topic Re: HTTPS Inspection Probe Bypass: To enable or not to enable? in General Topics

HTTPS Inspection Probe Bypass: To enable or not to enable?

Aaron_Vivadelli — Thu, 11 Jan 2018 19:53:13 GMT

I've heard of mixed results on probe bypass for HTTPS Inspection and I wanted to get feedback. To me, it seems like this is a better way of deploying HTTPS Inspection to minimize problems with bypassing traffic from inspection, but it is not something that's enabled by default which makes it seem like it should only be used if necessary.

Does anyone know of probe bypass causing more issues than it solves? Or vice versa? I know one solution doesn't fit all environments, but I'm wondering if there is a recommendation one way or another. To me, I think it's something that is better enabled.

Here is the SK: HTTPS Inspection Enhancements in R77.30 and above

Aaron

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Alain_Ikula — Fri, 12 Jan 2018 11:05:36 GMT

Hi Aaron,

Probe Bypass should be enabled if the legislation in your country prevent you from inspecting some traffic (banking and financial categories mainly) using HTTPS inspection. In this case, you bypass HTTPS inspection for those categories and you enable Probe Bypass to avoid that the first packet of the connection is still HTTPS inspected despite your policy. And how is the HTTPS site categorized without HTTPS inspection and with Probe Bypass enabled ? Well, you may use the 'categorize HTTPS websites' functionality but there are limitations (sites using Wilcard certificates, UserCheck). See sk92743 for more details.

Regards,

Alain

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Aaron_Vivadelli — Fri, 12 Jan 2018 15:08:46 GMT

Thanks for responding Alain.

I work for a US based VAR and perform many integrations for our customers of all CP products. All of my customers are sensitive about decrypting financial and healthcare related sites, which is why I feel probe bypass is a good thing to implement at all my customers. I wanted to get feedback from others though because I heard varying recommendations surrounding if this feature causes more problems than benefits. I think there have been a number of fixes in recent JHFs though (at least for R77.30).

Usually I like to deploy HTTPS Inspection with a gradual approach (even recommended in the HTTPS Inspection Best Practices SK), but bypassing rules are theoretically ineffective without Probe Bypass enabled since the first packet is still decrypted.

I guess I'm looking to see if anyone has had specific issues with Probe Bypass enabled where they were better off turning it off.

Aaron

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Matt_Snead — Tue, 16 Jan 2018 16:09:57 GMT

I've tried it a couple times and always end up disabling it because there are too many incompatibilities. The biggest one is outlined in sk104717:

Limitations of HTTPS Inspection Bypass Mechanism with enabled Probe Bypass:

HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.

It really is a shame because I too do not want to be inspecting people's traffic. I only want to prevent them from going to specific domains. So far this seems to be impossible with checkpoint as https categorization is also flawed.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Tue, 16 Jan 2018 23:48:40 GMT

You may want to use the App Control Signature Tool in this case.

Signature Tool for custom Application Control and URL Filtering applications

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Albert_Wilkes — Wed, 14 Mar 2018 15:53:36 GMT

Can you explain where this would help or which of Matt's statements your suggestion refers to (categorization, probe bypass?)? Are you saying you can (or have to) use the App Control Signature Tool to create a (non-IP based) pattern to bypass websites that require SNI even if probe bypass is enabled? My customer found that he can only do a bypass by IP which is also mentioned in sk112066 which is why I am evaluating to disable probe bypass and use the CP as a proxy which should improve things as per the bottom section of sk92888

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Wed, 14 Mar 2018 19:54:16 GMT

Basically what you're doing is creating an App Control Signature that is looking for the SNI.

It does not solve the Probe Bypass issue, but it does give you a way to allow access to specific websites without being required to enable HTTPS Inspection.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Matt_Snead — Thu, 15 Mar 2018 02:16:51 GMT

I’m confused... probe bypass is an enhancement to https inspection. What do you mean by, “without being required to enable https inspection?” Are you referring to people who don’t use https inspection at all? In which case your solution is simply one to allow a blocked https site through? E.g. nothing to do with https inspection or probe bypass, per say? Pretty sure that’s not what this thread was about.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Thu, 15 Mar 2018 05:37:41 GMT

My comment was in response to this statement you made above:

It really is a shame because I too do not want to be inspecting people's traffic. I only want to prevent them from going to specific domains.

If you don't want to be inspecting people's traffic (i.e. enable HTTPS Inspection) but want a way to prevent people from going to specific domains...you can create a custom signature for those domains.

This does not require enabling HTTPS Inspection at all (and thus not needing probe bypass).

