Quilcaille_Nico
Explorer

GoToAssist doesn't work when SSL Inspection is enabled

Hello,

We have a problem accessing the GoToAssist website.

We have identified the problem. The problem appears when SSL inspection is enabled, and we had to apply a bypass rule, but it worked before.

We have seen, for example, in the Fortinet KB to activate a bypass rule, and for SonicWall to change the Cipher Method from Default to AES256-SHA or AES128-SHA or 3DES-SHA or RC4-MD5 to resolve this problem.

Do you have an idea?

Best regards

13 Replies
Norbert_Bohusch
Advisor
Michael_Gabriel
Explorer

The proposed solution in sk112214 did not address the situation with GoToMeeting. Has anyone come up with a workaround apart from turning off HTTPS inspection?

Gregory_Link
Contributor
I'm running into this issue too. Michael, did you have any luck?
Danny
Champion
Champion

Create an HTTPS inspection bypass, that should help.

Gregory_Link
Contributor
While I see that as an option, I'm trying to figure out if there is something else going on here. I was told that our apps team had no issues with GoToMeeting earlier in the week, before I upgraded the Check Point Management and Log Servers from R80.20 Take_87 -> Take_103. Would this possibly have had anything to do with it, or is it just a coincidence?
Danny
Champion
Champion

You could easily go back to the older JHF take and test again to be sure.

Gregory_Link
Contributor
Here is what I have in the log.
Date is Wed Jul 17 23:19:30 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
implied_rules.def was updated
te.def was updated
===========================================================
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/

******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
===========================================================
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/

******** implied_rules.def was changed by user, signature didn't match!
===========================================================
Date is Mon Sep 30 12:30:06 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
/opt/CPR77CMP-R80.20/lib//vpn_table.def wasn't backed up, the backup file already exists
/opt/CPR77CMP-R80.20/lib//te.def wasn't backed up, the backup file already exists
vpn_table.def was updated
te.def was updated
[Expert@GW-MGMT:0]#
Gregory_Link
Contributor

I received this notification after the take upgrade, but didn't think anything of it. I contacted Check Point Support and they didn't feel it was an issue.

 

• Additional Info:
fw1/bin/hook_fw1_wrapper_HOTFIX_R80_20_JUMBO_HF_MAIN: The updated inspect files were NOT installed due to signature mismatches or error. To process further please refer to sk116455.

Gregory_Link
Contributor
Output of log below - Any concern here?
Gregory_Link
Contributor

Additionally, here are the changes I saw on the files it said were not backed up.  Doesn't look like much of anything to me.

[Attached screenshots: vpn_table.def compare, te.def compare]

Michael_Gabriel
Explorer

Greg,

On the App/URL Filter tab, go to Applications/Sites --> New --> Category. Name it SSL_Bypass.

Same tab, go to Applications/Sites --> New --> Application/Site. Name it GoToMeeting, click next.

On the next screen, add all of the URLs listed in the following support page:

https://support.logmeininc.com/gotomeeting

Make sure you use wildcards where indicated. On the next screen, give it a category of SSL_Bypass.

I did not find it necessary to whitelist any of the IPs or ports listed, just the URLs.

Create a rule under the HTTPS Inspection policy. Make sure there are NO inspection rules above this bypass rule (all of your bypass rules should be at the top of your policy).

"Some Name" | src:Any | dst:Internet | services: http/https | site category: SSL_Bypass | action: Bypass
Gregory_Link
Contributor

Yeah, I gotcha. We have some existing domain bypasses on my site already for other stuff. Going to severely limit the source on these, though, as I don't need everyone bypassing these domains.

_Val_
Admin
Admin

It does not work because of certificate pinning.

 

Look here and act accordingly: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...
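As an added example (not code from this thread or from Check Point), a small Python check that ties together Michael's bypass rule and Val's certificate-pinning explanation: it opens a TLS connection to a host and reports whether the leaf certificate was issued by the gateway's HTTPS-inspection CA (still inspected, which a pinned client such as GoToAssist will reject) or by a public CA (the bypass rule is taking effect). The inspection-CA common name and the hostnames are assumed placeholders; take the real host list from the LogMeIn support page linked above.

```python
"""Verify whether a host is still subject to HTTPS inspection.

Added example, not Check Point or LogMeIn code.  The inspection CA name is an
assumption: replace it with the common name of your gateway's outbound CA.
"""
import socket
import ssl

INSPECTION_CA_CN = "Example Corp HTTPS Inspection CA"  # assumed placeholder


def issuer_common_name(issuer):
    """Return the commonName from an issuer as ssl.getpeercert() returns it:
    a tuple of RDNs, each RDN a tuple of (attribute, value) pairs."""
    for rdn in issuer:
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(issuer, inspection_ca_cn=INSPECTION_CA_CN):
    """'inspected' if the leaf cert was minted by the inspection CA (a pinned
    client will refuse it); 'bypassed' if it came from any other issuer."""
    return "inspected" if issuer_common_name(issuer) == inspection_ca_cn else "bypassed"


def fetch_issuer(host, port=443, timeout=5):
    """Handshake with the host using the system trust store and return the
    leaf certificate's issuer.  If the inspection CA is not trusted locally
    the handshake raises ssl.SSLCertVerificationError, which is exactly what
    a pinning client experiences and is itself evidence of inspection."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["issuer"]


if __name__ == "__main__":
    # Assumed hostnames; use the entries from the vendor's bypass list.
    for host in ("www.gotoassist.com", "global.gotomeeting.com"):
        try:
            print(host, classify(fetch_issuer(host)))
        except (ssl.SSLError, OSError) as exc:
            print(host, "handshake failed:", exc)
```

Run it from a client behind the gateway before and after installing the bypass rule; every listed host should move from "inspected" (or a handshake failure) to "bypassed".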