PhoneBoy
Admin

New updatable object for HTTPS Inspection: HTTPS Services Bypass

We are glad to share a new usability enhancement for our HTTPS Inspection customers.
Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate-pinned apps rules using managed updatable objects.

We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic.
These HTTPS services are part of the "HTTPS services - bypass" updatable object.


You can choose to add this object to HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly.
For further information, please refer to sk163595.

If you'd like to see some additional services added to this, let us know!

22 Replies
Danny
Champion

Thanks Check Point!

RoD
Contributor

Please tell me, what is the difference between HTTPS Whitelisting and HTTPS Services Bypass?

Thanks

PhoneBoy
Admin

The HTTPS Inspection policy determines what traffic is "man in the middled" so you can see and make security decisions on the unencrypted contents.
The actions for the rules in that rulebase are either "Inspect" or "Bypass."
Not sure where whitelisting enters into the discussion.
RoD
Contributor

HTTPS Whitelisting is also used for bypassing HTTPS Inspection. If I want HTTPS Inspection to bypass some domain like goldmansachs.com, what is the best way to bypass HTTPS Inspection for this domain: using HTTPS Whitelisting or HTTPS services - bypass? Thanks

PhoneBoy
Admin

You create a custom application with the domain(s) you wish to bypass and add a rule for that domain in the HTTPS Inspection policy.
The "whitelist" that document refers to is one we maintain and cannot be updated by you.
RoD
Contributor

OK, Thank you

Garrett_DirSec
Advisor

Thanks for the insight. Are there plans to ADD this to R80.30 as part of a future JHA jumbo update?

thanks -GA

PhoneBoy
Admin

Use of Updatable Objects in the HTTPS Inspection policy required some major infrastructure improvements.
I don't believe these will be backported to earlier releases.
Garrett_DirSec
Advisor

Thanks @PhoneBoy 

Uriel_F
Employee

Hi,
Adding support for updatable objects in R80.30 releases won't be possible. The support for updatable objects requires the new HTTPS Inspection policy that was embedded in SmartConsole, and this change is too big and complicated for the jumbo releases.

Garrett_DirSec
Advisor

thanks for the insight!

Ryan_Ryan
Advisor

This is a positive update for HTTPS inspection thanks!

Are there any improvements where a client certificate is used? Right now on R80.30 we have to add a bypass rule by IP address in rule position #1 to allow client cert to work. Being able to do this by domain name would be a huge benefit (especially when the application is hosted in AWS/Azure!)

PhoneBoy
Admin

I don’t believe any vendor handles TLS Client Auth very well.
Sites that require this must be bypassed.
You can create a custom application definition with the domain in question and use that in the rule—should work in R80.30.
Ryan_Ryan
Advisor

Has sk66405 been officially "fixed"? I guess it depends on whether the client cert based application supports SNI or not as to whether we can bypass by domain name.

I might have to set up a test server and give it a try.

PhoneBoy
Admin

I believe so, if SNI happens early enough in the negotiation that we can bypass it in this case.
Also, the SK does not mention R80.30, but it's worth double-checking.
_Val_
Admin
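As an added illustration of the point above (example code written for this page, not Check Point's implementation): a bypass-by-domain decision can only be taken from the host_name in the ClientHello's server_name (SNI) extension, which the client sends in the clear before any certificate exchange. The bypass list and the ClientHello bytes below are constructed for the example; if the client sends no SNI, there is nothing for a domain rule to match.

```python
import struct
# Constructed sample bypass list modelled on the thread's examples (hypothetical, not Check Point's object)
BYPASS_FQDNS = {"goldmansachs.com", "clientcert-app.example"}

def build_client_hello(host: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying a server_name (SNI) extension."""
    name = host.encode()
    sni = struct.pack("!BH", 0, len(name)) + name               # name_type=host_name, host
    ext = struct.pack("!HHH", 0, len(sni) + 2, len(sni)) + sni  # ext type 0, ext len, list len
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                # version, random, empty session id
            + struct.pack("!H", 2) + b"\x13\x01"                # one cipher suite
            + b"\x01\x00"                                       # one compression method: null
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x03" + struct.pack("!H", len(hs)) + hs    # record type 22 = handshake

def extract_sni(record: bytes):
    """Return the host_name from the ClientHello's server_name extension, or None."""
    if len(record) < 44 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                              # skip headers, version, random
    p += 1 + record[p]                                          # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]            # cipher suites
    p += 1 + record[p]                                          # compression methods
    if p + 2 > len(record):
        return None                                             # no extensions block at all
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                          # server_name extension
            q = p + 2                                           # skip server_name_list length
            while q + 3 <= p + elen:
                ntype, nlen = struct.unpack("!BH", record[q:q + 3])
                if ntype == 0:                                  # host_name entry
                    return record[q + 3:q + 3 + nlen].decode("ascii", "replace")
                q += 3 + nlen
        p += elen
    return None

def https_inspection_action(record: bytes) -> str:
    """'Bypass' when the SNI is a bypass FQDN or a subdomain of one, otherwise 'Inspect'."""
    host = extract_sni(record)
    if host is None:
        return "Inspect"          # no SNI: a domain-based bypass rule cannot match
    host = host.lower().rstrip(".")
    return "Bypass" if any(host == f or host.endswith("." + f) for f in BYPASS_FQDNS) else "Inspect"
```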

Just curious, what is there to fix in sk66405, @Ryan_Ryan? The SK says client certificates are not supported with HTTPSi.

Ryan_Ryan
Advisor

That SK described a special method for bypassing client cert, the requirement was it had to be done by IP address (domain not supported) and it has to be in the first rule in the inspection policy, i.e. putting the IP address in a bypass rule in position #2 will still break the connection. Our real issue was one of the services we used was hosted out of AWS so we had to manually put every AWS IP address into rule number 1 so we have had to bypass a massive chunk of the Internet for the sake of one server.

_Val_
Admin

I understand you entirely. In R80.40, it is possible to use FQDN objects in the HTTPSi rulebase. It should resolve your issue. 

I have also reached out to the SK owner to clarify why this option is not mentioned in the SK for R80.40. With R80.30 and below, there is no option for domain objects to be used.

_Val_
Admin

@Ryan_Ryan , I have double-checked with R&D.

You can use an FQDN object to represent your asset on AWS in the HTTPSi bypass rule, with R80.40 and up. The SK is being modified to reflect that.

RickLin
Advisor

You can try to reference sk165094 (Custom Applications/Sites - Best practice).

Joseph_Audet
Ambassador

Will this eventually include the O365 'Optimize' category from their RSS feed to bypass HTTPS inspection?

Reference article:

https://docs.microsoft.com/en-us/archive/blogs/onthewire/new-office-365-url-categories-to-help-you-o...

Thanks!

_Val_
Admin

I think it is a good idea, but the question should be directed to R&D.
