
GotoAssist doesn't work when Inspection SSL is enabled


Hello,

We have a problem accessing the GoToAssist website.

We have identified the problem. The problem appears when SSL inspection is enabled, and we had to apply a bypass rule, but it worked before.

We have seen, for example, that the Fortinet KB says to activate a bypass rule, and that for SonicWall one changes the Cipher Method from Default to AES256-SHA or AES128-SHA or 3DES-SHA or RC4-MD5 to resolve this problem.

Do you have any idea?

Best regards

0 Kudos
2 Solutions

Accepted Solutions

Re: GotoAssist doesn't work when Inspection SSL is enable


Greg,

On the App/URL Filter tab, go to Applications/Sites --> New -->  Category.  Name it SSL_Bypass.

Same tab, go to Applications/Sites --> New --> Application/Site.  Name it GoToMeeting, click next.

On the next screen, add all of the URLs listed in the following support page: 

https://support.logmeininc.com/gotomeeting

Make sure you use wildcards where indicated.  On next screen give it a category of SSL_Bypass.

I did not find it necessary to whitelist any of the IPs or ports listed, just the URLs.

Create a rule under HTTPS Inspection policy.  Make sure there are NO inspection rules above this bypass rule (all of your bypass rules should be at the top of your policy)

"Some Name" | src:Any | dst:Internet | services: http/https | site category: SSL_Bypass | action: Bypass

 

 

 

0 Kudos
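The ordering advice in the post above can be checked mechanically. The following is an added example, not part of the original post and not Check Point tooling: it parses rules written in the post's pipe-delimited notation and, assuming first-match evaluation, reports bypass rules that are shadowed by an inspect rule above them or left open to any source. The `Inspect` action name, the sample policy and the function names are assumptions.

```python
# Added example: lint an HTTPS Inspection rule list written in the post's
# pipe-delimited notation. The notation and first-match model are assumptions.

def parse_rule(line):
    """Split 'name | key:value | ...' into a dict with lower-cased keys."""
    name, *fields = [part.strip() for part in line.split("|")]
    rule = {"name": name.strip('"')}
    for field in fields:
        key, _, value = field.partition(":")
        rule[key.strip().lower()] = value.strip()
    return rule

def covers(earlier, later, key):
    """True if the earlier rule's value matches everything the later one does."""
    a, b = earlier.get(key, "Any"), later.get(key, "Any")
    return a.lower() == "any" or a.lower() == b.lower()

def lint(policy_lines):
    """Return findings for bypass rules that can never match or are too broad."""
    rules = [parse_rule(l) for l in policy_lines if l.strip()]
    findings = []
    for i, rule in enumerate(rules):
        if rule.get("action", "").lower() != "bypass":
            continue
        for earlier in rules[:i]:
            if earlier.get("action", "").lower() == "inspect" and all(
                covers(earlier, rule, k) for k in ("src", "dst", "services", "site category")
            ):
                findings.append(f"{rule['name']}: shadowed by '{earlier['name']}' above it")
                break
        if rule.get("src", "Any").lower() == "any":
            findings.append(f"{rule['name']}: source is Any; bypass applies to every client")
    return findings

# Constructed sample policy: the inspect rule sits above the bypass rule.
SAMPLE = [
    '"Inspect all" | src:Any | dst:Internet | services: http/https | site category: Any | action: Inspect',
    '"GoToMeeting bypass" | src:Any | dst:Internet | services: http/https | site category: SSL_Bypass | action: Bypass',
]

if __name__ == "__main__":
    for finding in lint(SAMPLE):
        print(finding)
```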

Re: GotoAssist doesn't work when Inspection SSL is enable


It does not work because of certificate pinning.

 

Look here and act accordingly: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

0 Kudos
13 Replies

Re: GotoAssist doesn't work when Inspection SSL is enable


I assume that GoToAssist is like GoToMeeting and this is mentioned here: Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on... 

Re: GotoAssist doesn't work when Inspection SSL is enable


The proposed solution in Sk112214 did not address the situation with GoToMeeting.  Has anyone come up with a workaround apart from turning off HTTPS inspection?

0 Kudos

Re: GotoAssist doesn't work when Inspection SSL is enable

I'm running into this issue too. Michael, did you have any luck?
0 Kudos
Danny
Pearl

Re: GotoAssist doesn't work when Inspection SSL is enable


Create an HTTPS inspection bypass, that should help.

0 Kudos

Re: GotoAssist doesn't work when Inspection SSL is enable

While I see that as an option I'm trying to figure out if there is something else going on here. I was told that our apps team had no issues with GoToMeeting earlier in the week before I upgraded Checkpoint Management and Log Servers from R80.20 Take_87 -> Take_103. Would this possibly have had anything to do with it or just a coincidence?
0 Kudos
Danny
Pearl

Re: GotoAssist doesn't work when Inspection SSL is enable


You could easily go back to the older JHF take and test again to be sure.

0 Kudos

Re: GotoAssist doesn't work when Inspection SSL is enable

Here is what I have in the log.
Date is Wed Jul 17 23:19:30 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
implied_rules.def was updated
te.def was updated
===========================================================
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/

******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
===========================================================
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/

******** implied_rules.def was changed by user, signature didn't match!
===========================================================
Date is Mon Sep 30 12:30:06 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
/opt/CPR77CMP-R80.20/lib//vpn_table.def wasn't backed up, the backup file already exists
/opt/CPR77CMP-R80.20/lib//te.def wasn't backed up, the backup file already exists
vpn_table.def was updated
te.def was updated
[Expert@GW-MGMT:0]#
0 Kudos
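A log in this format is easier to review once each entry is reduced to per-file events, so that a signature mismatch stands out from routine updates. The following is an added example, not part of the original post: a small parser run over two entries abridged from the log above. The event labels and function names are chosen for this example.

```python
import re
from datetime import datetime
# Two entries abridged from the log in the post above (separator shortened).
LOG = """\
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
==========
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
******** implied_rules.def was changed by user, signature didn't match!
==========
"""

# Event kinds are labels chosen for this example, matched in this order.
PATTERNS = [
    ("signature_mismatch", re.compile(r"(\S+\.def) was changed by user, signature didn't match")),
    ("no_signature_file", re.compile(r"(\S+\.def) had no signature file")),
    ("backup_skipped", re.compile(r"(\S+\.def) wasn't backed up")),
    ("updated", re.compile(r"(\S+\.def) was updated")),
]

def parse_log(text):
    """Return one dict per '====='-separated entry: date, path, events."""
    entries = []
    for block in re.split(r"^=+\s*$", text, flags=re.M):
        date = re.search(r"^Date is (.+)$", block, re.M)
        path = re.search(r"^Path is (\S+)", block, re.M)
        if not (date and path):
            continue  # trailing text such as a shell prompt
        when = datetime.strptime(date.group(1).strip(), "%a %b %d %H:%M:%S %Y")
        events = []
        for line in block.splitlines():
            for kind, rx in PATTERNS:
                m = rx.search(line)
                if m:
                    events.append((kind, m.group(1).rsplit("/", 1)[-1]))
                    break
        entries.append({"date": when, "path": path.group(1), "events": events})
    return entries

def mismatches(entries):
    """Files whose signature check failed, as (ISO date, full path)."""
    return [(e["date"].date().isoformat(), e["path"] + name)
            for e in entries for kind, name in e["events"] if kind == "signature_mismatch"]
```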

Re: GotoAssist doesn't work when Inspection SSL is enable


I received this notification after the take upgrade, but didn't think anything of it.  I contacted Checkpoint Support and they didn't feel it was an issue.

 

• Additional Info:
fw1/bin/hook_fw1_wrapper_HOTFIX_R80_20_JUMBO_HF_MAIN: The updated inspect files were NOT installed due to signature mismatches or error. To process further please refer to sk116455.

0 Kudos

Re: GotoAssist doesn't work when Inspection SSL is enable

Output of log below - Any concern here?
Date is Wed Jul 17 23:19:30 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
implied_rules.def was updated
te.def was updated
===========================================================
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/

******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
===========================================================
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/

******** implied_rules.def was changed by user, signature didn't match!
===========================================================
Date is Mon Sep 30 12:30:06 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
/opt/CPR77CMP-R80.20/lib//vpn_table.def wasn't backed up, the backup file already exists
/opt/CPR77CMP-R80.20/lib//te.def wasn't backed up, the backup file already exists
vpn_table.def was updated
te.def was updated
0 Kudos

Re: GotoAssist doesn't work when Inspection SSL is enable


Additionally, here are the changes I saw on the files it said were not backed up.  Doesn't look like much of anything to me.

[Images: vpn_table.def compare; te.def compare]

0 Kudos


Re: GotoAssist doesn't work when Inspection SSL is enable


Yeah, I gotcha.  We have some existing domain bypasses in by site already for other stuff.  Going to severely limit the source on these though as I don't need everyone bypassing these domains.

0 Kudos
