor

And excellent work, Sergei Shir and the SecureKnowledge Team!

They updated that sk110013!

"...and processed by the Proxy code in the Security Gateway..."

Thank You,

--

ak.

SAT_S
Contributor

Yes, but I am not able to view it, as I'm getting this pop-up:

0 Kudos
Peter_Sandkuijl
Employee

As a picture typically says more than a thousand words:

SAT_S
Contributor

Thanks Peter. Do I also need to configure any outbound or inbound policy for this?

0 Kudos
Peter_Sandkuijl
Employee

By checking the box, implied rules are put in place. You need to create rules as you usually would (internal lan > internet > http+https > accept). Take into account that the gateway creates the outbound (proxied) connection from the gateway and requires a DNS to resolve against.

SAT_S
Contributor

Hi Peter,

Bothering you again. When creating a rule, should I select the service as http (80), https (443) or http+https proxy (8080)?

SAT

0 Kudos
PhoneBoy
Admin

http/https only should be sufficient.

The http-proxy service would allow access to other proxies, which I assume you don't want :)

SAT_S
Contributor

What is the difference between a transparent and a non-transparent proxy, and how do they behave?

0 Kudos
PhoneBoy
Admin

In non-transparent mode, you must explicitly define the gateway as a proxy in the browser (directly or with a proxy.pac file stored on a different webserver). Transparent mode intercepts HTTP traffic on the specified ports and interfaces and sends it through the proxy without explicit configuration on the client side.
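The non-transparent mode described above relies on the client being told where the proxy is, either directly or through a proxy.pac file. The following proxy.pac is an added example and is not from the thread or from Check Point: the gateway address (192.0.2.1:8080) and the internal DNS suffix (.corp.example) are constructed placeholders. It sends only HTTP and HTTPS through the gateway and keeps internal names, plain hostnames and RFC 1918 addresses DIRECT, so internal traffic never leaves via the proxy. The small isPlainHostName/dnsDomainIs definitions are included so the file can also be run under Node for testing; browsers provide them natively.

```javascript
// proxy.pac (added example): explicit-proxy configuration pointing at a
// Check Point gateway running in non-transparent proxy mode.
// Placeholders: the gateway IP/port and the internal domain suffix are constructed.
var GATEWAY_PROXY = "PROXY 192.0.2.1:8080"; // placeholder gateway address (TEST-NET-1)
var INTERNAL_DOMAIN = ".corp.example";       // placeholder internal DNS suffix

// Browsers define these PAC helpers natively; these copies only exist so the
// file is self-contained when executed outside a browser.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substr(host.length - domain.length) === domain;
}

// True for literal RFC 1918 addresses (10/8, 172.16/12, 192.168/16).
function isPrivateAddress(host) {
  return /^10\./.test(host) ||
         /^172\.(1[6-9]|2[0-9]|3[01])\./.test(host) ||
         /^192\.168\./.test(host);
}

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  var scheme = url.split(":")[0].toLowerCase();

  // Internal destinations bypass the proxy entirely.
  if (host === "localhost" || isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) || isPrivateAddress(host)) {
    return "DIRECT";
  }

  // Only HTTP and HTTPS are handled by the gateway's proxy; other schemes go direct.
  if (scheme !== "http" && scheme !== "https") {
    return "DIRECT";
  }

  // No "; DIRECT" fallback: if the gateway does not answer, the failure is
  // visible to the user instead of silently bypassing the proxy policy.
  return GATEWAY_PROXY;
}
```

Serve this file from a web server reachable by the clients and point the browser's automatic proxy configuration URL at it; the gateway rule base still needs the http/https accept rule and working DNS on the gateway, as noted earlier in the thread.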

Tze_How_Tan
Employee

Hi Dameon,

In non-transparent mode, the security gateway will break the HTTP/HTTPS connection (meaning two connections: from the client to the security gateway, and from the security gateway to the HTTP/HTTPS web server).

1. My understanding is that, in order to intercept the web traffic, the security gateway should listen on tcp/8080. When I log in to the Gaia OS CLI at expert level, I do not see a listening port at tcp/8080 (netstat -an). Is there another command to view this?

2. Using the HTTP/HTTPS proxy, the gateway should spawn an httpd process to intercept web requests at tcp/8080. So may I know what the process name is and how to view this process from the Gaia OS CLI at expert level?

Thank You

TH

0 Kudos
PhoneBoy
Admin

netstat doesn't show it because it's not a process that is listening on that port.

The firewall kernel intercepts the traffic and "folds" it to fwd, which listens on a number of ports (not tcp/8080).

Tze_How_Tan
Employee

Thanks Dameon for the clarification.

0 Kudos
Olga_Kuts
Advisor

If we cannot test anything through netstat, how can we verify that the proxy works correctly? And how do we troubleshoot it correctly?
In our case, we see logs and there are no deny actions, but the user does not have access to the Internet. On the test environment, I see this line:

[Expert@GW]# netstat | grep 8080
unix 2 [ ] DGRAM 8080 /tmp/pmsock

But in another environment I don't see it, and the proxy doesn't work.

0 Kudos
PhoneBoy
Admin

The most obvious first step would be to telnet to the firewall on port 8080 and see if it answers.

If it doesn't answer, then it might be a configuration issue or it might be something else.

Worth engaging the TAC in any case.

0 Kudos
Oscar_Medina
Explorer

Hi Dameon,

I have a quick question; I'd like to configure the Gateway as a proxy as stated in this thread. However, in my case, I am using public IP addresses for internal resources. The reason is that in this environment (Azure), the customer has overlapping vNETs.

Is it possible to have the Gateway work with public IP addresses for internal resources while using proxy mode? I can't get it to work in this scenario, sadly.

0 Kudos
PhoneBoy
Admin

Whether the IP addresses are public or private shouldn't matter from our point of view.

Where you're going to have problems is if the IP addresses between public and private overlap in any way.

It's routing 101: how do I know which a.b.c.d address you're referring to?

This is generally solved with NAT rules that translate both the source and destination.

Oscar_Medina
Explorer

Thanks Dameon, yes, we are handling the NAT rules as well. I've got it to work. Time to make this work in a multi-Azure-VNET setup, as we have a limitation that we cannot peer those VNETs for internal BS, hence this approach with the public IPs.

Vladimir
Champion

I am a bit puzzled by the behavior of Transparent Proxy:

And yet, I could not verify that the proxy is working.

There are no log entries signifying its utilization and online proxy checkers do not indicate that the proxy is being used:

I have enabled the headers for the explicit purpose of identifying that the proxy is working, but I do not see any confirmation to that effect.

0 Kudos
PhoneBoy
Admin

Is App Control enabled in this situation?

0 Kudos
Vladimir
Champion

The blade is enabled, but the rule governing egress traffic from this host/network is a basic net--to--any--allow--log:

0 Kudos
PhoneBoy
Admin

You probably need to set the log to Detailed or Extended Log (versus log) which will activate App Control for that rule.

0 Kudos
Vladimir
Champion

I do not want to activate app control for that rule: the proxy function is unrelated to App Control/URLF, I simply want to verify that it is, in fact, working.

According to the external proxy tests, no proxy headers are being attached, which is not an expected behavior.

0 Kudos
PhoneBoy
Admin

The feature requires App Control/URLF to the best of my knowledge.

0 Kudos
Vladimir
Champion

Let's suppose it does, for the sake of argument. It is licensed and enabled on that gateway:

0 Kudos
PhoneBoy
Admin

Right, but it's not enabled for the rule that's being matched.

0 Kudos