HTTPS traffic not accepted when third-party proxy is used
Symptoms
  • Matching HTTPS traffic to URL Filtering rules does not work for most websites when a third-party proxy is used, even though the "Categorize HTTPS websites" feature is enabled.
  • Websites that match predefined Application Control applications, such as Wikipedia or Google, are not affected.
  • The "Use proxy settings" option is selected under Firewall object → Topology → Proxy → Use customer proxy settings for this network object.
  • When the proxy is bypassed, HTTPS traffic works as expected.
  • The firewall is able to reach the Check Point Cloud with the following curl command: curl_cli [--proxy IP_or_HostName:Port] -v http://cws.checkpoint.com
Cause

The website presents a certificate that is validated with the Online Certificate Status Protocol (OCSP). The third-party proxy does not forward the OCSP requests to the Internet and instead answers them with HTTP "Bad Request".

Because the OCSP check fails, the certificate is not trusted, and the gateway does not use the certificate's subject to match against URLs in the URL Filtering/Application Control rulebase.


Solution

Without the third-party proxy, the HTTP response is "200 OK", and the OCSP response is "Successful". The blocked websites are then accessible.

Follow these instructions:

1. Bypass the third-party proxy and make sure all OCSP requests are successful.

Note - Check Point Firewalls are security products, so do not block traffic generated by the firewall itself. Upstream proxies or other third-party equipment can block and break firewall functionality. Since every certificate vendor has its own OCSP responder, all traffic to the Internet originating from VS0 (or from the firewall itself, if not VSX) must be allowed.

This solution has been verified for the specific scenario, described by the combination of Product, Version and Symptoms. It may not work in other scenarios.
