topic Re: Apple and HTTPS Inspection in Firewall and Security Management

Apple and HTTPS Inspection

nooni — Fri, 24 Mar 2023 10:14:27 GMT

Hi,

I am about to implement HTTPS Inspection but there are some issues with Mac's and software updates.

Current HTTPS Inspect rules bypass 17.0.0.0/8 and itunes.apple.com but still there are some issues.

Are there any plans for an Updatable Apple object or anyone else that has run into this issue that has found a solution ?

Re: Apple and HTTPS Inspection

the_rock — Fri, 24 Mar 2023 10:24:34 GMT

Ah, I remember my struggles on this subject with a customer couple of years back who is 95% Apple shop.

What we ended up doing was whitelist followimg:

*apple*
*itunes*

and bunch of Apple IP ranges

Sadly, I wish there were appropriate updatable objects there. Now in all fairness, all other major fw vendors dont have those updatable objects either when it comes to Apple : - (

Re: Apple and HTTPS Inspection

nooni — Fri, 24 Mar 2023 10:34:09 GMT

Thanks, will try that and i hope that someone from Check Point can update us on plans for an Updatable object 🙂

Re: Apple and HTTPS Inspection

G_W_Albrecht — Fri, 24 Mar 2023 10:53:33 GMT

Did you try to use the HTTPS services recommended bypass Updateable object and Apple Smart Accel Updateable object for exception?

Re: Apple and HTTPS Inspection

nooni — Fri, 24 Mar 2023 10:57:59 GMT

Yes Https inspect bypass both updatable objects is used to bypass.

Could not find any Apple related category in Updatable objects list ?

Re: Apple and HTTPS Inspection

the_rock — Fri, 24 Mar 2023 11:24:08 GMT

I dont think you would find it, as it simply does not exist : - (. Anyway, I gotta get ready to drive to test center to give my CCTE exam, but when I come back, will fire up my https inspection lab in R81.20 and verify all this.

Cheers mate.

Andy

Re: Apple and HTTPS Inspection

nooni — Fri, 24 Mar 2023 11:29:20 GMT

Thanks, it was a response to GW Albrecht 🙂

Good luck on your exam!

Re: Apple and HTTPS Inspection

the_rock — Fri, 24 Mar 2023 11:40:30 GMT

Tx mate! Yea, I know it was response to our good man Guenther :). Anyway, will check when Im back, hopefully around 11 am EST.

Andy

Re: Apple and HTTPS Inspection

G_W_Albrecht — Fri, 24 Mar 2023 13:01:45 GMT

Re: Apple and HTTPS Inspection

Sorin_Gogean — Fri, 24 Mar 2023 13:04:15 GMT

Hello @nooni ,

Can you be more explicit on what are the HTTPS Inspection issues you're facing - more exactly with examples/screenshots ?

We've looked into this as we are running an POC to implement apple cache servers, therefore we had to make sure that Apple traffic via CheckPoints were not inspected (certificate substituted).

FWL policies looks like:

For the HTTPS Inspection, we're bypassing "apple.com" CustomApp object and "c.apple.news" .

Those objects contains:

apple.com	c.apple.news
.aplle.com .apple.com .icloud.com .icloud.com appleid.cdn-apple.com .cdn-apple.com @*.cdn-apple.com	c.apple.news .apple.news *.apple.news

So with that, we were able to see that the Apple cache machine, was able to register the Apple Cloud cache services, and download packages.

Ty,

Re: Apple and HTTPS Inspection

G_W_Albrecht — Fri, 24 Mar 2023 13:05:50 GMT

It does exist at least since R81.20 / R81.10.00. Please do not state that something simply does not exist if the only reason for the statement is your ignorance ! No harm in telling: I never heard of, i never saw that, i do not believe it exists. But not: Does not exist...

Re: Apple and HTTPS Inspection

the_rock — Fri, 24 Mar 2023 14:59:45 GMT

Thats right, I see exact same thing you posted, which does literally nothing lol. I was on the call once with TAC escalations guy and customer and that was pretty much only thing he could find as well. So, factually, okay, I will give it to you, it DOES exist, but its useless 😂

Andy

Re: Apple and HTTPS Inspection

PhoneBoy — Fri, 24 Mar 2023 20:22:02 GMT

For us to have an Updatable Object, the vendor has to provide the IP ranges in a machine consumable format.
Without that, it’s impossible for us to accurately determine what IP ranges vendors use for what.

Re: Apple and HTTPS Inspection

nooni — Mon, 27 Mar 2023 06:36:10 GMT

Thank you for sharing this solution 🙂

Re: Apple and HTTPS Inspection

the_rock — Mon, 27 Mar 2023 11:51:40 GMT

Thanks for sharing @Sorin_Gogean , always great advice! 💪👍

Andy

Re: Apple and HTTPS Inspection

HendrikS — Mon, 05 Aug 2024 10:44:57 GMT

Hello there,

Can you show us what is included in your apple software updates object?

We have a simular issue that ipads can no longer recieve updates when inspection is on. however we would like to limit what we exactly open.

Re: Apple and HTTPS Inspection

the_rock — Mon, 05 Aug 2024 14:11:19 GMT

Me, personally, I just do *apple* and call it a day lol

Andy