SSL Inspection Policy

SSL Inspection

The Access Policy view > SSL Inspection section > Policy page lets you enable and configure SSL inspection. When you turn on this setting, you allow different Software Blades that support SSL inspection to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. To allow the gateway to inspect the secured connections, all hosts behind the gateway must install the gateway CA certificate.

Software Blades that support SSL traffic inspection:

Important - You cannot use Smart Accel and SSL Inspection at the same time.

Deploying SSL Inspection

To deploy SSL inspection:

  1. Select SSL Traffic Inspection.

  2. Click Download CA Certificate to download the gateway's internal CA certificate.

    Note - The certificate is available for all users on the gateway. You do not need administrator credentials. If you do not have administrator credentials, connect from an internal or wireless network to http://my.firewall/ica or https://<IP_Address_of_Appliance>/ica.

    You must install this certificate on every client behind the gateway.

To install the certificate:

  1. Manually copy the certificate file to your PC.

  2. On the Windows PC, click the file and follow the wizard instructions to add the certificate to the Trusted Root Certification Authorities repository.

    Note - This is not the default repository in the Certificate Import Wizard.

    Certificate installation varies according to the OS. To learn how to install the certificate in your machine, see your OS vendor instructions.
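A practical way to confirm that the CA was installed correctly and that the gateway is actually inspecting a connection is to look at who issued the certificate the client sees for an HTTPS site. The script below is an added example, not part of this guide or the appliance: with SSL inspection active, the issuer of the presented certificate equals the subject of the downloaded CA certificate, and when the downloaded CA file is passed in, the TLS handshake itself fails unless the chain ends at that CA. The CA subject name and the sample certificates are constructed placeholders; the real subject can be read from the downloaded file with `openssl x509 -in <ca_file> -noout -subject`.

```python
"""Client-side check: is the gateway's internal CA the issuer of the
certificate seen for an HTTPS site?  (Added example, not the appliance's code.)
"""
import socket
import ssl
from typing import Dict, Optional


def name_to_dict(rdns) -> Dict[str, str]:
    """Flatten the tuple-of-tuples name format returned by ssl.getpeercert()."""
    return {attr: value for rdn in rdns for attr, value in rdn}


def issued_by(peercert: dict, ca_subject: Dict[str, str]) -> bool:
    """True if every attribute of ca_subject appears unchanged in the issuer.

    This is a name comparison only; the handshake in fetch_peercert() is what
    validates the signature chain against the CA."""
    issuer = name_to_dict(peercert.get("issuer", ()))
    return all(issuer.get(k) == v for k, v in ca_subject.items())


def inspection_status(peercert: dict, ca_subject: Dict[str, str]) -> str:
    if issued_by(peercert, ca_subject):
        return "inspected by gateway"
    return "not inspected (direct or bypassed)"


def fetch_peercert(host: str, ca_pem: Optional[str] = None,
                   port: int = 443, timeout: float = 5.0) -> dict:
    """Open a TLS connection and return the server certificate as a dict.

    When ca_pem (contents of the downloaded CA file) is given, only that CA is
    trusted, so the handshake raises SSLCertVerificationError if the chain does
    not end at the gateway CA, i.e. the CA file is wrong or the connection is
    bypassed and a public CA issued the certificate."""
    ctx = ssl.create_default_context(cadata=ca_pem)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed samples in the ssl.getpeercert() layout (placeholder CA name).
GATEWAY_CA_SUBJECT = {"commonName": "gateway-internal-ca.placeholder"}
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "XX"),),
               (("commonName", "gateway-internal-ca.placeholder"),)),
}
SAMPLE_DIRECT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "Some Public CA (constructed)"),),),
}

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    ca_pem = open(sys.argv[2]).read() if len(sys.argv) > 2 else None
    cert = fetch_peercert(host, ca_pem)
    print(host, inspection_status(cert, GATEWAY_CA_SUBJECT))
```

Run it from a client behind the gateway as `python check_ca.py www.example.com ca.crt`, replacing the placeholder subject with the real CA subject. A handshake error with the CA file supplied means either the wrong CA file was used or that destination is being bypassed, which is the expected result for a category listed on the bypass page.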

SSL inspection uses the existing internal CA by default. To use your own certificate, you must replace the internal CA.

To replace the internal CA:

  1. Go to Certificates > Internal Certificate.

  2. Click Replace Internal CA.

    The Upload a P12 Certificate window opens.

  3. Click Browse to select the certificate file.

  4. Enter the Certificate name and Password.

  5. Normally, the device suggests its own host name (when DDNS is configured) or its external IP address. If you have multiple Internet connections configured in load sharing mode, you can manually enter an IP address at which this appliance is reachable. Remote sites use this address to access the internal CA and check for certificate revocation.

  6. Click Apply.

SSL Inspection Bypass Policy

You can select categories that are bypassed for all possible traffic regardless of its source and destination. To configure more advanced exceptions, go to the SSL Inspection Exceptions page.

To configure the SSL inspection bypass policy:

  • In the section Protocols to inspect - Select to inspect HTTPS, IMAPS, or POP3S protocols.

  • In the section Assets to Inspect - Select to inspect devices by type: Desktop, Laptop, Computer (R81.10.05 and higher), Other assets, and All assets. Devices are inspected only if they were not bypassed by other settings.

  • In the section Wireless networks to bypass - Select or clear which wireless networks to bypass. Untrusted networks are selected by default.

    Note - Wireless networks must be assigned to Separate Network, not switch or bridge.

  • In the section Bypass SSL inspection for the following categories > Categories - Categories include Health, Government/Military, Financial services, and Well known update services. Select or clear the privacy-related categories that are not inspected. All categories except for Media Streams are selected by default.

  • In the section Bypass SSL inspection for the following categories > Assets to bypass - Select the MacOS checkbox to bypass macOS devices. This accelerates the connection.

    • Bypass by MAC - Click to select devices from the Active Devices table by their MAC addresses.

    • Bypass by IP - Click to configure exceptions to bypass SSL inspection policy for specific IP addresses on the SSL Inspection Exceptions table.

  • In the section Tracking - Select to enable logs to see the SSL inspection policy decision ("Inspect" or "Bypass").

    Note - The SSL Inspection generates these logs in addition to the Software Blades logs.

To add other categories:

Note - The Bypass checkbox is selected by default.

  1. Click other categories and sites.

    The SSL Inspection Bypass Other window opens.

  2. Select the desired items.

  3. Optional - Click New to add URLs or custom applications.

  4. Click Apply.
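The settings above combine into a single per-connection decision, "Inspect" or "Bypass", which is what the Tracking logs record. The model below is an added example, not Check Point code: it encodes the page's settings (protocols, assets, wireless networks, categories, the MacOS checkbox, MAC and IP exceptions, tracking) as a policy object and evaluates a connection against it. The guide says only that a device is inspected when no other setting bypasses it; the order in which the checks are evaluated and the log line format are assumptions made for illustration, and the addresses and hostnames are constructed.

```python
"""Model of how the SSL Inspection bypass policy settings combine into an
"Inspect" or "Bypass" decision.  Added example, not the appliance's code;
check order and log format are assumptions."""
from dataclasses import dataclass, field
from typing import Optional, Set, Tuple


@dataclass
class BypassPolicy:
    # "Protocols to inspect"
    protocols_to_inspect: Set[str] = field(
        default_factory=lambda: {"HTTPS", "IMAPS", "POP3S"})
    # "Assets to Inspect"
    assets_to_inspect: Set[str] = field(
        default_factory=lambda: {"Desktop", "Laptop", "Computer", "Other assets"})
    # "Wireless networks to bypass" (untrusted networks selected by default)
    wireless_to_bypass: Set[str] = field(default_factory=lambda: {"Untrusted"})
    # "Bypass SSL inspection for the following categories" > Categories
    categories_to_bypass: Set[str] = field(default_factory=lambda: {
        "Health", "Government/Military", "Financial services",
        "Well known update services"})
    bypass_macos: bool = True                            # "Assets to bypass" > MacOS
    bypass_macs: Set[str] = field(default_factory=set)   # "Bypass by MAC"
    bypass_ips: Set[str] = field(default_factory=set)    # "Bypass by IP"
    tracking: bool = True                                # "Tracking"


@dataclass
class Connection:
    src_ip: str
    src_mac: str
    asset_type: str      # Desktop, Laptop, Computer, Other assets
    os: str              # e.g. "Windows", "macOS"
    protocol: str        # HTTPS, IMAPS, POP3S
    category: str        # URL category of the destination
    dst: str
    wireless_network: Optional[str] = None   # None for wired clients


def decide(policy: BypassPolicy, conn: Connection) -> Tuple[str, str]:
    """Return (decision, reason). Any matching bypass setting wins; the
    order below (assumed) checks explicit exceptions before general ones."""
    macs = {m.lower() for m in policy.bypass_macs}
    checks = [
        (conn.protocol not in policy.protocols_to_inspect,
         "protocol %s not selected for inspection" % conn.protocol),
        (conn.src_ip in policy.bypass_ips, "IP exception"),
        (conn.src_mac.lower() in macs, "MAC exception"),
        (policy.bypass_macos and conn.os == "macOS", "macOS asset bypassed"),
        (conn.wireless_network is not None
         and conn.wireless_network in policy.wireless_to_bypass,
         "wireless network %s bypassed" % conn.wireless_network),
        (conn.category in policy.categories_to_bypass,
         "category %s bypassed" % conn.category),
        (conn.asset_type not in policy.assets_to_inspect,
         "asset type %s not selected" % conn.asset_type),
    ]
    for hit, reason in checks:
        if hit:
            return "Bypass", reason
    return "Inspect", "no bypass setting matched"


def tracking_log(policy: BypassPolicy, conn: Connection) -> Optional[str]:
    """Log line produced when Tracking is enabled (format is assumed)."""
    if not policy.tracking:
        return None
    decision, reason = decide(policy, conn)
    return 'ssl_inspection src=%s dst=%s proto=%s category=%s action=%s reason="%s"' % (
        conn.src_ip, conn.dst, conn.protocol, conn.category, decision, reason)


if __name__ == "__main__":
    policy = BypassPolicy(bypass_ips={"10.0.0.50"})   # constructed sample
    bank = Connection("10.0.0.7", "aa:bb:cc:dd:ee:01", "Desktop", "Windows",
                      "HTTPS", "Financial services", "bank.example")
    print(tracking_log(policy, bank))
```

Because every bypass setting is evaluated before the default "Inspect", loosening any one of them (clearing a protocol, adding a MAC or IP exception, leaving a category checked) widens the set of connections the Software Blades never see, so the tracking logs are the place to verify that the bypass set is no larger than intended.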

HTTPS Categorization

As an alternative to SSL inspection, you can enable HTTPS categorization.

HTTPS categorization allows filtering specified HTTPS URLs and applications without activating SSL traffic inspection.

For more information, see the HTTPS Inspection video on the Small Business Security video channel.

To enable HTTPS categorization:

  1. Select HTTPS Categorization.

    Note - When you enable HTTPS categorization, the SSL options are not available.

  2. Click Configure.

    The Access Policy > Firewall Blade Control page opens.

  3. Configure the settings for URL Filtering.

    Note - HTTPS categorization only applies when the URL Filtering blade is turned on.

To disable SSL inspection and HTTPS categorization:

Select Off.

Upgrades in the SSL Bypass mechanism include:

  • Stop the inspection of the first connection to bypassed sites.

  • Allow bypass of Non-Browser Applications connections.

  • Allow bypass of connections to servers that require a client certificate.

  • New probing mechanism eliminates the need to inspect the first connection to an IP address unless it is required by the policy.

IMAPS

Internet Message Access Protocol (IMAP) is an Internet standard protocol used by email clients to retrieve email messages from a mail server over a TCP/IP connection. IMAPS refers to IMAP over SSL.

SSL traffic inspection must be activated to scan encrypted HTTP (HTTPS) and IMAP (IMAPS) traffic.

Bypass Under Load

Bypass Under Load, available starting in R82.00.00, maintains connectivity when the Gateway experiences heavy CPU load. The Gateway responds quickly to CPU spikes to prevent connection interruptions by temporarily bypassing SSL Inspection until the load stabilizes. During this period, the Gateway does not intercept HTTPS traffic. When the Gateway stabilizes, it attempts to resume SSL Inspection to minimize the bypass duration. If high load persists after inspection resumes, the Gateway gradually increases the bypass duration to maintain system stability.

To configure Bypass Under Load:

  1. Navigate to Access Policies > SSL Inspection > Policy.

  2. Select the box for Bypass under load. When this box is checked, the system automatically bypasses SSL Inspection when it is under high CPU load.

    Note - You configure Bypass Under Load for each Gateway separately.
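The description above amounts to an adaptive backoff: bypass on a CPU spike, try to resume when the window ends, and lengthen the next window if the load is still high at that point. The simulation below is an added example and not Check Point's implementation; the guide gives no threshold, window length or growth factor, so the 80% threshold, 10-second initial window, doubling and 300-second cap are assumptions chosen for illustration, and the CPU samples are constructed.

```python
"""Illustrative model of Bypass Under Load as described in the guide.
Added example, not the appliance's code; all numeric parameters are assumed."""
from typing import List, Tuple


class BypassUnderLoad:
    def __init__(self, cpu_threshold: float = 80.0, initial_bypass_secs: float = 10.0,
                 max_bypass_secs: float = 300.0, growth: float = 2.0):
        self.cpu_threshold = cpu_threshold
        self.initial = initial_bypass_secs
        self.max = max_bypass_secs
        self.growth = growth
        self.bypass_secs = initial_bypass_secs   # length of the current/next window
        self.bypass_until = None                 # end time of the active window
        self.just_resumed = False                # True on the first sample after a window

    def intercept(self, now: float, cpu_pct: float) -> bool:
        """Return True if HTTPS should be intercepted (inspected) at time `now`."""
        if self.bypass_until is not None:
            if now < self.bypass_until:
                return False                     # inside a bypass window
            self.bypass_until = None             # window over: attempt to resume
            self.just_resumed = True
        if cpu_pct >= self.cpu_threshold:
            if self.just_resumed:
                # load persisted after resuming: gradually lengthen the window
                self.bypass_secs = min(self.bypass_secs * self.growth, self.max)
            self.bypass_until = now + self.bypass_secs
            self.just_resumed = False
            return False
        # load is stable: inspect, and reset the backoff
        self.just_resumed = False
        self.bypass_secs = self.initial
        return True


def simulate(samples: List[Tuple[float, float]], **params) -> List[bool]:
    """Feed (time, cpu_pct) samples through the model; return intercept decisions."""
    engine = BypassUnderLoad(**params)
    return [engine.intercept(t, cpu) for t, cpu in samples]


# Constructed CPU trace: a spike that persists past the first window, then calms.
SAMPLE_TRACE = [(0, 95), (5, 95), (10, 95), (29, 50), (30, 50), (31, 50)]

if __name__ == "__main__":
    for (t, cpu), inspected in zip(SAMPLE_TRACE, simulate(SAMPLE_TRACE)):
        print("t=%3ds cpu=%3d%% -> %s" % (t, cpu, "inspect" if inspected else "bypass"))
```

The point of the model for a defender is the trade-off it makes visible: while a window is open, none of the HTTPS traffic is seen by the Software Blades, and sustained load stretches that blind spot, so bypass-under-load events deserve the same attention in the logs as policy bypasses.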

Fail Mode Mechanisms

Fail Mode Mechanisms let you configure client-side and server-side fail modes, which define the Gateway behavior when connection errors occur.

To configure Fail Mode Mechanisms:

  1. Navigate to Access Policies > SSL Inspection > Policy.

  2. Configure the following options:

    • Server side – select an action to take on server-side errors (internal errors or overload):

      • Allow all requests

      • Block all requests

    • Client side – select an action to take on client-side errors (internal errors or overload):

      • Allow all requests

      • Block all requests