This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Moudar
MVP Silver
MVP Silver
‎2023-12-12 11:31 PM
Jump to solution

Still drop

Hi,

I have created a rule to allow all IPads to reach to .apple.com domain. The problem is that not all IPads are reaching to that domain, but some still drop, this is my rule:

ipad to apple.JPG

Source: Ipad network

destination: .apple.com domain

services and application: any

Action:accept

Track:log

The IPad network is 10.10.32.0/19. After adding that rule some IPads are accepted to reach .apple.com:

accept to 17.JPG

 And some still drop:

drop to 17..JPG

So why some are still dropping? They are reaching to the Cleanup rule 59.12, where 59.3 is to accept all connections to Apple?!

59 is an Inline layer where IPad network is in the source of it.

What do I miss here?!

Labels
0 Kudos
1 Solution

Accepted Solutions
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 04:29 AM
In response to Moudar
Jump to solution

Just allow 17.0.0.0/8 subnet, that will fix it, as thats what Apple uses.

https://news.ycombinator.com/item?id=3341349

Otherwise, make sure urlf and appc blades are enabled and follow what Guenther suggested, screenshots are there, its pretty straight forward...you need to use built in applications in smart console, just type apple when adding it in the rule and bunch of stuff will pop up.

Andy

Best,
Andy

View solution in original post

12 Replies
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-12-13 01:48 AM
Jump to solution

https://community.checkpoint.com/t5/Security-Gateways/Apple-and-HTTPS-Inspection/m-p/176039

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
(1)
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 03:49 AM
Jump to solution

What @G_W_Albrecht is your best process to follow...now, IF you dont use urlf blade, then domain objects is fine, but make sure it says .*.apple.com and fqdn option is unchecked, otherwise, it may not match all needed sub-domains.

Andy

Best,
Andy
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2023-12-13 04:06 AM
In response to the_rock
Jump to solution

When trying to make it *.apple.com i get this:

apple.JPG

Now my domain object looks like this:

apple1.JPG

0 Kudos
Moudar
MVP Silver
MVP Silver
‎2023-12-13 04:08 AM
In response to Moudar
Jump to solution

What if URL and application blades are active, is there any better way to do that ?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 04:10 AM
In response to Moudar
Jump to solution

Yes, if those are enabled, please follow what @G_W_Albrecht suggested.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 04:09 AM
In response to Moudar
Jump to solution

Maybe you missed . in my post : -)

I mentioned .*.apple.com, but you can also do .*apple.com

Every domain object MUST start with .

Hope that helps

Andy

Please refer to below link:

https://support.checkpoint.com/results/sk/sk120633

Best,
Andy
0 Kudos
Moudar
MVP Silver
MVP Silver
‎2023-12-13 04:24 AM
In response to the_rock
Jump to solution

Now it looks like this:

apple.JPG

But still have drops!

apple1.JPG

I don't really understand what @G_W_Albrecht suggestion is?!

How should I use app and url blades to achieve the same?

0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 04:29 AM
In response to Moudar
Jump to solution

Just allow 17.0.0.0/8 subnet, that will fix it, as thats what Apple uses.

https://news.ycombinator.com/item?id=3341349

Otherwise, make sure urlf and appc blades are enabled and follow what Guenther suggested, screenshots are there, its pretty straight forward...you need to use built in applications in smart console, just type apple when adding it in the rule and bunch of stuff will pop up.

Andy

Best,
Andy
Moudar
MVP Silver
MVP Silver
‎2023-12-13 04:55 AM
In response to the_rock
Jump to solution

It works fine now with 17.0.0.0/8 

URL and application, do you mean enable all these?

apple.JPG

 

 

0 Kudos
G_W_Albrecht
MVP Silver
MVP Silver
‎2023-12-13 05:07 AM
In response to Moudar
Jump to solution

Could well be that only using 17.0.0.0/8 works for you, i would try before doing any other configuration !

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 05:11 AM
In response to Moudar
Jump to solution

Not really, if that range works, then its good. I would leave it as is then.

Andy

Best,
Andy
0 Kudos
the_rock
MVP Diamond
MVP Diamond
‎2023-12-13 04:31 AM
In response to Moudar
Jump to solution

Also, as per below

https://developer.apple.com/forums/thread/44549

Best,
Andy

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events