This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
PhoneBoy
Admin
Admin
‎2020-02-20 03:52 PM

New updatable object for HTTPS Inspection: HTTPS Services Bypass

We are glad to share a new usability enhancement for our HTTPS Inspection customers.
Starting from R80.40, HTTPS Inspection customers will be able to consolidate their certificate pinned apps rules using managed updatable objects.

We've collected a list of HTTPS services which are known to be used in scenarios where HTTPS Inspection is unable to establish the trust between the client and the Security Gateway and is therefore unable to inspect the traffic.
These HTTPS services are part of "HTTPS services - bypass" updatable object.

image001.png

You can choose to add this object to HTTPS Inspection policy as a bypass rule to avoid connectivity issues and/or to the Access policy as a drop rule to block these services explicitly.
For further information please refer to sk163595

If you'd like to see some additional services added to this, let us know!

22 Replies
Danny
MVP Gold
MVP Gold
‎2020-02-20 04:38 PM

Thanks Check Point!

0 Kudos
RoD
Contributor
‎2020-02-22 12:38 AM
In response to Danny

Please tell me what is the difference between HTTPS Whitelisting and HTTPS Services Bypass ?

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-22 12:36 PM
In response to RoD

The HTTPS Inspection policy determines what traffic is "man in the middled" so you can see and make security decisions on the unencrypted contents.
The actions for the rules in that rulebase are either "Inspect" or "Bypass."
Not sure where whitelisting enters into the discussion.
0 Kudos
RoD
Contributor
‎2020-02-22 01:01 PM
In response to PhoneBoy

HTTPS Whitelisting is using also for bypass HTTPS inspection, if I want that HTTPS inspection bypass some  domain like goldmansachs.com  , what is a best way to bypass HTTPS inspection for this domain, using HTTPS Whitelisting or HTTPS services - bypass ? Thanks

Preview file
74 KB
0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-22 06:12 PM
In response to RoD

You create a custom application with the domain(s) you wish to bypass and add a rule for that domain in the HTTPS Inspection policy.
The "whitelist" that document refers to is one we maintain and cannot be updated by you.
0 Kudos
RoD
Contributor
‎2020-02-23 12:14 AM
In response to PhoneBoy

OK, Thank you

0 Kudos
Garrett_DirSec
Advisor
‎2020-02-22 07:52 AM

 Thanks for insight.    Are there plans to ADD this to R80.30 as part of future JHA jumbo update?

thanks -GA

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-22 12:31 PM
In response to Garrett_DirSec

Use of Updatable Objects in the HTTPS Inspection policy required some major infrastructure improvements.
I don't believe these will be backported to earlier releases.
Garrett_DirSec
Advisor
‎2020-02-22 04:19 PM
In response to PhoneBoy

Thanks @PhoneBoy 

0 Kudos
Uriel_F
Employee
Employee
‎2020-02-23 06:16 AM
In response to Garrett_DirSec

Hi,
Adding support for updatable objects in R80.30 releases won't be possible, the support for for updatable objects requires the new HTTPS Inspection policy that was embedded to the SmartConsole, and this change is to big and complicated for the jumbo releases.

Garrett_DirSec
Advisor
‎2020-02-23 08:28 AM
In response to Uriel_F

thanks for the insight!

0 Kudos
Ryan_Ryan
Advisor
‎2020-02-23 03:09 PM

This is a positive update for HTTPS inspection thanks!

Are there any improvements where a client certificate is used? Right now on R80.30 we have to add a bypass rule by IP address in rule position #1 to allow client cert to work. Being able to do this by domain name would be a huge benefit (especially when the application is hosted in AWS/Azure!)

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-23 05:18 PM
In response to Ryan_Ryan

I don’t believe any vendor handles TLS Client Auth very well.
Sites that require this must be bypassed.
You can create a custom application definition with the domain in question and use that in the rule—should work in R80.30.
0 Kudos
Ryan_Ryan
Advisor
‎2020-02-24 02:03 PM
In response to PhoneBoy

Has sk66405 been officially "fixed"? I guess it depends on whether the client cert based application supports SNI or not as to whether we can bypass by domain name.

I might have to setup a test server and give it a try. 

 

 

0 Kudos
PhoneBoy
Admin
Admin
‎2020-02-24 02:10 PM
In response to Ryan_Ryan

I believe so if SNI happens early enough in the negotiation that we can bypass it in this case.
Also, the SK does not mention R80.30, but it's worth double-checking.
0 Kudos
_Val_
Admin
Admin
‎2020-02-24 11:27 PM
In response to Ryan_Ryan

Just curious, what is to fix in sk66405, @Ryan_Ryan. The SK says, client certificates are not supported with HTTPSi

0 Kudos
Ryan_Ryan
Advisor
‎2020-02-25 01:23 PM
In response to _Val_

That SK described a special method for bypassing client cert, the requirement was it had to be done by IP address (domain not supported) and it has to be in the first rule in the inspection policy. ie. so putting the IP address in a bypass rule in position #2 will still break the connection. Our real issue was one of the services we used was hosted out of AWS so we had to manually put every AWS IP address into rule number 1 so we have had to bypass a massive chunk of the Internet for the sake of one server. 

0 Kudos
_Val_
Admin
Admin
‎2020-02-25 11:30 PM
In response to Ryan_Ryan

I understand you entirely. In R80.40, it is possible to use FQDN objects in the HTTPSi rulebase. It should resolve your issue. 

I have also reached out to the SK owner to clarify why this option is not mentioned in the SK for R80.40. With R80.30 and below, there is no option for domain objects to be used.

_Val_
Admin
Admin
‎2020-02-26 10:10 AM
In response to Ryan_Ryan

@Ryan_Ryan , I have double-checked with R&D.

You can use FQDN object to represent your asset on AWS in the HTTPSi bypass rule, with R80.40 and up. SK is being modified to reflect that.

RickLin
Advisor
Advisor
‎2020-02-24 02:30 AM
In response to Ryan_Ryan

You can try to reference sk165094 (Custom Applications/Sites - Best practice).

Joseph_Audet
MVP Silver CHKP MVP Silver CHKP
MVP Silver CHKP
‎2020-02-24 06:39 AM

Will this eventually include the O365 'Optimize' category from their RSS feed to bypass HTTPS inspection? 

 

Reference article:

https://docs.microsoft.com/en-us/archive/blogs/onthewire/new-office-365-url-categories-to-help-you-o...

Thanks!

0 Kudos
_Val_
Admin
Admin
‎2020-02-24 06:50 AM
In response to Joseph_Audet

I think it is a good idea, but the question should be directed to R&D

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events