topic Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass in General Topics

New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Thu, 20 Feb 2020 23:52:37 GMT

We are glad to share a new usability enhancement for our HTTPS Inspection customers.
Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate pinned apps rules using managed updatable objects.

We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic.
These HTTPS services are part of "HTTPS services - bypass" updatable object.

You can choose to add this object to HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly.
For further information please refer to sk163595

If you'd like to see some additional services added to this, let us know!

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Danny — Fri, 21 Feb 2020 00:38:44 GMT

Thanks Check Point!

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

RoD — Sat, 22 Feb 2020 08:38:06 GMT

Please tell me what is the difference between HTTPS Whitelisting and HTTPS Services Bypass ?

Thanks

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Garrett_DirSec — Sat, 22 Feb 2020 15:52:55 GMT

Thanks for insight. Are there plans to ADD this to R80.30 as part of future JHA jumbo update?

thanks -GA

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Sat, 22 Feb 2020 20:31:38 GMT

Use of Updatable Objects in the HTTPS Inspection policy required some major infrastructure improvements.
I don't believe these will be backported to earlier releases.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Sat, 22 Feb 2020 20:36:23 GMT

The HTTPS Inspection policy determines what traffic is "man in the middled" so you can see and make security decisions on the unencrypted contents.
The actions for the rules in that rulebase are either "Inspect" or "Bypass."
Not sure where whitelisting enters into the discussion.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

RoD — Sat, 22 Feb 2020 21:01:02 GMT

HTTPS Whitelisting is using also for bypass HTTPS inspection, if I want that HTTPS inspection bypass some domain like goldmansachs.com , what is a best way to bypass HTTPS inspection for this domain, using HTTPS Whitelisting or HTTPS services - bypass ? Thanks

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Garrett_DirSec — Sun, 23 Feb 2020 00:19:41 GMT

Thanks @PhoneBoy

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Sun, 23 Feb 2020 02:12:13 GMT

You create a custom application with the domain(s) you wish to bypass and add a rule for that domain in the HTTPS Inspection policy.
The "whitelist" that document refers to is one we maintain and cannot be updated by you.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

RoD — Sun, 23 Feb 2020 08:14:27 GMT

OK, Thank you

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Uriel_F — Sun, 23 Feb 2020 14:16:32 GMT

Hi,
Adding support for updatable objects in R80.30 releases won't be possible, the support for for updatable objects requires the new HTTPS Inspection policy that was embedded to the SmartConsole, and this change is to big and complicated for the jumbo releases.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Garrett_DirSec — Sun, 23 Feb 2020 16:28:18 GMT

thanks for the insight!

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Ryan_Ryan — Sun, 23 Feb 2020 23:09:27 GMT

This is a positive update for HTTPS inspection thanks!

Are there any improvements where a client certificate is used? Right now on R80.30 we have to add a bypass rule by IP address in rule position #1 to allow client cert to work. Being able to do this by domain name would be a huge benefit (especially when the application is hosted in AWS/Azure!)

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Mon, 24 Feb 2020 01:18:28 GMT

I don’t believe any vendor handles TLS Client Auth very well.
Sites that require this must be bypassed.
You can create a custom application definition with the domain in question and use that in the rule—should work in R80.30.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

RickLin — Mon, 24 Feb 2020 10:30:31 GMT

You can try to reference sk165094 (Custom Applications/Sites - Best practice).

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Joseph_Audet — Mon, 24 Feb 2020 14:39:45 GMT

Will this eventually include the O365 'Optimize' category from their RSS feed to bypass HTTPS inspection?

Reference article:

https://docs.microsoft.com/en-us/archive/blogs/onthewire/new-office-365-url-categories-to-help-you-optimize-the-traffic-which-really-matters

Thanks!

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

_Val_ — Mon, 24 Feb 2020 14:50:16 GMT

I think it is a good idea, but the question should be directed to R&D

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

Ryan_Ryan — Mon, 24 Feb 2020 22:03:33 GMT

Has sk66405 been officially "fixed"? I guess it depends on whether the client cert based application supports SNI or not as to whether we can bypass by domain name.

I might have to setup a test server and give it a try.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

PhoneBoy — Mon, 24 Feb 2020 22:10:23 GMT

I believe so if SNI happens early enough in the negotiation that we can bypass it in this case.
Also, the SK does not mention R80.30, but it's worth double-checking.

Re: New updatable object for HTTPS Inspection: HTTPS Services Bypass

_Val_ — Tue, 25 Feb 2020 07:27:32 GMT

Just curious, what is to fix in sk66405, @Ryan_Ryan. The SK says, client certificates are not supported with HTTPSi