David_C1
Advisor

HTTPS Inspection and MS/Office365, once more

Hi everyone,

Curious, here in early 2026, what people are implementing for inspection/bypass for access to Office365 (SharePoint, Teams, Outlook, etc). Back when we first implemented HTTPS Inspection, we ended up putting in a number of bypass rules for various MS/Office365 services. I'm trying to clean this up - ideally we'd inspect - having DPI for files moving back and forth between OneDrive would be ideal from a Threat Prevention perspective, and many Applications Signatures say they require HTTPS Inspection for application detection (e.g. Microsoft Teams). On the other hand...if it ain't broke, don't mess with it. So I'm looking for what other people have currently in place and how that is working for you and your users.

Thanks,

Dave

0 Kudos
10 Replies
PhoneBoy
Admin

You might not need to do DPI on Office 365 traffic if you're using Email and Collaboration, since some security functions can be done as part of that product. 

the_rock
MVP Diamond

I will tell you what I do in the lab, but I'm sure this is NOT something many people would ever do. I use wildcards and literally exempt anything *outlook*, *teams* and *microsoft*. Otherwise, you may find yourself troubleshooting this for hours on end trying to figure out what needs to be allowed/exempted.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
David_C1
Advisor

Andy and PhoneBoy,

Appreciate the responses. FWIW we do use some MS native tools for threat prevention, but I wouldn't mind some more layered defense, as long as it doesn't impact customers. We pretty much bypass all M365 traffic via a couple of unwieldy rules, and I am planning to clean them up. Before I do this, however, if anyone is inspecting M365 traffic, I'd like to hear your experiences.

Dave

the_rock
MVP Diamond

Hey Dave,

I know a customer that used to do that, not any longer. I'm almost positive the reason they stopped was because it was causing them too many headaches along the way, since they always had to end up bypassing things.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
Nüüül
Advisor

In its M365 Network Principles, M$ says to avoid any deeper inspection (which TLS Inspection definitely is).

Bypass proxies and inspection devices
  • Configure browsers with PAC files that send Microsoft 365 requests directly to egress points.
  • Configure edge routers and firewalls to permit Microsoft 365 traffic without inspection.
  • Minimize latency
  • Reduce load on network devices

I'd stick to MSXFAQ (M365 und SSL Inspektion), which says to avoid inspecting endpoints (M365 Endpoints Worldwide - API) that are flagged with "Optimize" and "Allow" as category. "Optimize" endpoints you could try with TLS Inspection.

AFAIK, with this you will not get your hands on files that are moved around in OneDrive and co. But enabling TLS Inspection will pretty surely cause problems with the application.

With SharePoint and Teams, chances are good you won't get a good handle on them at the network level.

Other vendors have things like "tenant control" to stick users to their own tenant or control where they might access. Not sure if Check Point offers something in that direction.

(1)
the_rock
MVP Diamond

Excellent advice @Nüüül 

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
David_C1
Advisor

This is the path I am headed down: excluding those ranges marked with Optimize and Allow. Ideally, Check Point would break down the updatable objects for Office365 Services based on these tags; otherwise I'm stuck with some manual work, verifying when these "Optimize" and "Allow" ranges are updated and changing my rules based on that. I will likely end up using a broader stroke, just bypassing essentially everything in the Office365 Services updatable objects group.

the_rock
MVP Diamond

I agree 100%, seems totally logical to me as well.

Best,
Andy
"Have a great day and if it's not, change it"
0 Kudos
Nüüül
Advisor

There are several scripts and so on that you could use to build your own updatable objects. Perhaps you would need to adapt them a bit for using those flags.

But yes, that's some extra work.

0 Kudos
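The two pieces of this thread that turn into actual work are Nüüül's earlier suggestion (bypass only the endpoints Microsoft tags "Optimize" and "Allow" in its Endpoints Worldwide API) and the "build your own updatable objects" idea in this last reply, including Dave's worry about noticing when Microsoft changes the ranges. The script below is an added example and not code from anyone in this thread or from Check Point. It assumes Microsoft's web service at https://endpoints.office.com with its "worldwide" instance and a caller-generated clientrequestid GUID; the sample records embedded in it are constructed in the service's JSON shape (documentation addresses, not live data), and the Generic Data Center output field names are my assumption of that import format, to be checked against your release's documentation.

```python
"""Added example: narrow an HTTPS Inspection bypass to the M365 endpoints that
Microsoft tags Optimize/Allow, and notice when the published list changes.
Not code from this thread, from Microsoft or from Check Point."""
import json
import uuid
import urllib.request

# Microsoft's endpoint web service (assumption: worldwide instance, caller-made GUID).
ENDPOINTS_URL = "https://endpoints.office.com/endpoints/worldwide?clientrequestid={rid}"
VERSION_URL = "https://endpoints.office.com/version/worldwide?clientrequestid={rid}"

# Constructed sample records in the service's JSON shape; not real data.
SAMPLE_ENDPOINTS = json.dumps([
    {"id": 1, "serviceArea": "Exchange", "category": "Optimize", "required": True,
     "urls": ["outlook.office365.com"], "ips": ["203.0.113.0/24", "2001:db8:1::/48"],
     "tcpPorts": "443"},
    {"id": 2, "serviceArea": "SharePoint", "category": "Allow", "required": True,
     "urls": ["*.sharepoint.com"], "ips": ["198.51.100.0/25"], "tcpPorts": "80,443"},
    {"id": 3, "serviceArea": "Common", "category": "Default", "required": False,
     "urls": ["*.office.net"], "tcpPorts": "443"},
    {"id": 4, "serviceArea": "Skype", "category": "Optimize", "required": True,
     "ips": ["198.51.100.128/25"], "udpPorts": "3478,3479"},
])


def sample_records():
    """The constructed sample, parsed (stand-in for fetch_endpoints() offline)."""
    return json.loads(SAMPLE_ENDPOINTS)


def bypass_candidates(records, categories=("Optimize", "Allow"), required_only=True):
    """Records that belong in the bypass rule. Defaults follow the thread: only
    Optimize/Allow, and only entries Microsoft marks required, so the bypass
    stays as narrow as the published list permits."""
    return [r for r in records
            if r.get("category") in categories
            and (r.get("required", False) or not required_only)]


def collect(records, field):
    """Sorted, de-duplicated union of a list field ('urls' or 'ips')."""
    values = set()
    for rec in records:
        values.update(rec.get(field, []))
    return sorted(values)


def split_ips(prefixes):
    """IPv4 and IPv6 prefixes separately; firewall address objects are usually typed."""
    return ([p for p in prefixes if ":" not in p],
            [p for p in prefixes if ":" in p])


def to_generic_dc(records, version):
    """Render the selection as a Generic Data Center style JSON document, one
    object per service area. Field names here are my assumption of that import
    format; verify against your release's documentation before importing."""
    by_area = {}
    for rec in records:
        by_area.setdefault(rec["serviceArea"], set()).update(rec.get("ips", []))
    objects = [{"name": f"M365-{area}-bypass",
                "id": f"m365-{area.lower()}-{version}",
                "description": f"M365 {area} Optimize/Allow prefixes, list version {version}",
                "ranges": sorted(ips)}
               for area, ips in sorted(by_area.items())]
    return {"version": "1.0", "description": "M365 bypass ranges", "objects": objects}


def fetch_json(url):
    """Network call; only used when running live, never by the offline sample."""
    with urllib.request.urlopen(url, timeout=30) as resp:
        return json.load(resp)


def fetch_endpoints(client_id=None):
    return fetch_json(ENDPOINTS_URL.format(rid=client_id or uuid.uuid4()))


def fetch_latest_version(client_id=None):
    return fetch_json(VERSION_URL.format(rid=client_id or uuid.uuid4()))["latest"]


def version_changed(stored, latest):
    """True when Microsoft's list version moved on: regenerate the objects then."""
    return stored != latest


if __name__ == "__main__":
    records = sample_records()          # swap for fetch_endpoints() when online
    keep = bypass_candidates(records)
    v4, v6 = split_ips(collect(keep, "ips"))
    print("bypass URLs:", collect(keep, "urls"))
    print("bypass IPv4:", v4)
    print("bypass IPv6:", v6)
    print(json.dumps(to_generic_dc(keep, "sample"), indent=2))
```

Run it as-is to see the offline sample; for real use, replace sample_records() with fetch_endpoints(), store the value from fetch_latest_version() next to the generated objects, and let a scheduled job compare the stored version with the current one so the bypass is rebuilt only when the list actually changed. Keeping required_only at its default and categories at Optimize/Allow is what keeps everything in the "Default" category (the bulk of M365 URLs) subject to inspection.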
Lesley
MVP Gold

Dave,

Do you run R82? There are many new features that make your life easier. (learning mode: https://support.checkpoint.com/results/sk/sk182679 )

And certificate pinning:

Starting from R82, several new features were added to further address the challenges posed by certificate-pinned applications:

  • Full Fail-Open Mode: Automatically detects failures in the HTTPS Inspection process due to client-side issues like pinned certificates. When a failure is detected, the connection is added to an exception list, ensuring zero connectivity issues for end-users.
  • Allow Lists: In addition to the well-known HTTPS services, this list includes known certificate-pinned applications identified through learning and analyzing similar connection behaviors, allowing users to decide whether to bypass them.

Second tip: you can bypass the 'recommended' websites listed in https://support.checkpoint.com/results/sk/sk163595

Start building new policy maybe with a few test clients, or your own machine.

So rule 1 is your client and bypass, and rule 2 is inspect.

-------
Please press "Accept as Solution" if my post solved it 🙂
0 Kudos