kulwinder_barhe
Explorer

HTTPS Inspection for Proxy environment

What are the minimum hardware requirements and support for HTTPS Inspection? I have a client with 2200 hardware and 77.20 firmware. Are there any specific pros and cons I need to know, as my client has 2 web servers in a proxy environment and a lot of issues when we enable this feature? Do I need to upgrade firmware?

Thank you

0 Kudos
5 Replies
FedericoMeiners
Advisor

Hello,

Both your appliance and OS version are quite old:

  • The 2200 appliance has support until 2022 but the hardware is probably outdated for today's requirements. If you are going to keep using this I strongly advise adding more RAM to it if possible.
  • R77.20 is totally outdated; it has been out of support since August 2017. Supported versions are R80.10, R80.20 and R80.30. All three of them have MANY improvements to SSL Inspection. If it's a standalone deployment then you will not be able to upgrade to these versions.

Another point to check is how many blades you have enabled and the throughput. Last but not least, if you have the management server inside your 2200 (standalone deployment), I highly doubt that you have the resources to enable SSL Inspection.

You can refer to my post, which has some tips on how to implement SSL Inspection: Outbound SSL Inspection: A war story

To summarize:

  1. Check current CPU and memory utilization with SmartView Monitor and the output from top and free -m. If average CPU is 45%, or you have spikes, and/or you are swapping memory, then it's a bad idea.
  2. Check active blades and current throughput and compare it with the 2200 datasheet
  3. Use R80.XX - You cannot do this if you have the management on the same appliance.

Hope it helps

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
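The resource check from step 1 of the summary above, as an added shell example that is not part of the original posts: it reads captured `top -b` summary lines and `free -m` output and applies the 45% average, spike and swap criteria. The function names, the sample captures (constructed) and the 90% spike cut-off are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread. The 45% average comes from the post;
# SPIKE_PCT is an assumed cut-off for what counts as a "spike".
AVG_LIMIT=45
SPIKE_PCT=90

# Constructed samples: three `top -b` summary lines and one `free -m` capture.
SAMPLE_TOP='Cpu(s): 38.0%us, 10.0%sy,  0.0%ni, 50.0%id,  1.0%wa,  0.0%hi,  1.0%si,  0.0%st
Cpu(s): 52.0%us, 12.0%sy,  0.0%ni, 34.0%id,  1.0%wa,  0.0%hi,  1.0%si,  0.0%st
Cpu(s): 70.0%us, 22.0%sy,  0.0%ni,  6.0%id,  1.0%wa,  0.0%hi,  1.0%si,  0.0%st'
SAMPLE_FREE='             total       used       free     shared    buffers     cached
Mem:          1877       1790         87          0         12        210
-/+ buffers/cache:       1568        309
Swap:         2047        312       1735'

# Print "avg max" CPU busy % (100 - idle) over all Cpu(s) lines on stdin.
cpu_busy_stats() {
  awk -F, '/Cpu\(s\)/ {
      for (i = 1; i <= NF; i++) if ($i ~ /id/) {
        v = $i; gsub(/[^0-9.]/, "", v)      # keep only the idle number
        busy = 100 - v; sum += busy; n++
        if (busy > max) max = busy
      }
    }
    END { if (n) printf "%d %d\n", sum / n + 0.5, max + 0.5; else print "0 0" }'
}

# Print swap used (MB) from `free -m` output on stdin: "Swap: total used free".
swap_used_mb() {
  awk '$1 == "Swap:" { print $3; found = 1 } END { if (!found) print 0 }'
}

# headroom_verdict TOP_TEXT FREE_TEXT -> "ok" or "not_ready:" plus each reason.
headroom_verdict() {
  stats=$(printf '%s\n' "$1" | cpu_busy_stats)
  avg=${stats% *}; max=${stats#* }
  swap=$(printf '%s\n' "$2" | swap_used_mb)
  reasons=""
  if [ "$avg" -ge "$AVG_LIMIT" ]; then reasons="$reasons avg_cpu=${avg}%"; fi
  if [ "$max" -ge "$SPIKE_PCT" ]; then reasons="$reasons cpu_spike=${max}%"; fi
  if [ "$swap" -gt 0 ]; then reasons="$reasons swap_used=${swap}MB"; fi
  if [ -n "$reasons" ]; then echo "not_ready:$reasons"; else echo "ok"; fi
}

headroom_verdict "$SAMPLE_TOP" "$SAMPLE_FREE"
```

On a live gateway the two arguments would be `"$(top -b -n 5 -d 1 | grep 'Cpu(s)')"` and `"$(free -m)"`, ideally captured during peak traffic.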
PhoneBoy
Admin

Not sure why this was flagged as spam, but it is not now.
0 Kudos
FedericoMeiners
Advisor

@kulwinder_barhe 

My previous post, with a lot more detail, was tagged as spam; until it is recovered, here is my advice:

  • HTTPS Inspection is really resource intensive.
  • Appliance 2200 is old, you will probably need to add more RAM for SSL Inspection (check with free -m / top / SmartView Monitor).
  • R77.20 has been out of support since 2017, you will need R80.10 / R80.20 / R80.30.
  • R80.XX comes with tons of improvements for SSL Inspection.
  • If you have a standalone deployment (Management + GW in the same box) then you cannot upgrade to R80.XX. You will need to separate them (distributed deployment).
  • Refer to my post Outbound SSL Inspection: A war story for advice on deploying HTTPS Inspection.

Hope it helps

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos
PhoneBoy
Admin

If you want to run HTTPS Inspection, you really need to be running on the latest release (R80.30).
If your 2200 has 4GB, you can do that, assuming Security Management is on a different appliance.
Even so, the 2200 has fairly limited CPU and HTTPS Inspection makes extensive use of it.
I would strongly consider replacing the 2200 with a newer, stronger appliance.
kulwinder_barhe
Explorer

Thank you !

0 Kudos