This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
D_TK
Advisor
2 weeks ago
Jump to solution

R82 - ssl inspection auto bypass question

Hi all - 

We've been using ssl inspection since pretty much the first version it was available so obviously our ssl inspect bypass rule is pretty long with specific sites that can't be inspected for whatever reasons.  The idea of having the gateway automatically make the decision if the site can be inspected or not, and if not, bypass it from ssl inspection is pretty awesome and much needed.  

Question:  What happens if the client machine doesn't even have the ssl inspect MiTM cert installed - would that user be able to surf all sites because clearly it would not be able to inspect any ssl traffic and all of it would fail open into bypass.  Or, is having the MiTM cert installed mandatory to even get to the point where the gateway makes the inspection decision?

 Thanks.

 

 

0 Kudos
2 Solutions

Accepted Solutions
the_rock
MVP Gold
MVP Gold
2 weeks ago
In response to the_rock
Jump to solution

@D_TK Just tested it, since I had to finish something else and it was exactly the behavior as you described in scenario 2, both on R81.20 and R82, latest jumbos.

Andy

View solution in original post

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

The first connection to the site will fail.
However, the gateway will see that the client/server combination cannot perform HTTPS Inspection because of not having the MITM certificate, because the app uses Certificate Pinning (thus won't accept the MITM certificate), or some other error.
Future connections to that site will be "bypassed."

View solution in original post

8 Replies
the_rock
MVP Gold
MVP Gold
2 weeks ago
Jump to solution

Hey @D_TK ,

Its not mandatory to have that cert on clients machine, but then it sort of defeats the purpose of ssl inspection. If they dont have it, they would be seeing cert error on literally every site they visit. Personally, in my lab, I dont use those auto bypass features, I just bypass what I want to myself.

Mind you, Fortinet has had that forever now, cant recall whats included, but I believe its banking and medical categories and something else. But again, Im not a big fan of it, just my opinion.

Andy

0 Kudos
D_TK
Advisor
2 weeks ago
In response to the_rock
Jump to solution

sure, not having the cert in pre-r82 mode makes surfing unusable as pretty much all sites are ssl and the user would get no clean page loads.  My Q is specific to what happens in client fail open mode if a client didn't have the cert.  It's got to be one of these two scenarios:

1)  Everything gets ssl inspect bypassed due to client fail-open, and pages load fine (uninspected).

2) works like it would currently without client fail-open enabled - every single page gets cert/privacy errors.

 

I would think that it would work like scenario 1, but i did test one laptop and every page threw the ssl error.  I just want to ensure that this is the expected result from being in client fail-open mode, and the client does not have the MiTM cert installed.

0 Kudos
the_rock
MVP Gold
MVP Gold
2 weeks ago
In response to D_TK
Jump to solution

I can confirm tomorrow in the lab, but Im 99.99% sure it would be scenario 2.

Andy

0 Kudos
the_rock
MVP Gold
MVP Gold
2 weeks ago
In response to the_rock
Jump to solution

@D_TK Just tested it, since I had to finish something else and it was exactly the behavior as you described in scenario 2, both on R81.20 and R82, latest jumbos.

Andy

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
Jump to solution

The first connection to the site will fail.
However, the gateway will see that the client/server combination cannot perform HTTPS Inspection because of not having the MITM certificate, because the app uses Certificate Pinning (thus won't accept the MITM certificate), or some other error.
Future connections to that site will be "bypassed."

the_rock
MVP Gold
MVP Gold
2 weeks ago
In response to PhoneBoy
Jump to solution

Its weird, cause when I tested in the R82 lab. EVERY site gave me cert warning and if I chose to continue, site would open.

Andy

0 Kudos
PhoneBoy
Admin
Admin
2 weeks ago
In response to the_rock
Jump to solution

That cert warning is the first connection 😛

(1)
the_rock
MVP Gold
MVP Gold
2 weeks ago
In response to PhoneBoy
Jump to solution

You got me there LOL

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events