You can use a Web Proxy server or servers for HTTP and HTTPS traffic. If you want the DLP gateway to scan this traffic, you must configure the DLP gateway.
Note - You can enable HTTPS Inspection on the gateway to scan HTTPS connections.
Use these procedures if the proxy or proxies are between the DLP gateway and the Internet, or in a DMZ.
Best Practice - If a proxy is in a DMZ, use the DLP gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.
Configuring an R75 or higher DLP Gateway for Web Proxies
If you have one Web proxy server between the DLP gateway and the Internet, use either Procedure 1 or Procedure 2.
If you have more than one proxy between the DLP gateway and the Internet, use Procedure 2.
If you configure both Procedure 1 and Procedure 2, the DLP gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.
Procedure 1
The gateway window opens and shows the General Properties page.
DLP only scans traffic to the specified web proxy.
Procedure 2
The gateway window opens and shows the General Properties page.
Configuring a Pre-R75 DLP Gateway for a Web Proxy
For a pre-R75 DLP gateway, if you have one Web proxy between the DLP gateway and the Internet, use Procedure 1.
If you have more than one Web proxy, put the DLP gateway between the proxies and the Internet.
If the DLP gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.
Configuring the DLP Gateway for an Internal Web Proxy
SmartConsole opens and shows the DLP tab.
For a Security Management server that is upgraded from R70 and lower, traffic that passes through a DLP gateway to a web proxy server contains the gateway's IP as the source address instead of the original client IP address. For new installations and for installations that were upgraded from R71, the original client IP address is used.
If traffic that carries the gateway's IP as the source address reaches another Security Gateway that either logs traffic or enforces access based on identity, the source IP address does not represent the user's IP address.
To use the client's IP address as the source address for traffic leaving the DLP gateway:
C:\Program Files\CheckPoint\SmartConsole\R80.30\PROGRAM\GuiDBedit.exe
Set the http_unfold_proxy_conns attribute to true.