
HTTPS inspection bypass R80.10

Hi team.

I'm trying to add HTTPS inspection bypass rules with a custom site category that has a full URL or regex in it.

But it doesn't work and Check Point inspects this traffic.

Any ideas how to make it work?

17 Replies
Danny
Pearl

Re: HTTPS inspection bypass R80.10

A bit more information would be helpful (Version you are using, the url you want to bypass, your regex etc.).

Usually, when URL and regex definitions don't work to bypass HTTPS websites, you'll be required to bypass the IP address of the website.

Follow these steps:

  1. Create network objects to represent ranges of IP addresses used by your clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.

Related SKs: sk108762, sk122158, sk114160, sk114419, sk113935, sk132913

0 Kudos

Re: HTTPS inspection bypass R80.10

Hi Danny.

Thanks, but I know about bypass by destination IP.

This method is too time-consuming because websites have multiple IP addresses. So I need to bypass inspection with a wildcard in the URL, for example *.site.com

0 Kudos
Danny
Pearl

Re: HTTPS inspection bypass R80.10

Which website would you like to bypass?

0 Kudos

Re: HTTPS inspection bypass R80.10

For example vtb.ru with all subdomains

0 Kudos
Danny
Pearl

Re: HTTPS inspection bypass R80.10

vtb.ru owns just a single /24 network: 193.164.146.0/24

So if you create a network object to reflect vtb.ru's network and bypass it within your HTTPS Inspection policy you should be all good.

0 Kudos

Re: HTTPS inspection bypass R80.10

Thank you

0 Kudos
Danny
Pearl

Re: HTTPS inspection bypass R80.10

The 'Thank you' badge can be found right below the Actions link.

ED
Silver

Re: HTTPS inspection bypass R80.10

Hi @Danny 

How did you find out that vtb.ru owns that single /24 network? 

0 Kudos

Re: HTTPS inspection bypass R80.10

I have the same problem where the sites are inspected even though I have a custom bypass application with a list of URLs using regex. The URLs still get inspected and break my connection.

My requirement is to bypass the following.

*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.ods.opinsights.azure.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-neu.microsoft.com
crl.microsoft.com
ctldl.windowsupdate.com
events.data.microsoft.com
uk.vortex-win.data.microsoft.com
uk-v20.events.data.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com

What are my options, as currently I can't give my organisation a working solution?

0 Kudos

Re: HTTPS inspection bypass R80.10

Does anyone have any ideas on how to resolve the above issues?

0 Kudos

Re: HTTPS inspection bypass R80.10

Enable module probe bypass (sk104717)

 

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

0 Kudos

Re: HTTPS inspection bypass R80.10

Hi Alessandro,

Was this in response to my issue? If it was, I've been there and felt the pain of enabling probe bypass.

I'm still waiting for CP to supply me with the SNI fix to supplement enabling probe bypass but this hasn't happened as yet.

0 Kudos

Re: HTTPS inspection bypass R80.10

Yes, it was...

What is your take on R80.10?

 

0 Kudos

Re: HTTPS inspection bypass R80.10

It's ever-changing. Currently 169.

No, the list above is from Microsoft. I'd created an application using the proper Regex format.

 

0 Kudos

Re: HTTPS inspection bypass R80.10

I have two clusters with R80.10 take 142, probe bypass on, and my regex like this: (^|.*\.)*microsoft\.com

 

working fine...

0 Kudos
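
A bypass pattern exempts traffic from inspection, so it is worth checking what else it matches before installing policy. The script below is an added example, not part of the post above and not Check Point code: it runs the posted regex and an anchored alternative over constructed hostnames. The helper names are hypothetical, and Python's `re` with substring-search matching is an assumption about how the gateway applies the pattern; anchoring with `^` and `$` gives the same result whether the engine searches or matches the whole name.

```python
import re

# Pattern exactly as posted in the thread.
POSTED = r"(^|.*\.)*microsoft\.com"

LABELS = r"([a-z0-9-]+\.)"  # one DNS label followed by a dot

def domain_and_subdomains(domain):
    """Anchored pattern for a domain and any depth of subdomains."""
    return "^" + LABELS + "*" + re.escape(domain) + "$"

def from_wildcard(entry):
    """Anchored pattern for a list entry such as '*.blob.core.windows.net'."""
    if entry.startswith("*."):
        return "^" + LABELS + "+" + re.escape(entry[2:]) + "$"
    return "^" + re.escape(entry) + "$"

def bypassed(pattern, hosts):
    """Hosts the pattern would exempt, assuming substring-search matching."""
    rx = re.compile(pattern, re.IGNORECASE)
    return [h for h in hosts if rx.search(h)]

# Constructed test names: three intended, three that must stay inspected.
HOSTS = [
    "microsoft.com",
    "crl.microsoft.com",
    "winatp-gw-uks.microsoft.com",
    "notmicrosoft.com",
    "microsoft.com.example.net",
    "microsoft.community.example.net",
]

if __name__ == "__main__":
    for name, pat in [("posted", POSTED),
                      ("anchored", domain_and_subdomains("microsoft.com"))]:
        print(name, pat)
        for h in bypassed(pat, HOSTS):
            print("   bypass:", h)
    print(from_wildcard("*.blob.core.windows.net"))
```

Under search semantics the posted pattern exempts all six names, while the anchored one exempts only the first three.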

Re: HTTPS inspection bypass R80.10

Hi Darran, are your regexes like the ones you wrote above?

0 Kudos

Re: HTTPS inspection bypass R80.10

enable module of probe bypass

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1
0 Kudos