topic Re: SNI on security gateway 1490 in Spark Firewall (SMB)

SNI on security gateway 1490

LuisSP — Thu, 04 Jun 2020 23:59:33 GMT

Recently we had trouble accessing some https websites hosted by cloudflare, such sites have in its CN's certificates =sni.cloudflaressl.com, besides in SAN the domain name requested. Here is the list:

syscom.mx
eleconomista.com.mx
tabascohoy.com

After review SK's and contact with TAC's, well, there is no much to do: SNI is not supported on SG 1490 locally management. TAC's solution is create https exceptions to each website, however there are hundreds, thousands websites outthere with this technology implemented on its webserver, not only hosted by cloudflare, but many other hosting services. Website's list formerly mentionated has grown... and I'm sure will continu growing.

I want to know how have you dealt with this situation? Do you create exception to each website?

Thanks for you support comments.

Re: SNI on security gateway 1490

PhoneBoy — Fri, 05 Jun 2020 05:49:39 GMT

SNI support was added to the 1500 series codebase running R80.20.x.
You may have to exclude by IP.
As far as I know, there are no plans to add SNI support to the 1400 series.

Re: SNI on security gateway 1490

LuisSP — Sat, 06 Jun 2020 01:20:11 GMT

Greetings PhoneBoy.

I appretiated your reply,. Regarding to exclude by IP (unique solution by TAC), I face collateral trouble, if I would have to exclude community.checkpoint.com, nslookup get me next IP address:

nslookup community.checkpoint.com
Respuesta no autoritativa:
Nombre: d2m0sklryvkyy2.cloudfront.net
Addresses:
13.226.214.104
13.226.214.61
13.226.214.41
13.226.214.86
Aliases: community.checkpoint.com
fyrhh23835.lithium.com

but 13.226.214.86 is resolved by lulify.com too:

nslookup lulify.com
Respuesta no autoritativa:
Nombre: lulify.com
Addresses:
13.226.214.126
13.226.214.86
13.226.214.56
13.226.214.46

so, creating a https exception by ip open traffic to lulify.com in this case, what it's not malicious site, but imagine that such website was inside a category not allowed.

Unfortunatetly CheckPoint did throw over its promise to upgrade appliance 1490 to r80.x (unknow reasons).

Thanks again.

Re: SNI on security gateway 1490

PhoneBoy — Sat, 06 Jun 2020 03:57:25 GMT

It was originally planned to put R80.20 on the earlier SMB appliances.
However, it turns out the R80.20+ code requires more resources than is available on the 700/1200R/1400 series.
You may be able to execute a trade-in for a 1590 through your local Check Point office/reseller.

Re: SNI on security gateway 1490

MikeB — Sat, 06 Jun 2020 21:50:35 GMT

Have you tried this?: https://community.checkpoint.com/t5/General-Topics/White-Paper-URL-Filtering-using-SNI-for-HTTPS-websites/m-p/60280/highlight/true#M12199

Should be available on 14xx locally managed

Re: SNI on security gateway 1490

LuisSP — Mon, 08 Jun 2020 20:36:54 GMT

I tried it, but unfrotunatetly solution expressed in above url do not worked on my case.

Thanks Miguel.