topic Re: Https inspection bypass for application (whatsapp). in Firewall and Security Management

Https inspection bypass for application (whatsapp).

Yuli — Wed, 12 Mar 2025 09:16:13 GMT

Hi,

I want give https exclusion for whatsapp but as you know we can not do for application. Therefore I added a bypass rule for instant messaging category. But there is no only whatsapp in this cetgory, there are about 300 messaging tool under this category. How can we add only whatsapp for bypass rule.

Thanks.

Re: Https inspection bypass for application (whatsapp).

Tal_Paz-Fridman — Wed, 12 Mar 2025 09:31:10 GMT

Consider using a Custom Application with URL.

https://knowledge.broadcom.com/external/article/172362/block-whatsapp-application-on-browser.html

You are allowed to add it to HTTPS Inspection Rule

ChatGPT has additional domains:

web.whatsapp.com
api.whatsapp.com
wa.me
cdn.whatsapp.net
static.whatsapp.net
mmg.whatsapp.net
graph.whatsapp.net
e1.whatsapp.net
f.whatsapp.net
s.whatsapp.net

Re: Https inspection bypass for application (whatsapp).

Yuli — Wed, 12 Mar 2025 10:44:43 GMT

Thanks but this is not whatsapp web. This is whatsapp application that installed on windows as win32 application. By the way there is no problem about messaging, the problem is when we try to download any sended picture or file we can not download. I did not see any related logs.

Re: Https inspection bypass for application (whatsapp).

andrepassos — Mon, 12 May 2025 17:59:57 GMT

Hello, I also need some help with this issue. I' m not able to send or receive images on whatsapp application for windows after SSL Inspection activation. Any idea about how to solve this?

Re: Https inspection bypass for application (whatsapp).

PhoneBoy — Mon, 12 May 2025 22:12:54 GMT

Some applications like WhatsApp use certificate pinning, which is incompatible with HTTPS Inspection.
These applications require specific bypass rules to be configured.
Not sure what should be used for WhatsApp specifically, though R82 is much better at "failing open" (meaning HTTPS Inspection is automatically bypassed) in these situations.

Re: Https inspection bypass for application (whatsapp).

the_rock — Mon, 12 May 2025 22:14:40 GMT

Just add custom app group with *whatsapp* in the list. It will work 100%.

Andy

Re: Https inspection bypass for application (whatsapp).

andrepassos — Wed, 14 May 2025 18:03:34 GMT

How did you do this? I tried to create a https bypass rule, but it didn't work. First I tried to create a custom app/site group and added all the WhatsApp services to that group and included them in the category/custom application column, but it returned an error when I tried to install the policy.

Thank you

Re: Https inspection bypass for application (whatsapp).

the_rock — Wed, 14 May 2025 18:08:00 GMT

Just make sure urlf+appc is enabled on the layer, thats it.

Andy

Re: Https inspection bypass for application (whatsapp).

PhoneBoy — Wed, 14 May 2025 20:24:33 GMT

The HTTPS Inspection policy does not support the usage of Applications.
It does allow the use of URL Categories and Custom Application/Site objects, which is what @the_rock was telling you to create.
While this will work probably, it will surely allow more than just whatsapp (say iamnotwhatsapp.com), so be careful.

Re: Https inspection bypass for application (whatsapp).

andrepassos — Wed, 14 May 2025 20:50:43 GMT

Is there any way to create an https bypass rule so that the whatsapp application for windows works properly without affecting security as you mentioned? Im just a little bit confused about what to do.

Re: Https inspection bypass for application (whatsapp).

PhoneBoy — Wed, 14 May 2025 21:55:49 GMT

To create a proper bypass rule, you'd need to get a list of domains used for the WhatsApp service.
These domains would be added to a Custom Application/Site object that would be used in your bypass rule.
Not sure there is a canonical list of WhatsApp domains, but you might also be able to figure it out from the HTTPS Inspection failure logs.

Re: Https inspection bypass for application (whatsapp).

the_rock — Wed, 14 May 2025 22:17:05 GMT

Good point.

Re: Https inspection bypass for application (whatsapp).

the_rock — Thu, 15 May 2025 00:00:42 GMT

Will take a video tomorrow and upload.

Andy

Re: Https inspection bypass for application (whatsapp).

the_rock — Thu, 15 May 2025 12:27:51 GMT

@andrepassos

Video attached as promised.

Andy

Re: Https inspection bypass for application (whatsapp).

andrepassos — Tue, 20 May 2025 18:54:10 GMT

Hello,

We' ve just tried this solution. We did it exactly as shown in the video, but unfortunately, for some reason it didn't work and I still can't upload images using the WhatsApp app for Windows. Any further idea?

Thank you

Re: Https inspection bypass for application (whatsapp).

the_rock — Tue, 20 May 2025 19:17:52 GMT

Can you attach screenshot of the rule? MAKE SURE its allowed via urlf layer and bypassed in ssl inspection.

Andy

Re: Https inspection bypass for application (whatsapp).

the_rock — Tue, 20 May 2025 19:19:00 GMT

Also, can you see whats blocking it via logs?

Andy

Re: Https inspection bypass for application (whatsapp).

andrepassos — Tue, 20 May 2025 20:34:24 GMT

I can see in the logs that the traffic continues to be inspected. Do I need to mark the regular expression option as shown?

Re: Https inspection bypass for application (whatsapp).

the_rock — Tue, 20 May 2025 20:36:10 GMT

Nope...make sure that is BYPASSED in ssl inspection policy, then, has to work 100%

Andy

Re: Https inspection bypass for application (whatsapp).

andrepassos — Tue, 27 May 2025 14:30:58 GMT

Hello.

As you can see, for some reason the bypass is not working