I hope that clarifies things.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Olga_Kuts — Fri, 11 May 2018 11:08:42 GMT

Сan someone explain me the principle of Probe Bypass work?

Thanks.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Fri, 11 May 2018 14:24:23 GMT

Limitations of HTTPS Inspection Bypass Mechanism without Probe Bypass:

Every first connection to a site is inspected even if it should have been bypassed according to the policy.
Non-Browser Applications connections are dropped when HTTPS Inspection is enabled (even if bypass is configured).
Client certificate connections are dropped when HTTPS Inspection is enabled (even if bypass is configured).

Improvements introduced by Probe Bypass:

Bypass mechanism was improved to better reflect policy and resolve the above limitations:
- Stop the inspection of the first connection to bypassed sites.
- Allow bypass of Non-Browser Applications connections.
- Allow Bypass of connections to servers that require client certificate.
New probing mechanism eliminates the need to inspect the first connection to an IP address unless it is required by the policy.

Limitations of HTTPS Inspection Bypass Mechanism with enabled Probe Bypass:

HTTPS Inspection will not work for sites that require SNI extension in the SSL "Client hello" packet.

HTTPS Inspection Enhancements in R77.30 and above

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Albert_Wilkes — Mon, 14 May 2018 08:31:13 GMT

my article might a bit of insight into the technicalities of probe bypass. In short probe bypass opens a connection to the server based on the destination even before taking the decision on whether to bypass the inspection or not. A single SYN request on the client to fw side is sufficient to start an SSL negotiation on the fw to server side as can be seen in the case where it breaks when SNI is required

HTTPS inspection real life examples and caveats in R77.30

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Olga_Kuts — Tue, 15 May 2018 19:55:31 GMT

Thanks for reply. I understand limitations and improvements, but I want to understand the mechanism of probe bypass work. How is the bypass done if the connection is not inspected?

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Tue, 15 May 2018 20:06:17 GMT

Read the article Albert Wilkes‌ linked above, it shows what happens when enabled.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Albert_Wilkes — Wed, 16 May 2018 08:48:29 GMT

Please read my update below. It starts a probe / ssl negotiation to the destination before it even responds to the client with a SYN/ACK. Let me know in case there are any questions after reading the below and linked article

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Olga_Kuts — Thu, 17 May 2018 07:47:09 GMT

Great work! Thanks!

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

John_Fenoughty — Fri, 14 Sep 2018 11:52:16 GMT

Following Arron's question and having read and re-read Albert Wilkes's excellent document. I had both the requirement and inclination to carry out testing on my own test systems and then over the last four months on various live sites.

The attached 10 page document contains my findings and the relevant technicalities. The introduction and summary are clear: in almost all cases, disabling probe bypass made things a LOT better! That said, there are factors that can obfuscate this universally (in my experiences) positive result until they are addressed.

My document uses various test sites (13 in the first instance) and one of those, Skype gets a good four or five pages of the document. Summary: I now have Skype working well on a number of sites with HTTPS enabled on those computers using URL based bypasses only (no IP address or ranges).

I will also be posting this in the main thread about getting Skype to work with HTTPS inspection enabled, these two things being so inextricably linked I could not separate them in to two documents.

My document and the CSV file with the URLs for Skype are available in the 'Documents section of 'GeneralProductTopics' - The document is named 'Making Skype work properly with HTTPS inspection enabled coupled with To Probe Bypass or Not To Probe Bypass 1oct18' and the current CSV is SkypeURLs Version 2.3 August 2018.csv.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Matt_Snead — Fri, 14 Sep 2018 13:26:08 GMT

Great post, thanks for sharing. Checkpoint really needs to get their S together and keep on top of changing technologies if they want to keep customers. Their security practices are top-notch, but their general filtering/inspection policies are way behind. Couple that with the many issues with emerging SSL ciphers/elliptical curves and it's becoming an common nuisance.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

PhoneBoy — Fri, 14 Sep 2018 14:38:42 GMT

Thanks for putting this together!

It'd be great if you could upload this as a document to General Product Topics‌, which will make it easier to find.

Re: HTTPS Inspection Probe Bypass: To enable or not to enable?

Marcel_Wildenbe — Mon, 01 Oct 2018 09:31:39 GMT

Hi John,

Thanks for the extensive explanation of the Probe Bypass feature. I have created the Application/Site Group with all the Skype related objects, but when I try to use this object in the https inspection policy under "Site Category", I get the following error:

"HTTPS Inspection: rule 1. In 'Site Category' column, applications or groups with applications are not supported."

Any idea?