Wyatt_Felger
Explorer

HTTPS Inspection Bypass GooglePlay

We have scan guns that are having trouble getting to the Google Play store. Based on the errors, it appears that Google Play does not use the Android certificate store, so it does not trust our HTTPS inspection certificate.

I have opened up the clients to bypass the following URLs but am still having issues:

*.google.com

google.com

*.googleapis.com

googleapis.com

I don't see other Google entries in the inspection, and according to the logs the clients are getting bypassed. However, it is not until I bypass all HTTPS inspection for the specific client that it is fully able to connect to the Google Play store, register, and download files.

4 Replies
PhoneBoy
Admin

What version of code?
If you're not on R80.30 or R80.20 JHF 117+, I strongly encourage upgrading.
The added support for SNI should help with this.
Wyatt_Felger
Explorer

R77.30 🤐 - We are working to move to R80, but not there yet.

PhoneBoy
Admin

You should check the non-Google HTTPS entries, as they may provide a clue about other things you may need to set bypass rules for.
FedericoMeiners
Advisor

Most Google apps have SSL pinning. In other words, they will not work if a non-Google certificate is presented. The following solution applies to R77.30 and R80.10. R80.20 and R80.30 have new SSL inspection engines and don't use these flags anymore.

When you perform SSL inspection, even if you set it to bypass, the engine still checks the Client Hello of the SSL handshake; this is enough to break some applications.

Together with your exceptions, I suggest you set up Enhanced SSL Bypass (probe bypass, detailed in sk104717). The default is off, and you can set it on the fly:

on: fw ctl set int enhanced_ssl_inspection 1
off: fw ctl set int enhanced_ssl_inspection 0

For more information refer to the provided SK, and keep in mind that you may have some compatibility issues with sites using SNI.

If you still have issues, I would suggest you not inspect the mobile devices' LAN at all. Don't use a bypass action; just be sure to not include the prefix in your SSL policy.

You can find more information in my other post about SSL Inspection: https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/m-p/58647

Let us know how it goes 

____________
https://www.linkedin.com/in/federicomeiners/