CPUG: The Check Point User Group

Resources for the Check Point Community, by the Check Point Community.

First, I hope you're all well and staying safe.
Second, I want to give a "heads up" that you should see more activity here shortly, and maybe a few cosmetic changes.
I'll post more details to the "Announcements" forum soon, so be on the lookout. -E


Results 1 to 4 of 4

Thread: HTTPS inspection testing

  1. #1
    Join Date
    Rep Power

    Default HTTPS inspection testing

    I have some questions about HTTPS inspection and I'm hoping to find some guidance from this group. I've started piloting HTTPS inspection and have been running into quite a bit of problems. I've upgraded my test firewall to R77.30 and enabled the Probe Bypass per sk104717 at Checkpoint Support's recommendation. I am still finding a lot of applications that fail when using HTTPS inspection that I have to put in manual rules to bypass the filters.

    How many people are running HTTPS inspection on their firewalls? Are you doing it in production or just in a test environment?

    For those of you running HTTPS inspection, have you found that a lot of sites/applications don't work with it? For example, I had to bypass all of the Apple services we use (App Store, iTunes, iCloud) plus manually add rules to recategorize a number of Apple domains that don't show up under those categories. I'm concerned that if I'm having to whitelist this many applications and sites in my testing, that I'm going to have a lot of issues when I roll out inspection to the whole office or company.

    My policy bypasses Financial Services and Health categories to try and limit any PII information we get. We also bypass Web Conferencing because I found that they weren't working right with HTTPS inspection enabled. Do you have any other categories or common sites/applications that you have found don't work well with HTTPS inspection?

    Thanks for any help/suggestions/warnings!


  2. #2
    Join Date
    Netherlands, Europe
    Rep Power

    Default Re: HTTPS inspection testing

    We are working with a couple of our customers with Websense to do HTTPS decryption and one of those customers is now moving to Check Point.
    If you would know how many issues the customers have with Websense and HTTPS scanning, you would know what to expect, a huge number of sites that use client certificates don't work, financial sites exclude them.
    Furthermore you will exclude (which is a default at the bottom of the HTTPS policy page) all product upgrade links.
    Regards, Maarten.
    Triple MDS on R77.30, MDS on R80.10, VSX, GAIA.

  3. #3
    Join Date
    Rep Power

    Default Re: HTTPS inspection testing

    Since I posted the same exact thing awhile back I figured I would chime in. Transitioning from Cisco devices has been painful. Their product was mature and well developed. We ran full https inspection with very little issues. Categorization was usually dead on and if it was not their response time and explanations were very good.

    At this point the joke is what are we actually inspecting. We have many exceptions and bypasses in place. Many of them like choosing to bypass financial services for example had unintended consequences of causing other https bypasses to break. Support on this seems to be lacking in knowledge. Is it a third party system? I know their URL categorization is done by a 3rd party and it is comical how bad many of the categorizations are. (cyren.com)

    Overall I hope they make improvements. They are needed.

  4. #4
    Join Date
    Rep Power

    Default Re: HTTPS inspection testing

    We have a bunch of clients using https inspection, some have problems with a little number of applications with secure sync most of all (all the storage on cloud services) today I work a lot in a problem with Google Earth (GE) when Safe Search is enable this makes GE to not work when searching, the maps works ok, I think that this product needs more feed back by us to checkpoint.

Similar Threads

  1. HTTPS Inspection testing
    By aweldon in forum Application Control Blade
    Replies: 0
    Last Post: 2014-09-30, 11:29
  2. Https Inspection
    By wiz4rd in forum Application Control Blade
    Replies: 1
    Last Post: 2014-05-27, 16:08
  3. Https Inspection issue
    By nilsw007 in forum Advanced Networking & Clustering Blade
    Replies: 24
    Last Post: 2013-04-23, 01:29
  4. We're now testing HTTPS On This Discussion Board!
    By Barry J. Stiefel in forum About This Discussion Board
    Replies: 19
    Last Post: 2012-01-31, 09:58
  5. HTTPS Inspection Issues - 75.20
    By syntax53 in forum Content Security/Security Servers/CVP/UFP
    Replies: 4
    Last Post: 2011-11-16, 23:59


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts