HTTPS inspection testing

[jawillia]

I have some questions about HTTPS inspection and I'm hoping to find some guidance from this group. I've started piloting HTTPS inspection and have been running into quite a bit of problems. I've upgraded my test firewall to R77.30 and enabled the Probe Bypass per sk104717 at Checkpoint Support's recommendation. I am still finding a lot of applications that fail when using HTTPS inspection that I have to put in manual rules to bypass the filters.

How many people are running HTTPS inspection on their firewalls? Are you doing it in production or just in a test environment?

For those of you running HTTPS inspection, have you found that a lot of sites/applications don't work with it? For example, I had to bypass all of the Apple services we use (App Store, iTunes, iCloud) plus manually add rules to recategorize a number of Apple domains that don't show up under those categories. I'm concerned that if I'm having to whitelist this many applications and sites in my testing, that I'm going to have a lot of issues when I roll out inspection to the whole office or company.

My policy bypasses Financial Services and Health categories to try and limit any PII information we get. We also bypass Web Conferencing because I found that they weren't working right with HTTPS inspection enabled. Do you have any other categories or common sites/applications that you have found don't work well with HTTPS inspection?

Thanks for any help/suggestions/warnings!

Jake

[msjouw]

We are working with a couple of our customers with Websense to do HTTPS decryption and one of those customers is now moving to Check Point.
If you would know how many issues the customers have with Websense and HTTPS scanning, you would know what to expect, a huge number of sites that use client certificates don't work, financial sites exclude them.
Furthermore you will exclude (which is a default at the bottom of the HTTPS policy page) all product upgrade links.

[aweldon]

Since I posted the same exact thing awhile back I figured I would chime in. Transitioning from Cisco devices has been painful. Their product was mature and well developed. We ran full https inspection with very little issues. Categorization was usually dead on and if it was not their response time and explanations were very good.

At this point the joke is what are we actually inspecting. We have many exceptions and bypasses in place. Many of them like choosing to bypass financial services for example had unintended consequences of causing other https bypasses to break. Support on this seems to be lacking in knowledge. Is it a third party system? I know their URL categorization is done by a 3rd party and it is comical how bad many of the categorizations are. (cyren.com)

Overall I hope they make improvements. They are needed.

[ravasquez]

We have a bunch of clients using https inspection, some have problems with a little number of applications with secure sync most of all (all the storage on cloud services) today I work a lot in a problem with Google Earth (GE) when Safe Search is enable this makes GE to not work when searching, the maps works ok, I think that this product needs more feed back by us to checkpoint.