cancel
Showing results for 
Search instead for 
Did you mean: 
Create a Post

HTTPS Inspection MacOS

Problem:

We have enabled HTTPS inspection on our network via our Checkpoint blades, all is working just fine apart from inspection of MacOS traffic.
Our certificates are trusted system wide and work for most applications, including Safari but Apple applications like iCloud, iMessage, AppStore etc do not work. I believe this is due to certificate pinning.

Error with AppStore

iCloud Error


An obvious solution would be excluding Apple IPs from inspection but we cant because Apple uses the Akamai CDN and therefore the IPs change almost hourly.

Does anybody here have a solution? Is there a way to somehow efficiently whitelist Apples IPs?

Thank you!

Trusted certs in the system keychain

0 Kudos
10 Replies

Re: HTTPS Inspection MacOS

You could try an HTTPS inspection bypass for the "Apple Services" application...

0 Kudos
Highlighted

Re: HTTPS Inspection MacOS

Unless I am missing something, you can only bypass HTTPS based on site categories and not applications. So Apple falls into the “Web Services Provider” category, but bypassing that would bypass inspection for all web service providers?

0 Kudos

Re: HTTPS Inspection MacOS

Re: HTTPS Inspection MacOS

Thank you for these links! The first one applies to iOS devices but is definitely helpful for us.

The second link is spot on for our issue but we are worried about excluding entire subnets of Akamai. Would excluding such a large range of IPs also exclude us from inspecting dangerous content? Eg; Non Apple services on Akamai CDN

0 Kudos

Re: HTTPS Inspection MacOS

R80.20 and later features "Updatable Objects" that includes Geo Countries and Azure/AWS networks to help avoid the need to exclude constantly-changing swaths of IP addresses in situations like this.  There is not an updatable object for Apple networks to my knowledge, but that sure would be a good RFE...

https://www.checkpoint.com/rfe/rfe.htm 

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Re: HTTPS Inspection MacOS

Thanks for pointing this out, I have submitted an RFE.
I don't think Updateable Objects can be excluded from HTTPS inspection policies at this time? Is that correct?
I have another RFE open for that!

Charlie

0 Kudos

Re: HTTPS Inspection MacOS

Correct, you cannot use updatable objects in HTTPS inspection rulebase at this moment

0 Kudos

Re: HTTPS Inspection MacOS

Apple services are not included into the updatable objects.

0 Kudos

Re: HTTPS Inspection MacOS

As the SK says, Apple owns the whole segment. It should not interfere with other services

0 Kudos
Danny
Pearl

Re: HTTPS Inspection MacOS

It's all fixed in the latest R77.30 JHF (Take 345). Just check the list of resolved issues.