This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Quilcaille_Nico
Explorer
‎2018-07-23 01:22 AM

GotoAssist doesn't work when Inspection SSL is enable

Jump to solution

Hello,

We have a problem to acces at the website GoToAssist

We have identified the problem. The problem appears when the SSL inspextion is enable and we had to applicate a bypass rule but it worked before.

We had see for example in fortinet KB activate a bypass rule, sonicwall change the Cipher Method from Default to AES256-SHA or AES128-SHA or 3DES-SHA or RC4-MD5 to resolve this problem.

Have you an idea ?

Best Regard's

0 Kudos
3 Solutions

Accepted Solutions
Norbert_Bohusch
Advisor
‎2018-07-23 04:51 AM

Jump to solution

I assume that GoToAssist is like GoToMeeting and this is mentioned here: Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on... 

View solution in original post

Michael_Gabriel
Explorer
‎2019-10-02 09:13 AM
In response to Gregory_Link

Jump to solution

Greg,

On the App/URL Filter tab, go to Applications/Sites --> New -->  Category.  Name it SSL_Bypass.

Same tab, go to Applications/Sites --> New --> Application/Site.  Name it GoToMeeting, click next.

On the next screen, add all of the URLs listed in the following support page: 

https://support.logmeininc.com/gotomeeting

Make sure you use wildcards where indicated.  On next screen give it a category of SSL_Bypass.

I did not find it necessary to whitelist any of the IPs or ports listed, just the URLs.

Create a rule under HTTPS Inspection policy.  Make sure there are NO inspection rules above this bypass rule (all of your bypass rules should be at the top of your policy)

"Some Name" | src:Any | dst:Internet | services: http/https | site category: SSL_Bypass | action: Bypass

 

 

 

View solution in original post

0 Kudos
_Val_
Admin
Admin
‎2019-10-02 11:15 PM

Jump to solution

It does not work because of certificate pinning.

 

Looks here and act accordingly: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

View solution in original post

0 Kudos
13 Replies
Norbert_Bohusch
Advisor
‎2018-07-23 04:51 AM

Jump to solution

I assume that GoToAssist is like GoToMeeting and this is mentioned here: Several HTTPS web sites and applications might not work properly when HTTPS Inspection is enabled on... 

Michael_Gabriel
Explorer
‎2019-05-03 09:47 AM

Jump to solution

The proposed solution in Sk112214 did not address the situation with GoToMeeting.  Has anyone come up with a work around apart from turning off HTTPS inspection?

0 Kudos
Gregory_Link
Contributor
‎2019-10-02 08:41 AM
In response to Michael_Gabriel

Jump to solution
I'm running into this issue to. Michael, did you have any luck?
0 Kudos
Danny
Champion
Champion
‎2019-10-02 08:58 AM
In response to Gregory_Link

Jump to solution

Create an HTTPS inspection bypass, that should help.

0 Kudos
Gregory_Link
Contributor
‎2019-10-02 09:05 AM
In response to Danny

Jump to solution
While I see that as an option I'm trying to figure out if there is something else going on here. I was told that our apps team had no issues with GoToMeeting earlier in the week before I upgraded Checkpoint Management and Log Servers from R80.20 Take_87 -> Take_103. Would this possibly have had anything to do with it or just a coincidence?
0 Kudos
Danny
Champion
Champion
‎2019-10-02 09:08 AM
In response to Gregory_Link

Jump to solution

You could easily go back to the older JHF take and test again to be sure.

0 Kudos
Gregory_Link
Contributor
‎2019-10-02 09:18 AM
In response to Danny

Jump to solution
Here is what I have in the log.
Date is Wed Jul 17 23:19:30 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
implied_rules.def was updated
te.def was updated
===========================================================
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/

******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
===========================================================
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/

******** implied_rules.def was changed by user, signature didn't match!
===========================================================
Date is Mon Sep 30 12:30:06 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
/opt/CPR77CMP-R80.20/lib//vpn_table.def wasn't backed up, the backup file already exists
/opt/CPR77CMP-R80.20/lib//te.def wasn't backed up, the backup file already exists
vpn_table.def was updated
te.def was updated
[Expert@GW-MGMT:0]#
0 Kudos
Gregory_Link
Contributor
‎2019-10-02 09:09 AM
In response to Gregory_Link

Jump to solution

I received this notification after the take upgrade, but didn't think anything of it.  I contacted Checkpoint Support and they didn't feel it was an issue.

 

• Additional Info:
fw1/bin/hook_fw1_wrapper_HOTFIX_R80_20_JUMBO_HF_MAIN: The updated inspect files were NOT installed due to signature mismatches or error. To process further please refer to sk116455.

0 Kudos
Gregory_Link
Contributor
‎2019-10-02 09:29 AM
In response to Gregory_Link

Jump to solution
Output of log below - Any concern here?
Date is Wed Jul 17 23:19:30 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/
implied_rules.def was updated
te.def was updated
===========================================================
Date is Wed Jul 17 23:21:48 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/

******* Warning : te.def had no signature file to compare to this will be considered as a match
vpn_table.def was updated
te.def was updated
===========================================================
Date is Mon Sep 30 12:27:04 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPsuite-R80.20/fw1/lib/

******** implied_rules.def was changed by user, signature didn't match!
===========================================================
Date is Mon Sep 30 12:30:06 2019
HFA index is R80_20_JUMBO_HF
Path is /opt/CPR77CMP-R80.20/lib/
/opt/CPR77CMP-R80.20/lib//vpn_table.def wasn't backed up, the backup file already exists
/opt/CPR77CMP-R80.20/lib//te.def wasn't backed up, the backup file already exists
vpn_table.def was updated
te.def was updated
0 Kudos
Gregory_Link
Contributor
‎2019-10-02 10:13 AM
In response to Gregory_Link

Jump to solution

Additionally, here are the changes I saw on the files it said were not backed up.  Doesn't look like much of anything to me.

vpn_table.def comparevpn_table.def comparete.def comparete.def compare

0 Kudos
Michael_Gabriel
Explorer
‎2019-10-02 09:13 AM
In response to Gregory_Link

Jump to solution

Greg,

On the App/URL Filter tab, go to Applications/Sites --> New -->  Category.  Name it SSL_Bypass.

Same tab, go to Applications/Sites --> New --> Application/Site.  Name it GoToMeeting, click next.

On the next screen, add all of the URLs listed in the following support page: 

https://support.logmeininc.com/gotomeeting

Make sure you use wildcards where indicated.  On next screen give it a category of SSL_Bypass.

I did not find it necessary to whitelist any of the IPs or ports listed, just the URLs.

Create a rule under HTTPS Inspection policy.  Make sure there are NO inspection rules above this bypass rule (all of your bypass rules should be at the top of your policy)

"Some Name" | src:Any | dst:Internet | services: http/https | site category: SSL_Bypass | action: Bypass

 

 

 

0 Kudos
Gregory_Link
Contributor
‎2019-10-02 09:20 AM
In response to Michael_Gabriel

Jump to solution

Yeah, I gotcha.  We have some existing domain bypasses in by site already for other stuff.  Going to severely limit the source on these though as I don't need everyone bypassing these domains.

0 Kudos
_Val_
Admin
Admin
‎2019-10-02 11:15 PM

Jump to solution

It does not work because of certificate pinning.

 

Looks here and act accordingly: https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

 

0 Kudos
Labels