Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Highlighted
Participant

HTTPS Inspection MacOS

Problem:

We have enabled HTTPS inspection on our network via our Checkpoint blades, all is working just fine apart from inspection of MacOS traffic.
Our certificates are trusted system wide and work for most applications, including Safari but Apple applications like iCloud, iMessage, AppStore etc do not work. I believe this is due to certificate pinning.

Error with AppStore

iCloud Error


An obvious solution would be excluding Apple IPs from inspection but we cant because Apple uses the Akamai CDN and therefore the IPs change almost hourly.

Does anybody here have a solution? Is there a way to somehow efficiently whitelist Apples IPs?

Thank you!

Trusted certs in the system keychain

0 Kudos
10 Replies
Highlighted
Collaborator

You could try an HTTPS inspection bypass for the "Apple Services" application...

0 Kudos
Highlighted
Participant

Unless I am missing something, you can only bypass HTTPS based on site categories and not applications. So Apple falls into the “Web Services Provider” category, but bypassing that would bypass inspection for all web service providers?

0 Kudos
Highlighted
Participant

Thank you for these links! The first one applies to iOS devices but is definitely helpful for us.

The second link is spot on for our issue but we are worried about excluding entire subnets of Akamai. Would excluding such a large range of IPs also exclude us from inspecting dangerous content? Eg; Non Apple services on Akamai CDN

0 Kudos
Highlighted
Champion
Champion

R80.20 and later features "Updatable Objects" that includes Geo Countries and Azure/AWS networks to help avoid the need to exclude constantly-changing swaths of IP addresses in situations like this.  There is not an updatable object for Apple networks to my knowledge, but that sure would be a good RFE...

https://www.checkpoint.com/rfe/rfe.htm 

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

R80.40 addendum for book "Max Power 2020" now available
for free download at http://www.maxpowerfirewalls.com
Highlighted
Participant

Thanks for pointing this out, I have submitted an RFE.
I don't think Updateable Objects can be excluded from HTTPS inspection policies at this time? Is that correct?
I have another RFE open for that!

Charlie

0 Kudos
Highlighted
Admin
Admin

Correct, you cannot use updatable objects in HTTPS inspection rulebase at this moment

0 Kudos
Highlighted
Admin
Admin

Apple services are not included into the updatable objects.

0 Kudos
Highlighted
Admin
Admin

As the SK says, Apple owns the whole segment. It should not interfere with other services

0 Kudos
Highlighted
Champion
Champion

It's all fixed in the latest R77.30 JHF (Take 345). Just check the list of resolved issues.