Solved: Re: HTTPS Inspection Bypass when using Security Ga...

Nenad_D · ‎2023-03-09

Hello community,

I would like to know whether there is a way to configure HTTPS Inspection Bypass for a certain domain (e.g. google.com) when using Security Gateway (in our case a virtual system / VSX environment) as HTTPS Proxy (non-transparent)!?

When configuring a bypass rule in HTTPS Inspection Policy with Security Gateway / Virtual System as Destination then it works, but then all relevant traffic will bypass HTTPS Inspection (for traffic from client to Security Gateway / HTTPS Proxy) and that's not desired configuration.

R81.10 JHF Take 79 is installed on the Security Gateways and Management Server.

Thanks in advance for your help!

Best Regards

Nenad

PhoneBoy · ‎2023-03-10

HTTPS Inspection always sees the gateway as the destination when non-transparent proxy mode is used.
As such, the HTTPS Inspection policy will never match another destination.
This is expected behavior.
https://support.checkpoint.com/results/sk/sk108706

View solution in original post

the_rock · ‎2023-03-09

I remember testing this back in R77 versions, but not in R80+, so trying to remember how I made it work. I know I had to make some modifications on the gateway settings in smart console...can you send a screenshot of how https proxy tab is configured on gateway object?

Cheers,

Andy

Nenad_D · ‎2023-03-09

Hi Andy,

here a screenshot of the HTTP Proxy tab on the Security Gateway / Virtual System object:

Thanks in advance for your help!

Best Regards

Nenad

the_rock · ‎2023-03-09

No problem, thank you. I will have to check and see if I had to modify the actual ports at the bottom, so give me some time. Apologies, this was probably more than 7 years ago, so will need to see if I still have details on how I did this.

the_rock · ‎2023-03-09

Ok, just made it work by modifying below:

Nenad_D · ‎2023-03-10

Hi Andy,

thanks very much for sharing the information.

But I think I didn't get it how that will help to configure certain HTTPS Inspection Bypass rules when using the proxy.
Anything else I need to configure?
Could you please explain?

Thanks in advance!

Best Regards

Nenad

the_rock · ‎2023-03-10

From notes I have, that was the only change I had to make on CP side. Can you send a screenshot of bypass rule(s)?

Nenad_D · ‎2023-03-10

Hi Andy,

a common bypass rule looks like the following:

I will check whether it works with proxy settings you mentioned.

Thanks!

Best Regards
Nenad

the_rock · ‎2023-03-10

Sounds good, yea, bypass rule looks right to me. If it still does not work, I will dig further and see if there was anything else I had to change.

ANdy

PhoneBoy · ‎2023-03-10

HTTPS Inspection always sees the gateway as the destination when non-transparent proxy mode is used.
As such, the HTTPS Inspection policy will never match another destination.
This is expected behavior.
https://support.checkpoint.com/results/sk/sk108706

the_rock · ‎2023-03-10

Interesting...I tested this today in my R81.20 lab and when gateway is configured as non-transparent proxy, the https bypass rules worked just fine.

Are you a member of CheckMates?

HTTPS Inspection Bypass when using Security Gateway as HTTPS Proxy