Support Center > Search Results > SecureKnowledge Details
HTTPS traffic not accepted when third-party proxy is used Technical Level
  • Matching HTTPS traffic to URL filtering rules is not working for most websites, even though the feature "Categorize HTTPS websites" is checked, when a third-party proxy is used
  • Websites that match on predefined Application Control applications like Wikipedia or Google are not affected.
  • "Use proxy settings" option is selected under Firewall object → Topology → Proxy → Use customer proxy settings for this network object.
  • Bypassing the proxy HTTPS traffic works as expected.
  • The firewall is able to access Check Point Cloud via the following curl command: curl_cli [--proxy IP_or_HostName:Port ] -v

The website presents a certificate which is validated with Online Certificate Status Protocol (OCSP). The third-party proxy is not forwarding the OSCP requests to the Internet and answering with HTTP "Bad Request".

If the certificate is not trusted, the gateway does not use the certificate's subject to match against URLs in the URL Filtering/Application Control rulebase.


Without the third-party proxy, the HTTP response is "200 OK", and the OCSP response is "Successful". The blocked websites are then accessible.

Follow these instructions:

1. Bypass the third-party proxy and make sure all OSCP requests are successful.

Note - Check Point Firewalls are security products, so do not block traffic generated by the firewall itself. The use of upstream proxies or any other third-party equipment can block and break firewall functionalities. Since every certificate vendor has its own OSCP, all traffic to the Internet from VS0 or the firewall itself (if not VSX) must be allowed.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.

Give us Feedback
Please rate this document