The website presents a certificate whose status is validated with the Online Certificate Status Protocol (OCSP). The third-party proxy does not forward the OCSP requests to the Internet and instead answers them with HTTP "Bad Request".
If the certificate is not trusted, the gateway does not use the certificate's subject to match against URLs in the URL Filtering/Application Control rulebase.
Without the third-party proxy, the HTTP response is "200 OK", and the OCSP response is "Successful". The blocked websites are then accessible.
Follow these instructions:
1. Bypass the third-party proxy and make sure all OCSP requests are successful.
Note - Check Point Firewalls are security products; do not block traffic generated by the firewall itself. Upstream proxies or any other third-party equipment can block and break firewall functionality. Since every certificate vendor runs its own OCSP responder, all traffic to the Internet from VS0 (or from the firewall itself, if not VSX) must be allowed.
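To confirm step 1, the script below (an added example, not part of this article or a Check Point tool) extracts the OCSP responder URL from a server certificate, sends the request directly with curl while ignoring any proxy environment, and classifies the outcome, distinguishing the "Bad Request" symptom above from a successful "good" response. It assumes openssl and curl are installed, that the files server.pem (leaf certificate) and issuer.pem (its CA certificate) exist, and that the system trust store can verify the responder's signature.

```sh
#!/bin/sh
# Added example: check that OCSP requests for a certificate succeed when sent
# directly to the responder, bypassing any upstream proxy.
# Assumed inputs: server.pem (leaf certificate) and issuer.pem (its issuer).
set -u

# Print the OCSP responder URL from the certificate's AIA extension.
ocsp_url() {
    openssl x509 -in "$1" -noout -ocsp_uri
}

# Build a DER OCSP request, POST it straight to the responder (--noproxy '*'
# ignores http_proxy/https_proxy), save the reply and print the HTTP status.
# Usage: ocsp_post URL CERT ISSUER RESPONSE_FILE
ocsp_post() {
    req=$(mktemp)
    openssl ocsp -issuer "$3" -cert "$2" -no_nonce -reqout "$req" >/dev/null 2>&1 \
        || { rm -f "$req"; return 1; }
    curl --noproxy '*' -s -o "$4" -w '%{http_code}' \
         -H 'Content-Type: application/ocsp-request' --data-binary @"$req" "$1"
    rm -f "$req"
}

# Classify one check from the HTTP status and the text printed by
# "openssl ocsp -respin". 200 with "Response verify OK" and ": good" is the
# healthy case; 400 is the "Bad Request" answer an interfering proxy returns.
classify_result() {
    code=$1; text=$2
    case "$code" in
        200) case "$text" in
                 *"Response verify OK"*": good"*)    echo OK ;;
                 *"Response verify OK"*": revoked"*) echo REVOKED ;;
                 *) echo UNVERIFIED ;;
             esac ;;
        400) echo BAD_REQUEST ;;
        000) echo UNREACHABLE ;;
        *)   echo "HTTP_$code" ;;
    esac
}

# Run the whole check for CERT/ISSUER and print the classification.
check_ocsp() {
    cert=$1; issuer=$2; resp=$(mktemp)
    url=$(ocsp_url "$cert") || { rm -f "$resp"; return 1; }
    code=$(ocsp_post "$url" "$cert" "$issuer" "$resp")
    # Parse and verify the saved response against the same cert/issuer pair.
    text=$(openssl ocsp -respin "$resp" -issuer "$issuer" -cert "$cert" -no_nonce 2>&1)
    rm -f "$resp"
    classify_result "$code" "$text"
}
```

Run it as `check_ocsp server.pem issuer.pem` from the gateway with the proxy bypassed; anything other than OK means the responder is still not being reached cleanly.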
This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.