topic Re: White Paper - URL Filtering using SNI for HTTPS websites in General Topics

White Paper - URL Filtering using SNI for HTTPS websites

_Val_ — Mon, 08 Jul 2019 12:43:00 GMT

Author

@Kevin_Jones

Abstract

The document describes how to leverage Server Name Indication (SNI) when using URL Filtering Software Blade.

For the full list of White Papers, go here.

Re: White Paper - URL Filtering using SNI for HTTPS websites

Vladimir — Mon, 06 May 2019 12:26:39 GMT

@Kevin_Jones , thank you for a brief and concise document describing SNI filtering functionality. Many of my clients can benefit from reading it.

In regards to its general availability: your document is from December of last year. When is this functionality will be available in R80.20 by JHFA?

Thank you,

Vladimir

Re: White Paper - URL Filtering using SNI for HTTPS websites

Martin_Valenta — Mon, 06 May 2019 14:05:38 GMT

And SNI visibility with tls 1.3?

https://blog.cloudflare.com/encrypted-sni/

Re: White Paper - URL Filtering using SNI for HTTPS websites

Uri_Lewitus — Mon, 06 May 2019 14:18:24 GMT

R80.30

Re: White Paper - URL Filtering using SNI for HTTPS websites

RickLin — Tue, 07 May 2019 09:32:39 GMT

Can CheckPoint teach us how to use "Next Generation Bypass"?

Thanks for clarification.

Re: White Paper - URL Filtering using SNI for HTTPS websites

Uri_Lewitus — Tue, 07 May 2019 11:31:07 GMT

For URL filtering this is on by default
I am told that NG bypass does not require any extra configuration I am still validating

Re: White Paper - URL Filtering using SNI for HTTPS websites

Vladimir — Mon, 20 May 2019 16:33:01 GMT

@Uri_Lewitus , did you get the chance to validate this?

Thank you,

Vladimir

Re: White Paper - URL Filtering using SNI for HTTPS websites

G_W_Albrecht — Tue, 11 Jun 2019 09:40:04 GMT

That is part of this White Paper - URL Filtering using SNI for HTTPS websites !

Re: White Paper - URL Filtering using SNI for HTTPS websites

MikeB — Fri, 12 Jul 2019 23:49:19 GMT

Is this functionality will be available in R80.20 by JHFA???
Considering right now R80.20 is the recommended version

Re: White Paper - URL Filtering using SNI for HTTPS websites

saulomendonca — Wed, 24 Jul 2019 13:05:25 GMT

Is this functionality already available in R80_10_JUMBO_HF?? thanks

Re: White Paper - URL Filtering using SNI for HTTPS websites

saulomendonca — Wed, 24 Jul 2019 14:43:20 GMT

Is that available in R80_10_JUMBO_HF?

Re: White Paper - URL Filtering using SNI for HTTPS websites

FedericoMeiners — Wed, 24 Jul 2019 18:42:43 GMT

Great information!

I have two qustions:

1) Can anyone confirm is the following feature is included in the new engine of SSL Inspection in R80.30? R80.30 doesn't need the probe bypass feature since it checks de Client Hello and the certificate. Also, it works with Categorize HTTPS without SSL Inspection and without turning on the kernel parameters? I'll try to check this later in a lab enviroment.

"Using this field, rather than relying on the CN of the certificate, gives more specific and accurate information about the requested site. The recently released hotfix for Check Point R80.10 gateways does change this behavior and utilize the SNI extension for categorization. Once installed, the feature can be enabled with the following command: fw ctl set int urlf_use_sni_for_categorization 1 This hotfix also allows a further check to make sure that the SNI requested by the client matches one of the SAN entries on the certificate. To enable this feature, use this command: fw ctl set int urlf_block_unauthorized_sni 1"

2) Is there any benefit in having "Categorize HTTPS sites" AND Outbound SSL Inspection? There are many posts that state that they are mutually exclusive, but in R80.20+ you can have both turned on. So far in my testing I could not see any benefits. Maybe it doesn't inspect all the https traffic?

Thanks!

Federico Meiners

Re: White Paper - URL Filtering using SNI for HTTPS websites

Vladimir — Wed, 24 Jul 2019 19:10:58 GMT

@FedericoMeiners , the SSL categorization is there simply to improve the Application Control and URL filtering. SSL inspection actually allow the payload to be analyzed by other TP blades as well as Content Control and DLP.

Re: White Paper - URL Filtering using SNI for HTTPS websites

FedericoMeiners — Wed, 24 Jul 2019 19:18:27 GMT

@Vladimir I know that, but what is the effect/advantage of having Outbound SSL Inspection + HTTPS Categorization? You can turn them both in R80.20+

Re: White Paper - URL Filtering using SNI for HTTPS websites

Vladimir — Wed, 24 Jul 2019 19:48:19 GMT

Consider, for instance, the situation when you are exempting certain traffic from SSL inspection based on its categories, i.e. financial and health.

Re: White Paper - URL Filtering using SNI for HTTPS websites

_Val_ — Mon, 29 Jul 2019 13:52:00 GMT

I see here many questions about SNI enhancement availability with R80.20.

As fas as I am concern, R80.20 can have SNI functionality back-ported, with a special HFA, with is not part of the regular Jumbo.

@Oren_Segev, can you please give more details?

Re: White Paper - URL Filtering using SNI for HTTPS websites

MikeB — Wed, 14 Aug 2019 02:32:48 GMT

Any idea when this functionality (URL Filtering using SNI for HTTPS websites) will be available for Gaia Embedded (7xx/14xx)?

Re: White Paper - URL Filtering using SNI for HTTPS websites

Tom_Hinoue — Wed, 14 Aug 2019 03:35:08 GMT

Hi Miguel,

In matter of fact, SNI for APPI/URLF it is already available on Gaia Embedded on recent firmwares (disabled by default) in locally managed mode.

Go to Device -> Advanced Settings and find [Application Control and URL Filtering - Custom App over HTTPS].
Enable the parameter and you're good to go.

Re: White Paper - URL Filtering using SNI for HTTPS websites

saulomendonca — Tue, 20 Aug 2019 14:47:34 GMT

Could someone please confirm if this functionality works on R80.20? thanks

Re: White Paper - URL Filtering using SNI for HTTPS websites

MikeB — Wed, 21 Aug 2019 11:49:06 GMT

Thanks @Tom_Hinoue!
What about centrally managed mode?