Admin
New updatable object for HTTPS Inspection: HTTPS Services Bypass

We are glad to share a new usability enhancement for our HTTPS Inspection customers.
Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate-pinned app rules using managed updatable objects.

We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic.
These HTTPS services are part of the "HTTPS services - bypass" updatable object.


You can choose to add this object to the HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly.
For further information, please refer to sk163595.

If you'd like to see some additional services added to this, let us know!

22 Replies
Champion

Thanks Check Point!

Participant

Please tell me, what is the difference between HTTPS Whitelisting and HTTPS Services Bypass?

Thanks

Admin

The HTTPS Inspection policy determines what traffic is "man-in-the-middled" so you can see and make security decisions on the unencrypted contents.
The actions for the rules in that rulebase are either "Inspect" or "Bypass."
Not sure where whitelisting enters into the discussion.
Participant

HTTPS Whitelisting is also used for bypassing HTTPS inspection. If I want HTTPS inspection to bypass some domain like goldmansachs.com, what is the best way to bypass HTTPS inspection for this domain: using HTTPS Whitelisting or HTTPS services - bypass? Thanks

Admin

You create a custom application with the domain(s) you wish to bypass and add a rule for that domain in the HTTPS Inspection policy.
The "whitelist" that document refers to is one we maintain and cannot be updated by you.
Participant

OK, thank you.


Thanks for the insight. Are there plans to ADD this to R80.30 as part of a future JHA jumbo update?

thanks -GA

Admin

Use of Updatable Objects in the HTTPS Inspection policy required some major infrastructure improvements.
I don't believe these will be backported to earlier releases.

Thanks @PhoneBoy

Employee+

Hi,
Adding support for updatable objects in R80.30 releases won't be possible; the support for updatable objects requires the new HTTPS Inspection policy that was embedded in SmartConsole, and this change is too big and complicated for the jumbo releases.


thanks for the insight!

Specialist

This is a positive update for HTTPS inspection, thanks!

Are there any improvements where a client certificate is used? Right now on R80.30 we have to add a bypass rule by IP address in rule position #1 to allow the client cert to work. Being able to do this by domain name would be a huge benefit (especially when the application is hosted in AWS/Azure!)

Admin

I don’t believe any vendor handles TLS Client Auth very well.
Sites that require this must be bypassed.
You can create a custom application definition with the domain in question and use that in the rule—should work in R80.30.
Specialist

Has sk66405 been officially "fixed"? I guess it depends on whether the client cert based application supports SNI or not as to whether we can bypass by domain name.

I might have to set up a test server and give it a try.

Admin

I believe so, if SNI happens early enough in the negotiation that we can bypass it in this case.
Also, the SK does not mention R80.30, but it's worth double-checking.
Admin
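The two answers above (a custom application holding the domain(s) to bypass, and bypass-by-domain depending on SNI arriving early in the negotiation) come down to one mechanism: the gateway reads the server_name extension from the client's first message, the ClientHello, and walks an ordered rulebase until a rule matches. The following is an added illustration, not Check Point code; the rulebase, the domain-matching semantics (subdomains match the domain) and the packets are constructed for the example.

```python
# Added example, not Check Point code: pull the SNI out of a TLS ClientHello and
# run it through a constructed, ordered HTTPS Inspection rulebase (first match wins).
import struct

def extract_sni(record: bytes):
    """Return the server_name from a TLS ClientHello record, or None if absent."""
    try:
        if record[0] != 0x16:                      # record type: handshake
            return None
        hs = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if hs[0] != 0x01:                          # handshake type: client_hello
            return None
        p = 4 + 2 + 32                             # header, version, random
        p += 1 + hs[p]                             # session_id
        p += 2 + struct.unpack("!H", hs[p:p + 2])[0]   # cipher_suites
        p += 1 + hs[p]                             # compression_methods
        ext_end = p + 2 + struct.unpack("!H", hs[p:p + 2])[0]
        p += 2
        while p + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", hs[p:p + 4])
            body, p = hs[p + 4:p + 4 + elen], p + 4 + elen
            if etype == 0 and body[2] == 0:        # server_name ext, host_name type
                nlen = struct.unpack("!H", body[3:5])[0]
                return body[5:5 + nlen].decode("ascii")
    except (IndexError, struct.error, UnicodeDecodeError):
        pass                                       # truncated or malformed: no SNI
    return None

def build_client_hello(host: str) -> bytes:
    """Constructed minimal ClientHello carrying only an SNI extension (sample input)."""
    name = host.encode("ascii")
    sni = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(sni)) + sni
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"   # version, random, empty session_id
            + b"\x00\x02\x13\x01" + b"\x01\x00"     # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed rulebase: rule 1 is a custom application holding the domain(s) to
# bypass; rule 2 is the catch-all inspect rule. Subdomains match the domain.
RULEBASE = [(1, ["goldmansachs.com"], "bypass"), (2, ["*"], "inspect")]

def https_inspection_action(record: bytes):
    """Return (rule number, action) for a ClientHello; no SNI means no domain match."""
    sni = extract_sni(record)
    for num, domains, action in RULEBASE:
        if any(d == "*" or (sni and (sni == d or sni.endswith("." + d))) for d in domains):
            return (num, action)
    return (None, "inspect")
```

A ClientHello without SNI never matches a domain rule and falls through to the catch-all, which is why bypass-by-domain only helps for clients that send SNI.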

Just curious, what is there to fix in sk66405, @Ryan_Ryan? The SK says client certificates are not supported with HTTPSi.

Specialist

That SK described a special method for bypassing client cert; the requirement was that it had to be done by IP address (domain not supported) and it has to be the first rule in the inspection policy, i.e. putting the IP address in a bypass rule in position #2 will still break the connection. Our real issue was that one of the services we used was hosted out of AWS, so we had to manually put every AWS IP address into rule number 1, so we have had to bypass a massive chunk of the Internet for the sake of one server.

Admin

I understand you entirely. In R80.40, it is possible to use FQDN objects in the HTTPSi rulebase. It should resolve your issue.

I have also reached out to the SK owner to clarify why this option is not mentioned in the SK for R80.40. With R80.30 and below, there is no option for domain objects to be used.

Admin

@Ryan_Ryan , I have double-checked with R&D.

You can use an FQDN object to represent your asset on AWS in the HTTPSi bypass rule, with R80.40 and up. The SK is being modified to reflect that.

Advisor

You can try to reference sk165094 (Custom Applications/Sites - Best practice).

Employee

Will this eventually include the O365 'Optimize' category from their RSS feed to bypass HTTPS inspection?

Reference article:

https://docs.microsoft.com/en-us/archive/blogs/onthewire/new-office-365-url-categories-to-help-you-o...

Thanks!

Admin

I think it is a good idea, but the question should be directed to R&D.