topic Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison) in Firewall and Security Management

Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Maik — Thu, 14 Jan 2021 14:56:35 GMT

Hello guys,

I was wondering whether it is possible to have custom applications or url filtering objects in order to achieve reachability of the apple & microsoft software update servers?

The official applications "Apple Software Update" and "Windows Update" seem to only work with an existing HTTPS Inspection setup. As url filtering and application control (some applications) can be done with pattern matching against the SNI / CN of the certificate I was wondering whether this can be done for the mentioned update servers. Unfortunately I am not aware of the setup of apples or microsofts update servers and whether SNI / CN comparison can be used in such a case.

Maybe someone already ran into the same issue or heard of a possible solution.

Thanks and best regards,

Maik

[Edit: As always I forgot some details... the question is related to R80.20 Take 118 - VSX + MDM setup]

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

PhoneBoy — Fri, 15 Jan 2021 05:04:59 GMT

For the SNI verification stuff to work properly, you may need to enable HTTPS Inspection with an any any bypass rule.
Not sure if they fixed that in that R80.20 JHF or a future one.
They did in R80.40.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Maik — Fri, 15 Jan 2021 12:02:48 GMT

Seems like it is supported since R80.20 Jumbo HotFix - Ongoing Take 117 (13 October 2019), at least related to the Jumbo Patch notes. Is there some kind of list which application control "objects" can be used with this feature but HTTPS inspection disabled (or set to bypass all)?

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Maik — Mon, 18 Jan 2021 09:46:39 GMT

**ping**

Would also appreciate feedback in any way, like for example that this approach does not make much sense and why (in regards to the mentioned objects/update servers).

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Wed, 09 Mar 2022 12:01:38 GMT

Yes, some guidance on how this is possible, or even if it is at all, would be nice. My goal is to allow all servers access to a list of supplied windows update URLs (not IP ranges, as that information is not available).

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Chris_Atkinson — Wed, 09 Mar 2022 14:51:00 GMT

The most recent enhancement I'm aware of in this regard is outlined in sk163595.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Wed, 09 Mar 2022 15:18:57 GMT

Thanks for the reply, unfortunately I only have the firewall blade available to me.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

PhoneBoy — Wed, 09 Mar 2022 22:01:45 GMT

With only Firewall blade available, there isn't much you can do.
Your only option is by IP address as even looking at URLs or SNI requires App Control.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Thu, 10 Mar 2022 08:28:41 GMT

I was afraid of that, thanks for the info.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Fri, 11 Mar 2022 09:19:37 GMT

We have got the application control blade installed now, but the rule for Windows Update doesn't seem to be doing much. Any tips?

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

G_W_Albrecht — Fri, 11 Mar 2022 14:45:10 GMT

See sk163595: Check Point Solution for R80.40 and above We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.

In previous versions, users can only use the “Bypass HTTPS inspection of all traffic to all known software update services” checkbox.

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Fri, 11 Mar 2022 15:06:08 GMT

Ok thanks, this is interesting - we have R80.40, but I can't find the "HTTPS services - bypass" object...

I have actually narrowed this down to the fact that it is only HTTPS that isn't working, so I'm almost there! 🙂

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Mraybone — Fri, 11 Mar 2022 16:06:22 GMT

I found the object, I can even see things in the logs being successfully bypassed but windows updates still won't work

Re: Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

G_W_Albrecht — Fri, 11 Mar 2022 16:17:23 GMT

Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then you can choose the relevant"HTTPS services - bypass" - see sk131852 !