Hi Tim,

From my extensive research on Check Point, it does not have this kind of Web proxy capability. Maybe there's something hidden in the manuals, but from everything I could make out from spending a week doing a competitive analysis, CP's biggest weakness is the lack of an effective Web proxy. I can double check this, but it made enough impression on me to stick.

I'll send you something you might find interesting offline.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: isapros-bounce@xxxxxxxxxxxxx
> [mailto:isapros-bounce@xxxxxxxxxxxxx] On Behalf Of Thor (Hammer of God)
> Sent: Thursday, August 24, 2006 6:09 PM
> To: isapros@xxxxxxxxxxxxx
> Subject: [isapros] OT: Checkpoint HTTPS Termination
>
> Pardon the OT, but I've got a customer using Checkpoint who has retained me
> to audit/oversee the deployment of a new application in the DMZ.
>
> Based on what I do all the time with ISA, the client and I both assumed that
> the Checkpoint box could do HTTPS termination in order to perform
> protocol-level HTTP filtering. We also assumed that the Checkpoint box
> could then forward HTTP to the DMZ for IDS/NetMon logging.
>
> It seems, however, that the Checkpoint firewall admin cannot confirm
> Checkpoint's capability to perform this function. Given all the hubbub
> about Checkpoint, it seems that it's odd that ISA can perform a function so
> well that Checkpoint does not even support.
>
> Can anyone out there confirm this? This could be a great opportunity for me
> to officially introduce ISA into the company (which I would love) but I want
> to make sure I'm doing the best job for the client before I just spend the
> money (or request that they spend the money) if this is something that
> Checkpoint can do.
>
> The goal is to terminate HTTPS at the Checkpoint box, perform app level
> filtering (like ISA's HTTP filter), then forward the HTTP traffic to a
> single segmented DMZ network so that the IDS/NetMon boxes can log the
> traffic via the switch/Nokia monitor ports.
>
> Thanks. Oh, any specific references would be great so that I can share them
> with the client.
>
> t