Pardon the OT, but I've got a customer using Checkpoint who has retained me to audit/oversee the deployment of a new application in the DMZ. Based on what I do all the time with ISA, the client and I both assumed that the Checkpoint box could do HTTPS termination in order to perform protocol-level HTTP filtering. We also assumed that the checkpoint box could then forward HTTP to the DMZ for IDS/NetMon logging. It seems, however, that the Checkpoint firewall admin cannot confim Checkpoint's capability to perform this function. Given all the hubbub about Checkpoint, its seems that it's odd that ISA can perform a function so well that Checkpoint does not even support. Can anyone out there confirm this? This could be a great opportunity for me to officially introduce ISA into the company (which I would love) but I want to make sure I'm doing the best job for the client before I just spend the money (or request that they spend the money) if this is something that Checkpoint can do. The goal is to terminate HTTPS at the Checkpoint box, perform app level filtering (like ISA's HTTP filter), then forward the HTTP traffic to a single segmented DMZ network so that the IDS/NetMon boxes can log the traffic via the switch/Nokia monitor ports. Thanks. Oh, any specific references would be great so that I can share them with the client. t