https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66891#M12278 <P>We have scanguns that are having trouble getting to the GooglePlay store. It appears based on errors that GooglePlay does not use the Android Certificate store to use our https inspection certificate.</P><P>I have opened up the clients to bypass the following URL's but am still having issues:</P><P>*.google.com</P><P>google.com</P><P>*.googleapis.com</P><P>googleapis.com</P><P>&nbsp;</P><P>I don't see other google entries in the inspection and according to the logs the clients are getting bypassed, but it hasn't been until I bypass all https inspection for the specific client that it is fully able to connect to the GooglePlay store, register, and download files.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Nov 2019 16:51:54 GMT Wyatt_Felger 2019-11-08T16:51:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66891#M12278 <P>We have scanguns that are having trouble getting to the GooglePlay store. It appears based on errors that GooglePlay does not use the Android Certificate store to use our https inspection certificate.</P><P>I have opened up the clients to bypass the following URL's but am still having issues:</P><P>*.google.com</P><P>google.com</P><P>*.googleapis.com</P><P>googleapis.com</P><P>&nbsp;</P><P>I don't see other google entries in the inspection and according to the logs the clients are getting bypassed, but it hasn't been until I bypass all https inspection for the specific client that it is fully able to connect to the GooglePlay store, register, and download files.</P><P>&nbsp;</P><P>&nbsp;</P> Fri, 08 Nov 2019 16:51:54 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66891#M12278 Wyatt_Felger 2019-11-08T16:51:54Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66899#M12279 What version of code?<BR />If you’re not in R80.30 or R80.20 JHF 117+, I strongly encourage upgrading.<BR />The added support for SNI should help with this. Fri, 08 Nov 2019 17:24:42 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66899#M12279 PhoneBoy 2019-11-08T17:24:42Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66901#M12280 <P>R77.30&nbsp;<span class="lia-unicode-emoji" title=":zipper_mouth_face:">🤐</span> - We are working to move to R80, but not there yet.</P><P>&nbsp;</P> Fri, 08 Nov 2019 17:37:26 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66901#M12280 Wyatt_Felger 2019-11-08T17:37:26Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66958#M12281 You should check the non-Google HTTPS entries as they may provide a clue at other things you may need to set bypass rules for. Sat, 09 Nov 2019 10:44:55 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66958#M12281 PhoneBoy 2019-11-09T10:44:55Z https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66965#M12282 <P>Most google apps have SSL Pinning. In other words they will not work if a non google certificate is presented. The following solution applies to R77.30 and R80.10. R80.20 an .30 have new SSL inspection engines and don't use these flags anymore.</P><P>When you perform SSL Inspection, even if you set it to bypass the engine stills checks the Client Hello of the SSL Handshake, this is enough to break some applications.</P><P>Together with your exceptions I suggest you to set up Enhaced SSL Bypass (Probe bypass detailed on <A href="https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&amp;solutionid=sk104717#Improvements%20in%20HTTPS%20Inspection%20Bypass%20mechanism" target="_self">sk104717</A>&nbsp;) default is off and you can set it on the fly:</P><P>on: fw ctl set int enhanced_ssl_inspection 1<BR />off: fw ctl set int enhanced_ssl_inspection 0</P><P>For more information reffer to the provided SK, keep in mind that you may have some compatibility issues with sites using SNI.</P><P>If you still have issues I would suggest you to not inspect at all the mobile devices LAN. Don't use a bypass action, just be sure to not include the prefix on your SSL Policy.</P><P>You can find more information in my other post about SSL Inspection:&nbsp;<A href="https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/m-p/58647" target="_self">https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/m-p/58647</A></P><P>Let us know how it goes&nbsp;</P><P>___</P> Sat, 09 Nov 2019 12:24:25 GMT https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-Bypass-GooglePlay/m-p/66965#M12282 FedericoMeiners 2019-11-09T12:24:25Z