topic Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass? in General Topics

Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

WAI_KIT_LAO — Mon, 27 Nov 2017 15:20:52 GMT

Hello everyone, Customer now uses HTTPS inspection with probe bypass.

He found that he could not access some website. After checked, those website site works only in browsers with SNI support.

I found the sk104717 point that the limitation of HTTPS Inspection Bypass Mechanism with enabled Probe Bypass is HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.

I tried bypassing the URL of those websites but it still didn't work.

Is there any workaround for it? Or Is there any future plan for fixing the issue?

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

William_Chang — Mon, 27 Nov 2017 23:48:55 GMT

We got the same issue. We are running R80.10. In order to take the advantages of the "unified" policy, we will need to turn on the Application/URL blades. In order to have the firewall detect the URL properly, the https decryption would be on.

However, there are a lot of sites using SNI, most common ones are hosts solutions since people more and more moved their sites to the cloud. It is very hard to do the pro bypass on those sites. In the end, we had to disable the https decryption because we got too many support calls to deal with.

In addition, so called "ground up redesigned" R80.10 still stuck in the R77 https policy editor with no simple check box on decryption within the rules like the competitor Palo Alto.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

PhoneBoy — Tue, 28 Nov 2017 06:37:20 GMT

SNI information is sent in plaintext, which makes it trivial to spoof.

This makes using SNI as the basis for a security decision unwise.

That said, there is a clear need for this functionality and we are investigating how to address this in a secure way.

It's also something that may be resolved in the TLS/1.3 spec.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Hugo_vd_Kooij — Tue, 28 Nov 2017 11:57:56 GMT

As far as blocking is concerned I would trust SNI. If the client indicates it wants to go somewhere where I have a simple match on a blocking rule I would call it day and block the connection.

On allow rules it becomes ..... complicated.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

WAI_KIT_LAO — Wed, 29 Nov 2017 07:53:33 GMT

I am looking forward Checkpoint improvement but does any workaround for the SNI traffic now?

The customer doesn't want to disable the HTTPS probe bypass because it can Stop the inspection of the first connection to bypassed sites.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

D_W — Wed, 14 Feb 2018 14:17:01 GMT

Try to create an object with the website domain and the IP of this webservice and explicitly create a bypass rule for that object(s). You will have the issue again when the IP behind this website changes.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Albert_Wilkes — Fri, 21 Jun 2019 09:04:43 GMT

as per sk92888 using the CP as a proxy would be a workaround when you disable probe bypass that doesn't seem to require two connections - at least there is no mention of a second connection being required. I'd hope/guess this is because the CONNECT request which presents the host in cleartext before any actual tunnel gets built

Also check this https://community.checkpoint.com/message/12721-https-inspection-probe-bypass-to-enable-or-not-to-enable

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Sun, 15 Apr 2018 10:42:06 GMT

There is a fix coming in July for this issue (probe bypass with SNI) on top of R80.10.

To get it please contact your local SE and ask to open RFE ticket for solution center.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Norbert_Bohusch — Thu, 19 Apr 2018 16:42:03 GMT

Can you share more details about how the issue is solved?

- automatic bypass of SNI?

- working Probe Bypass with SNI?

- or other solution I‘m not thinking about?

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Sun, 22 Apr 2018 07:01:44 GMT

We are going to move the rulebase decision to a later point in the connection when we are able to send the SNI and then cache would be including “verified” SNI. This should allow us to work with SNI in a secure manner.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

WAI_KIT_LAO — Wed, 25 Apr 2018 10:58:08 GMT

It's good to hear that improvement from you.

Does the fix work for R77.30?

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Wed, 25 Apr 2018 11:32:04 GMT

No, only R80.10 and later versions.

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Paul_Hagyard — Fri, 17 Aug 2018 07:10:13 GMT

Hi Amos,

Now that we're past July, there's nothing in the R80.10 jumbo HFA notes (or other public SK articles that I could find) about an HTTPS inspection fix for probe bypass and SNI. I contacted my local SE a couple of times to clarify whether this is available but haven't got an answer. What is the status of this fix?

If the fix is not available, what is the current “recommendation” about enabling probe bypass with HTTPS inspection (for both R77.30 and R80.10)? I can see why it would be a good thing (aside from the SNI issue), but it’s not recommended under the best practices SK article (sk108202, appearing only under troubleshooting).

Cheers,

Paul

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Tue, 28 Aug 2018 13:53:28 GMT

Hi Paul,

The SNI HF is released already but it is not part of Jumbo HF.

This is why you will need to contact your SE / Sales representative which should contact Solution Center.

We will release it as part of JHF later on.

Regards

Amos

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Carey_Page-Sinc — Tue, 16 Oct 2018 19:45:24 GMT

Hi Amos,

Is it still the case that this SNI hotfix is available for R80.10 only? And not for R77.30?

How about R80.20? Is this fix incorporated into the GA release, or is still an additional hotfix?

Cheers,

—

Carey

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Wed, 17 Oct 2018 08:44:44 GMT

Hi Carey,

R77.30 - No plans.

R80.20 GA don't have this code yet but we do plan to have a HF for it as well.

Regards

Amos

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Robert_Gilbert — Wed, 17 Oct 2018 15:12:30 GMT

Hi,

I received the hotfix from our SE and installed today on top of take 103 of R80.10 as advised. The problem is now that disabling probe bypass causes all HTTPS inspection traffic to fail completely. With probe bypass enabled, attempting to bypass sites based on the 'Site/Category' column above the catch all inspect rule in the HTTPS inspection policy seems to cause all HTTPS sites to be bypassed for inspection. The exception to this is where the source and destination columns do not match the traffic for the bypass rule, and pass on to the catch all inspect rule. For example if you specify an IP in the destination field to be bypassed then traffic destined to other IPs will pass this rule in the inspection rulebase. Without a bypass rule inspection works fine. This seems to effectively have caused more problems. Is anyone else aware of similar symptoms?

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Amos_Reiss — Thu, 18 Oct 2018 06:24:13 GMT

Robert, please ask your SE to contact me to look into this issue.

Thanks

Amos

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Darran_Lebas — Fri, 26 Oct 2018 07:44:21 GMT

HI Robert,

Do you have any updates/feedback on the SNI hotfix? I'm planning on enabling probe bypass next week. I'm keen to hear if the SNI fix is something I should have ready to go if needed?

Re: Is there any workaround for SNI HTTPS traffic when enabled the HTTPS probe bypass?

Robert_Gilbert — Mon, 29 Oct 2018 14:34:21 GMT

Hi,

Still having the same issues. I'm speaking with a Checkpoint engineer on Thursday so hopefully will have some progress then.