topic Re: HTTPS inspection and Netflix in Firewall and Security Management

HTTPS inspection and Netflix

Josh_Wilson — Fri, 08 Sep 2017 13:17:44 GMT

I am having difficulty preventing/blocking access to Netflix services. It appears that the HTTPS inspection blade does not try to or cannot properly inspect the HTTPS traffic to https://www.netflix.com and I am looking for some insight on how to resolve this or if it is possible.

I did come across this article explaining how Netflix has advanced their efforts in deploying TLS and suggests something proprietary has been done. Could this be related?

It wasn’t easy, but Netflix will soon use HTTPS to secure video streams | Ars Technica

Has anyone else already struggled with this?

Re: HTTPS inspection and Netflix

Danny — Fri, 08 Sep 2017 19:53:34 GMT

sk114419 describes what to do.

Create network objects to represent ranges or networks on IP addresses used by "Netflix" clients.
Configure the above network objects in the HTTPS Inspection Bypass rule.
Install the policy.

Re: HTTPS inspection and Netflix

Josh_Wilson — Fri, 08 Sep 2017 20:08:58 GMT

I appreciate the response but wouldn't that SK provide an alternative method to bypassing HTTPS inspection? I actually want to be able to inspect the traffic properly so that I can accurately "block" access using the application layer.

Re: HTTPS inspection and Netflix

PhoneBoy — Fri, 08 Sep 2017 21:26:33 GMT

If Netflix uses Certificate Pinning in it's HTTPS Implementation, you cannot do HTTPS Inspection on that traffic without breaking Netflix.

In which case, the only solution is to disable inspection for those destination IPs listed in the link https://community.checkpoint.com/people/dantr917b8439-9d5c-34f0-b86a-f0e1b0a14cbd provided.

Re: HTTPS inspection and Netflix

Josh_Wilson — Fri, 08 Sep 2017 22:20:32 GMT

I think I understand. But without inspection, Netflix will pass through without any enforcement, correct?

Re: HTTPS inspection and Netflix

PhoneBoy — Fri, 08 Sep 2017 22:33:44 GMT

You will still have enforcement as it should be possible to tell it's Netflix traffic without doing HTTPS Inspection.

Re: HTTPS inspection and Netflix

Eric_Oakeson — Wed, 22 Nov 2017 18:01:32 GMT

I think I just found a fix for this one, you need to install the Symantec intermediate cert in to the HTTPS Inspection Trust CAs area. Once I did that, I stopped getting rejected for Netflix.

Here is Netflix getting rejected:

Even though I told it to allow untrusted certificates in the HTTPS Validation configurations:

I looked through the certificate chain for https://www.netflix.com and there was this Intermediate cert in there:

I went to Symantec and found that certificate (Symantec SSL Certificates Support ) and installed it as a Trusted CA in HTTPS Inspection:

Once I did that, I was no longer getting rejected and this should also allow proper enforcement of Netflix as well. On a block rule I was also able to get the UserCheck page to appear, so HTTPS inspection is working properly now.

Re: HTTPS inspection and Netflix

PhoneBoy — Wed, 22 Nov 2017 18:05:08 GMT

Great tip, thanks for sharing this with the community.

Re: HTTPS inspection and Netflix

Eric_Oakeson — Wed, 29 Nov 2017 00:31:15 GMT

Update from further testing, this works on Windows, Mac, and Android devices. Still seeing issues with Apple iOS devices as they use a different URL (ios.nccp.netflix.com) which seems to have cert issues of its own, so still be aware of that one. I haven't been able to get that working yet.