Installation and Configuration

In This Section:

Configuring Full DLP Permissions

Configuring a Subset of Permissions

DLP Software Blade Trial License

Configuring Integrated Deployments

Configuring Dedicated Deployments

Rerunning the Data Loss Prevention Wizard

Configuring DLP for a Web Proxy

Configuring DLP for an Internal Web Proxy

Configuring the Mail Relay

Configuring a Dedicated DLP gateway and Relay on DMZ

Recommended Deployment - DLP Gateway with Mail Relay

Configuring Incident Log Handling

Configuring R80 SmartConsole for the Exchange Security Agent

HTTPS Inspection

Check Point Data Loss Prevention is a Software Blade. It needs connectivity to a Security Management Server and an R80 SmartConsole. A Check Point gateway or a DLP-1 appliance is necessary for DLP.

In a dedicated DLP gateway deployment, Check Point recommends that you have a protecting Security Gateway in front of the DLP gateway.

The environment must include a DNS.

Important - Before installing DLP, we recommend that you review the requirements and supported platforms for DLP in the R80 Release Notes.

Configuring Full DLP Permissions

To configure full permissions:

  1. In R80 SmartConsole, select Manage & Settings > Permissions & Administrators.
  2. Double-click the administrator account, or click New to create a new administrator user account.

    The Administrator Properties window opens, and shows the General page.

  3. In Permission Profile, click the drop-down menu and then click New.

    The Permissions Profile Properties window opens.

  4. In Enter Object Name, enter the name for the DLP admin profile.
  5. Make sure Read/Write All is selected.
  6. From the navigation tree, click Monitoring and Logging.
  7. Select these options:
    • DLP logs including confidential fields
    • View/Release/Discard DLP messages
  8. Click OK.
  9. Close the administrator window and publish the changes.

Configuring a Subset of Permissions

To configure a subset of permissions for the DLP administrator:

  1. In R80 SmartConsole, select Manage & Settings > Permissions & Administrators.
  2. Double-click the administrator account, or click New to create a new administrator user account.

    The Administrator Properties window opens, and shows the General page.

  3. In Permission Profile, click the drop-down menu and then click New.

    The Permissions Profile Properties window opens.

  4. In Enter Object Name, enter the name for the DLP admin profile.
  5. Select Customized and click Edit.
  6. From the navigation tree, click Access Control.
  7. In the Additional Policies section, configure Read or Write permissions for Data Loss Prevention.
  8. From the navigation tree, click Monitoring and Logging.
  9. Select one or more of these options:
    • DLP Logs including confidential fields - Permissions to view all fields of DLP logs in SmartView Tracker. When this check box is cleared, an administrator sees the text **** Confidential **** and not the actual content of fields defined as confidential.
    • View/Release/Discard DLP messages - Permissions to view emails and related incidents from within SmartView Tracker and SmartReporter. With this permission, administrators can also release (send) or discard quarantined emails from within SmartView Tracker.

      Note - If you select all of these options with Write permissions, the administrator has full DLP permissions.

  10. Click OK.
  11. Close the administrator window and publish the changes.

DLP Software Blade Trial License

The DLP Software Blade has a 30 day trial license.

To activate the trial license:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. Select the DLP Software Blade.
  3. Click OK and install the policy.

Configuring Integrated Deployments

In an integrated deployment you can:

To enable DLP on an existing Security Gateway or cluster:

  1. Open R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway or Security Cluster object.

    The gateway window opens and shows the General Properties page.

  2. For a Security Cluster: in the ClusterXL page, select High Availability New mode or Load Sharing.

    You can use Load Sharing if the DLP rules use the Detect, Prevent, or Inform actions.

  3. In the Software Blades section, click the Data Loss Prevention Software Blade.

    Note - On a Security Cluster, this enables the DLP blade on every cluster member.

    The Data Loss Prevention Wizard opens.

  4. Complete the Data Loss Prevention Wizard.

Configuring Dedicated Deployments

These are the configuration options in a dedicated deployment environment:

To configure a dedicated DLP gateway on an existing Security Gateway or Security Cluster:

  1. Configure an existing Security Gateway or cluster as a DLP gateway or Security Cluster.
  2. Deselect the Firewall Software Blade, if it is selected.

    When you clear the Firewall Software Blade, a warning message shows.

    You are about to turn off the Firewall blade, with only the DLP blade left on.
    Therefore, this Security Gateway will not enforce the security policy.
    It is recommended to place this Security Gateway behind a firewall.
    Are you sure you want to continue?

  3. Click Yes.

To configure a dedicated DLP gateway or cluster on a locally managed DLP-1 appliance:

  1. Open R80 SmartConsole.

    For a locally managed gateway, the Data Loss Prevention Wizard opens.

    For a locally managed cluster, the DLP-1 Cluster Wizard opens.

  2. Complete the Data Loss Prevention Wizard or DLP-1 Cluster Wizard.

To configure a dedicated DLP gateway or cluster on a centrally managed DLP-1 appliance:

  1. Open R80 SmartConsole and log in to the Security Management Server that manages the DLP-1 appliance.
  2. Click Gateways & Servers and create a new gateway or cluster object.
    • For a DLP-1 Security Gateway, click New > Gateway
    • For a Security Cluster, click New > Cluster > Cluster.
  3. Complete the wizard.

Rerunning the Data Loss Prevention Wizard

If you run the DLP Wizard from a computer that is not part of the Active Directory domain, you can run it again from a computer in the Active Directory domain to create the LDAP account unit.

To run the Data Loss Prevention Wizard again:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. Clear the Data Loss Prevention Software Blade.
  3. Select the Data Loss Prevention Software Blade.

    The Data Loss Prevention Wizard starts.

Configuring DLP for a Web Proxy

Use these procedures if the proxy or proxies are between the DLP gateway and the Internet, or in a DMZ. If a proxy is in a DMZ, we recommend that you use the DLP gateway to scan the HTTP traffic between the user network and the proxy in the DMZ.

Configuring an R75 or higher DLP Gateway for Web Proxies

If you have one Web proxy server between the DLP gateway and the Internet, use either Procedure 1 or Procedure 2.

If you have more than one proxy between the DLP gateway and the Internet, use Procedure 2.

If you configure both Procedure 1 and Procedure 2, the DLP gateway drops HTTP and HTTPS traffic sent to any web proxy that is not specified in Procedure 1.

To configure DLP for Procedure 1:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.
  3. Make sure that HTTP is selected for this gateway or for the default protocols.
  4. From the navigation tree, click Network Management > Proxy.
  5. Configure the proxy server settings:
    • To use the proxy server that is configured in Global Properties, click Use default proxy settings.
    • To use a proxy server for this gateway:
      1. Click Use custom proxy settings for this network object.
      2. Click Use proxy server.
      3. Enter the IP address and Port of the Web proxy server.
  6. Click OK.
  7. Install the policy.

    DLP only scans traffic to the specified web proxy.

Procedure 2

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. From the navigation tree, click Data Loss Prevention > Protocols.
  3. Make sure that HTTP is selected for this gateway or for the default protocols.
  4. From the navigation tree, click Network Management > Proxy.
  5. Click Use custom proxy settings for this network object.
  6. Click Use proxy server.
  7. Enter the IP address and Port of the Web proxy server.
  8. Click OK.
  9. Install the policy.

Configuring a Pre-R75 DLP Gateway for a Web Proxy

For a pre-R75 DLP gateway, if you have one Web proxy between the DLP gateway and the Internet, use Procedure 1.

If you have more than one Web proxy, put the DLP gateway between the proxies and the Internet.

Configuring DLP for an Internal Web Proxy

If the DLP gateway is between the Web (HTTP) proxy server or servers and the Internet, use these procedures.

Configuring the DLP Gateway for an Internal Web Proxy

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    R80 SmartConsole opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Protocols.
  3. Click HTTP, either for the gateway or for the default protocols.
  4. Click OK.
  5. From the navigation tree, click My Organization.
  6. In the Networks section, if Select specific networks and hosts is selected, do these steps:
    1. Click Edit.
    2. In the Networks and Hosts window, make sure that the internal Web Proxy is listed. Or click Add, and select the objects for the internal Web Proxy.
    3. Click OK.
  7. Click Save and then close R80 SmartConsole.
  8. From R80 SmartConsole, install the policy.

Configuring the Mail Relay

You can use the Data Loss Prevention Wizard to configure the settings for the mail relay. Use these procedures to configure these settings without the Wizard.

To open the DLP tab in SmartDashboard:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    R80 SmartConsole opens and shows the DLP tab.

  2. From the navigation tree, click Additional Settings > Mail Server.

To configure the mail relay for anonymous SMTP connections:

  1. Click Send emails using this mail server.
  2. Select the mail server.

    If the mail server object does not exist, create it.

  3. Click OK.

To configure the mail server object for authenticated SMTP connections:

  1. Click Send emails using this mail server.
  2. Select a mail server from the list.
  3. If the mail server does not exist, create it.
  4. Click Mail Servers.
  5. Select the server from the list.
  6. Click Edit.

    The Mail Server window opens.

  7. Click Server Requires Authentication.
  8. Enter the authentication credentials: User Name and Password.

To complete configuring the Mail Relay:

  1. Click Save and then close SmartDashboard.
  2. From R80 SmartConsole, install the policy.
  3. On the mail server itself:

    Configure the mail relay to accept anonymous connections from the DLP gateway. For details, consult the vendor documentation. For example, on Microsoft Exchange Servers, configure the permissions of the default receive connector (or other relevant connector that handles SMTP traffic) for anonymous users.

Configuring a Dedicated DLP gateway and Relay on DMZ

To configure the DLP and mail relay in the DMZ:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    R80 SmartConsole opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Networks area, click Select specific networks and hosts and click Edit.

    The Networks and Hosts window opens.

  4. Click Add.
  5. If the Internal Mail Server is already defined as a Check Point network object, select it from the list.

    Otherwise, click New > Host.

  6. Enter the settings for the Internal Mail Server Host and then click OK.
  7. Click OK.
  8. Repeat steps to add other Internal Mail Servers.
  9. If users' email clients are configured to work directly with the mail relay that is located in the DMZ using SMTP, add their networks.
  10. Select user networks from the list (or click New to define these networks) and then click OK.
  11. Click Save and then close R80 SmartConsole.
  12. From R80 SmartConsole, install the policy.

Recommended Deployment - DLP Gateway with Mail Relay

| Item | Description |
|---|---|
| 1 | Internal mail server |
| 2 | Mail relay in the DMZ |

Make sure that the DLP gateway does NOT scan emails as they pass from the mail relay to the target mail server in the Internet.

To deploy the internal mail relay behind a DMZ interface of the DLP gateway:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the Security Gateway.

    The gateway window opens and shows the General Properties page.

  2. Make sure that mails from the internal mail server (e.g. Microsoft Exchange) (1) arrive at the gateway using an internal Gateway interface.
    1. From the navigation tree, click Network Management.
    2. Double-click the gateway interface that leads to the internal mail server.
    3. From the General page, click Modify.
    4. In the Leads To section, click Override > This Network (Internal) > Network defined by the interface IP and Net Mask.
    5. Click OK and close the interface window.
  3. Deploy the internal mail relay (2) behind a DMZ interface of the DLP gateway:

    In the Topology page of the DLP gateway object, define the gateway interface that leads to the Mail relay as Internal and also as Interface leads to DMZ.

  4. In the Networks section of the My Organization page:
    1. Select Anything behind the internal interfaces of my DLP gateways
    2. Do NOT select Anything behind interfaces which are marked as leading to the DMZ

To configure the internal mail relay that is not behind a DMZ interface of the DLP gateway:

Note - Use this procedure if the DLP gateway interface leading to the internal mail relay is internal, and you cannot deploy the internal mail relay behind a DMZ interface of the DLP gateway.

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click My Organization.
  3. In the Networks section, click Select specific networks and hosts.
  4. Click Edit.
  5. Select the networks that include the internal mail server, but do NOT include the relay server.
  6. Click OK.
  7. Click Save and then close SmartDashboard.
  8. From R80 SmartConsole, install the policy.

Configuring Incident Log Handling

To configure disk management for DLP incidents:

  1. In R80 SmartConsole, click Gateways & Servers and double-click the log server or Security Management Server that manages the DLP logs.

    The server window opens and shows the General Properties page.

  2. From the navigation tree, click Logs > Storage.
  3. In When disk space is below MBytes, start deleting old log files, enter the minimum amount of free disk space on the server.

    This setting applies to DLP incidents and logs, and to all other logs. The default setting is 5000 MBytes. When the free disk space becomes less than this limit, old DLP incidents and logs, and other logs are deleted to free up disk space.

  4. Click OK and publish the changes.
  5. Open GuiDBedit:
    1. On the R80 SmartConsole computer, run
      C:\Program Files\CheckPoint\R80 SmartConsole\R80\PROGRAM\GuiDBedit.exe
    2. Log in with your R80 SmartConsole credentials.
  6. In the left pane, select Table > Network Objects > network_objects.
  7. In the right pane, select the Log server or Security Management Server that manages DLP logs.
  8. In the bottom pane, in the Field Name column, find log_policy.
  9. Configure these fields:

| Field Name | Description | Default value |
|---|---|---|
| dlp_blob_delete_above_value_percentage | The maximum % of disk space that incidents are allowed to occupy. | 20% |
| dlp_blob_delete_on_above | Whether or not to delete incidents if the incidents take up more disk space than dlp_blob_delete_above_value_percentage. true: Delete incidents. However, logs that are associated with the incidents are not deleted. false: Do not delete incidents. Incidents are only deleted if free disk space becomes less than the Required Free Disk Space that is configured in R80 SmartConsole, in the Logs and Masters page of the Log server or Security Management Server that manages DLP logs. | false |
| dlp_blob_delete_on_run_script | Whether or not to run a script before deleting incidents. For example, to copy the logs to a different computer before they are deleted. true: Run the script that is defined in R80 SmartConsole, in the Log server or Security Management Server that manages DLP logs, in the Logs and Masters > Advanced page. false: Do not run a script. | false |
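DLP incidents are evidence, so it helps to know when these settings will start purging them. The following monitoring check is an added example, not Check Point code: it applies the thresholds from the table to a server's disk figures. The incident directory is passed in as a placeholder path, and the percentage is assumed to be measured against the total size of the partition that holds the incidents.

```python
import os
import shutil
import tempfile
from dataclasses import dataclass

MB = 1024 * 1024


@dataclass
class LogPolicy:
    # Field names and defaults as documented in the table above.
    min_free_mb: int = 5000  # "When disk space is below ... MBytes"
    dlp_blob_delete_above_value_percentage: int = 20
    dlp_blob_delete_on_above: bool = False
    dlp_blob_delete_on_run_script: bool = False


def dir_size(path):
    """Sum the sizes of all regular files under path, without following links."""
    total = 0
    for root, _dirs, files in os.walk(path):
        for name in files:
            try:
                total += os.lstat(os.path.join(root, name)).st_size
            except OSError:
                pass  # file was rotated or deleted while walking
    return total


def evaluate(total_bytes, free_bytes, incident_bytes, policy):
    """Decide whether incidents are subject to deletion, and why."""
    incident_pct = 100.0 * incident_bytes / total_bytes
    over_quota = incident_pct > policy.dlp_blob_delete_above_value_percentage
    reasons = []
    # Global rule: below the free-space floor, old logs AND incidents go.
    if free_bytes < policy.min_free_mb * MB:
        reasons.append("low_free_space")
    # Incident quota only deletes when dlp_blob_delete_on_above is true.
    if over_quota and policy.dlp_blob_delete_on_above:
        reasons.append("incident_quota")
    quota_bytes = total_bytes * policy.dlp_blob_delete_above_value_percentage // 100
    deleting = bool(reasons)
    return {
        "incident_pct": round(incident_pct, 1),
        "over_quota": over_quota,
        "deleting": deleting,
        "reasons": reasons,
        # True only if the pre-deletion script (e.g. an archive copy) will run.
        "script_runs_first": deleting and policy.dlp_blob_delete_on_run_script,
        # Negative headroom means the threshold is already crossed.
        "free_headroom_mb": (free_bytes - policy.min_free_mb * MB) // MB,
        "quota_headroom_mb": (quota_bytes - incident_bytes) // MB,
    }


def measure(incident_dir, policy):
    """Evaluate the policy against the live partition that holds incident_dir."""
    usage = shutil.disk_usage(incident_dir)
    return evaluate(usage.total, usage.free, dir_size(incident_dir), policy)


if __name__ == "__main__":
    # Constructed demo: a temporary directory stands in for the incident store.
    with tempfile.TemporaryDirectory() as demo_dir:
        with open(os.path.join(demo_dir, "incident-0001.eml"), "wb") as handle:
            handle.write(b"x" * 4096)
        policy = LogPolicy(dlp_blob_delete_on_above=True)
        for key, value in measure(demo_dir, policy).items():
            print(f"{key}: {value}")
```

A result with `deleting` true and `script_runs_first` false means incidents are being removed with no copy taken first.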

Configuring R80 SmartConsole for the Exchange Security Agent

To define the Exchange Security Agent:

  1. In R80 SmartConsole, select Security Policies > Shared Policies > DLP and click Open DLP Policy in SmartDashboard.

    SmartDashboard opens and shows the DLP tab.

  2. From the navigation tree, click Gateways.
  3. Click Actions > New Exchange Agent.

    The Check Point Exchange Agent wizard opens.

  4. Click Next. There are four pages in the wizard:
    • General
    • Trusted Communication
    • Inspection Scope
    • Configuration Summary
  5. After you complete the wizard, click Save and then close SmartDashboard.
  6. From R80 SmartConsole, install the policy.

HTTPS Inspection

You can enable HTTPS traffic inspection on Security Gateways to inspect traffic that is encrypted by the Secure Sockets Layer (SSL) protocol. SSL secures communication between internet browser clients and web servers. It supplies data privacy and integrity by encrypting the traffic, based on standard encryption ciphers.

However, SSL has a potential security gap. It can hide illegal user activity and malicious traffic from the content inspection of Security Gateways. One example of a threat is when an employee uses HTTPS (SSL based) to connect from the corporate network to internet web servers. Security Gateways without HTTPS Inspection are unaware of the content passed through the SSL encrypted tunnel. This makes the company vulnerable to security attacks and sensitive data leakage.

The SSL protocol is widely implemented in public resources that include: banking, web mail, user forums, and corporate web resources.

There are two types of HTTPS inspection:

The Security Gateway acts as an intermediary between the client computer and the secure web site. The Security Gateway behaves as the client with the server and as the server with the client using certificates.

To optimize performance, inbound HTTPS traffic is inspected only if the policy has rules for HTTPS. For example, if the IPS profile does not have HTTP/HTTPS-related protections activated, HTTPS Inspection is not started.

All data is kept private in HTTPS Inspection logs. This is controlled by administrator permissions. Only administrators with HTTPS Inspection permissions can see all the fields in a log. Without these permissions, some data is hidden.

Configuring Outbound HTTPS Inspection

To enable outbound HTTPS traffic inspection, you must do these steps:

Creating an Outbound CA Certificate

The outbound CA certificate is saved with a P12 file extension and uses a password to encrypt the private key of the file. The Security Gateways use this password to sign certificates for the sites accessed. You must keep the password, as it is also used by other Security Management Servers that import the CA certificate to decrypt the file.

After you create an outbound CA certificate, you must export it so it can be distributed to clients. If you do not deploy the generated outbound CA certificate on clients, users will receive SSL error messages in their browsers when connecting to HTTPS sites. You can configure a troubleshooting option that logs such connections.

After you create the outbound CA certificate, a certificate object named Outbound Certificate is created. Use this object in rules that inspect outbound HTTPS traffic in the HTTPS inspection Rule Base.

To create an outbound CA certificate:

  1. In R80 SmartConsole, go to Manage & Settings > Blades > HTTPS Inspection > Configure In SmartDashboard.
  2. In SmartDashboard, right-click the Security Gateway object and select Edit.

    The Gateway Properties window opens.

  3. In the navigation tree, select HTTPS Inspection.
  4. In the HTTPS Inspection page, click Create.
  5. Enter the necessary information:
    • Issued by (DN) - Enter the domain name of your organization.
    • Private key password - Enter the password that is used to encrypt the private key of the CA certificate.
    • Retype private key password - Retype the password.
    • Valid from - Select the date range for which the CA certificate is valid.
  6. Click OK.
  7. Export and deploy the CA certificate.

Exporting and Deploying the Generated CA

To prevent users from getting warnings about the generated CA certificates that HTTPS inspection uses, install the generated CA certificate used by HTTPS inspection as a trusted CA. You can distribute the CA with different distribution mechanisms such as Windows GPO. This adds the generated CA to the trusted root certificates repository on client computers.

When users run standard updates, the generated CA will be in the CA list and they will not receive browser certificate warnings.

To distribute a certificate with a GPO:

  1. From the HTTPS Inspection window of the Security Gateway, click Export certificate.
  2. Save the CA certificate file.
  3. Use the Group Policy Management Console to add the certificate to the Trusted Root Certification Authorities certificate store.
  4. Push the Policy to the client computers in the organization.

    Note - Make sure that the CA certificate is pushed to the client computer organizational unit.

  5. Test the distribution by browsing to an HTTPS site from one of the clients and verifying that the CA certificate shows the name you entered for the CA certificate that you created in the Issued by field.
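The test in step 5 can be scripted for several sites at once. This is an added example, not part of the Check Point documentation: it handshakes with the operating system trust store and compares the issuer of the presented certificate with the name entered in Issued by. The CA name `corp.example`, the host names and the sample certificates are constructed for illustration.

```python
import socket
import ssl
import sys


def issuer_values(cert):
    """Return every attribute value in the issuer name of an ssl.getpeercert() dict."""
    return [value for rdn in cert.get("issuer", ()) for _key, value in rdn]


def classify(cert, inspection_ca_name):
    """'inspected' if the certificate was issued by the gateway's outbound CA."""
    wanted = inspection_ca_name.strip().lower()
    by_gateway = any(v.strip().lower() == wanted for v in issuer_values(cert))
    return "inspected" if by_gateway else "bypassed"


def probe(host, inspection_ca_name, port=443, timeout=5.0):
    """Handshake using the OS trust store and report how the site was handled."""
    context = ssl.create_default_context()  # verifies chain and host name
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with context.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), inspection_ca_name)
    except ssl.SSLCertVerificationError as exc:
        # Must be caught before OSError, which is its base class.
        return "untrusted: " + exc.verify_message
    except OSError as exc:
        return "unreachable: " + str(exc)


def rollout_verdict(statuses):
    """Summarise {host: status} for one client computer."""
    values = list(statuses.values())
    if any(s.startswith("untrusted") for s in values):
        # Either the generated CA is missing from the trust store, or the
        # gateway passed on an untrusted server certificate.
        return "check_trust_store"
    if not any(s == "inspected" for s in values):
        return "nothing_inspected"
    return "ok"


# Constructed samples in the structure that ssl.getpeercert() returns.
SAMPLE_INSPECTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", "corp.example"),),),
}
SAMPLE_BYPASSED = {
    "subject": ((("commonName", "updates.example.net"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public CA G2"),),
    ),
}

if __name__ == "__main__":
    if len(sys.argv) > 2:
        # Usage: script.py <Issued-by name> <host> [<host> ...]
        ca_name, hosts = sys.argv[1], sys.argv[2:]
        results = {host: probe(host, ca_name) for host in hosts}
    else:
        # Offline run on the constructed samples.
        results = {
            "www.example.com": classify(SAMPLE_INSPECTED, "corp.example"),
            "updates.example.net": classify(SAMPLE_BYPASSED, "corp.example"),
        }
    for host, status in results.items():
        print(f"{host}: {status}")
    print("verdict:", rollout_verdict(results))
```

A `bypassed` result is expected for sites covered by a bypass rule, because those connections keep the original server certificate.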

The HTTPS Inspection Policy

The HTTPS inspection policy determines which traffic is inspected. The primary component of the policy is the Rule Base. The rules use the categories defined in the Application Database, network objects and custom objects (if defined).

The HTTPS inspection Rule Base lets you inspect the traffic on other network blades. The blades that HTTPS inspection can operate on are based on the blade contracts and licenses in your organization and can include:

If you enable Identity Awareness on your Security Gateways, you can also use Access Role objects as the source in a rule. This lets you easily make rules for individuals or different groups of users.

To access the HTTPS Inspection Rule Base:

  1. In R80 SmartConsole, click Manage & Settings > Blades > HTTPS Inspection > Configure in SmartDashboard.
  2. In SmartDashboard, click Policy.

Bypassing HTTPS Inspection for Software Update Services

Check Point dynamically updates a list of approved domain names of services from which content is always allowed. This option makes sure that Check Point updates or other 3rd party software updates are not blocked. For example, updates from Microsoft, Java, and Adobe.

To bypass HTTPS inspection for software updates:

  1. In R80 SmartConsole, go to Manage & Settings > Blades > HTTPS Inspection > Configure In SmartDashboard.
  2. In SmartDashboard, click the HTTPS Inspection tab.
  3. Click Policy.
  4. In the Policy pane, select Bypass HTTPS Inspection of traffic to well known software update services (list is dynamically updated). This option is selected by default.
  5. Click list to see the list of approved domain names.

HTTPS Validation

Server Validation

When a Security Gateway receives an untrusted certificate from a web site server, the settings in this section define when to drop the connection.

Untrusted server certificate

When selected, traffic from a site with an untrusted server certificate is immediately dropped. The user gets an error page that states that the browser cannot display the webpage.

When cleared, a self-signed certificate shows on the client machine when there is traffic from an untrusted server. The user is notified that there is a problem with the website's security certificate, but can continue to the website (default).

Revoked server certificate (validate CRL)

When selected, the Security Gateway validates that each server site certificate is not in the Certificate Revocation List (CRL) (default).

If the CRL cannot be reached, the certificate is considered trusted (this is the default configuration). An HTTPS Inspection log is issued that indicates that the CRL could not be reached. This setting can be changed with GuiDBedit. Select Other > SSL Inspection > general_confs_obj and change the attribute drop_if_crl_cannot_be_reached from false to true.

To validate the CRL, the Security Gateway must have access to the internet. For example, if a proxy server is used in the organizational environment, you must configure the proxy for the Security Gateway.

To configure the proxy:

  1. In R80 SmartConsole, from the Gateways & Servers view, double-click the Security Gateway that requires proxy configuration.
  2. Select Network Management > Proxy.
  3. Select Use custom proxy settings for this network object and Use proxy server and enter the proxy IP address.
  4. Optionally, you can use the default proxy settings.
  5. Click OK.

When cleared, the Security Gateway does not check for revocations of server site certificates.

Important - Make sure that there is a rule in the Rule Base that allows outgoing HTTP from the Security Gateway.

Expired server certificate

Track validation errors

Choose if the server validation traffic is logged in the Logs tab of the R80 SmartConsole Logs & Monitor view or if it triggers other notifications. For the options, see Track.

Automatically retrieve intermediate CA certificates

HTTP/HTTPS Proxy

In R80 SmartConsole, in the Gateways & Servers view, or in SmartDashboard, in the HTTPS Inspection tab > Gateways pane, you can edit a Gateway object. In the HTTP/HTTPS Proxy page, you can configure a gateway to be an HTTP/HTTPS proxy. When it is a proxy, the gateway becomes an intermediary between two hosts that communicate with each other. It does not allow a direct connection between the two hosts.

Each successful connection creates two different connections:

Proxy Modes

Two proxy modes are supported:

Access Control

You can configure one of these options for forwarding HTTP requests:

Ports

By default, traffic is forwarded only on port 8080. You can add or edit ports as required.

Advanced

By default, the HTTP header contains the Via proxy related header. You can remove this header with the Advanced option.

You can also use the Advanced option to configure the X-Forward-For header that contains the IP address of the client machine. It is not added by default because it reveals the internal client IP.

Logging

The Security Gateway opens two connections, but only the Firewall blade can log both connections. Other blades show only the connection between the client and the gateway. The Destination field of the log only shows the gateway and not the actual destination server. The Resource field shows the actual destination.

To configure a Security Gateway to be an HTTP/HTTPS proxy:

  1. From the General Properties window of a Security Gateway object, select HTTP/HTTPS Proxy from the tree.
  2. Select Use this gateway as a HTTP/HTTPS Proxy.
  3. Select the Transparent or Non Transparent proxy mode.

    Note - If you select Non Transparent mode, make sure to configure the clients to work with the proxy.

  4. Select to forward HTTP requests from one of these options:
    • All Internal Interfaces
    • Specific Interfaces - Click the plus sign to add specified interfaces or the minus sign to remove an interface.
  5. To enter more ports on which to forward traffic, select Add.
  6. To include the actual source IP address in the HTTP header, select Advanced > X-Forward-For header (original client source IP address).

    The X-Forward-For header must be configured if traffic will be forwarded to Identity Awareness Security Gateways that require this information for user identification.

  7. Click OK.

HTTPS Inspection Logs

Logs from HTTPS Inspection are shown in the Logs & Monitor > Logs tab. Under Favorites, there is a predefined query for HTTPS Inspection logs. It shows all HTTPS traffic that matched the HTTPS Inspection policy and was configured to be logged.

The log includes an HTTP Inspection Action field. The field value can be inspect or bypass. If the traffic did not go through HTTPS inspection, the field does not show in the log.

Permissions for HTTPS Logs

An administrator must have HTTPS inspection permissions to see classified data in HTTPS inspected traffic.

To set permissions for an administrator in a new profile:

  1. In R80 SmartConsole, select Manage & Settings > Permissions and Administrators > Administrator.
  2. Double-click an administrator to edit it.
  3. In the General page in the Permissions Profile field, select the permission profile and click New.
  4. In the New Profile window:
    • Enter a Name for the profile.
    • Select Customized.
  5. In the Monitoring and Logging page, select HTTPS Inspection logs for permission to see the classified information in the HTTPS Inspection logs.
  6. Click OK on all of the open windows.

To edit an existing permissions profile:

  1. In R80 SmartConsole, select Manage & Settings > Permissions and Administrators > Permission Profiles.
  2. Double-click a profile to edit it.
  3. In the Monitoring and Logging page, select HTTPS Inspection logs for permission to see the classified information in the HTTPS Inspection logs.
  4. Click OK on all of the open windows.