HTTPS Inspection Bypass GooglePlay

We have scanguns that are having trouble getting to the Google Play store. Based on the errors, it appears that Google Play does not use the Android certificate store and so does not pick up our HTTPS inspection certificate.

I have opened up the clients to bypass the following URLs but am still having issues:

*.google.com
google.com
*.googleapis.com
googleapis.com

I don't see other Google entries in the inspection, and according to the logs the clients are getting bypassed, but it wasn't until I bypassed all HTTPS inspection for the specific client that it was fully able to connect to the Google Play store, register, and download files.


Re: HTTPS Inspection Bypass GooglePlay

What version of code?
If you’re not in R80.30 or R80.20 JHF 117+, I strongly encourage upgrading.
The added support for SNI should help with this.

Re: HTTPS Inspection Bypass GooglePlay

R77.30 🤐 - We are working to move to R80, but not there yet.


Re: HTTPS Inspection Bypass GooglePlay

You should check the non-Google HTTPS entries as they may provide a clue at other things you may need to set bypass rules for.

Re: HTTPS Inspection Bypass GooglePlay

Most Google apps use SSL pinning. In other words, they will not work if a non-Google certificate is presented. The following solution applies to R77.30 and R80.10. R80.20 and R80.30 have new SSL inspection engines and don't use these flags anymore.

When you perform SSL inspection, even if you set it to bypass, the engine still checks the Client Hello of the SSL handshake; this is enough to break some applications.

Together with your exceptions I suggest you set up Enhanced SSL Bypass (probe bypass, detailed in sk104717). The default is off and you can set it on the fly:

on: fw ctl set int enhanced_ssl_inspection 1
off: fw ctl set int enhanced_ssl_inspection 0

For more information refer to the provided SK; keep in mind that you may have some compatibility issues with sites using SNI.

If you still have issues I would suggest not inspecting the mobile devices' LAN at all. Don't use a bypass action; just be sure not to include the prefix in your SSL policy.

You can find more information in my other post about SSL Inspection: https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/m-p/58647

Let us know how it goes 

https://www.linkedin.com/in/federicomeiners/
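The "check the non-Google HTTPS entries" advice above, turned into a small script as an added example (not from the thread or from Check Point): it reads HTTPS inspection log records for one client and reports which server names were still inspected despite the bypass list from the original post. The key=value log format and the host names in SAMPLE_LOG are constructed for illustration and are not Check Point's log format or a recommended bypass list.

```python
import fnmatch
from collections import Counter

# Bypass entries exactly as listed in the original post.
BYPASS = ["*.google.com", "google.com", "*.googleapis.com", "googleapis.com"]

# Constructed sample log (format and hosts are assumptions for this example).
SAMPLE_LOG = """\
src=10.20.0.15 sni=play.google.com action=bypass
src=10.20.0.15 sni=android.clients.google.com action=bypass
src=10.20.0.15 sni=play.googleapis.com action=bypass
src=10.20.0.15 sni=static.example-cdn.net action=inspect
src=10.20.0.15 sni=static.example-cdn.net action=inspect
src=10.20.0.15 sni=ota.example-vendor.com action=inspect
src=10.20.0.15 sni=google.com action=inspect
src=10.20.0.99 sni=mail.example.org action=inspect
"""


def parse_line(line):
    """Turn 'k=v k=v ...' into a dict; tokens without '=' are skipped."""
    fields = {}
    for token in line.split():
        if "=" in token:
            key, _, value = token.partition("=")
            fields[key] = value
    return fields


def host_bypassed(host, patterns=BYPASS):
    """True if host matches any bypass entry. '*.google.com' does not
    match the bare apex 'google.com', which is why both entries exist."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def inspected_hosts(log_text, client, patterns=BYPASS):
    """Return (uncovered, misapplied) Counters for one client:
    uncovered  = inspected hosts that match no bypass entry (add a rule);
    misapplied = inspected hosts that match an entry but were inspected
                 anyway (rule ordering or matching problem to investigate)."""
    uncovered, misapplied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec.get("src") != client or rec.get("action") != "inspect":
            continue
        host = rec.get("sni", "")
        (misapplied if host_bypassed(host, patterns) else uncovered)[host] += 1
    return uncovered, misapplied


if __name__ == "__main__":
    unc, mis = inspected_hosts(SAMPLE_LOG, "10.20.0.15")
    print("not covered by bypass list:", dict(unc))
    print("matched a bypass entry yet inspected:", dict(mis))
```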