This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Charles_Cranefi
Participant
‎2019-03-05 04:06 AM

HTTPS Inspection MacOS

Problem:

We have enabled HTTPS inspection on our network via our Checkpoint blades, all is working just fine apart from inspection of MacOS traffic.
Our certificates are trusted system wide and work for most applications, including Safari but Apple applications like iCloud, iMessage, AppStore etc do not work. I believe this is due to certificate pinning.

Error with AppStore

iCloud Error


An obvious solution would be excluding Apple IPs from inspection but we cant because Apple uses the Akamai CDN and therefore the IPs change almost hourly.

Does anybody here have a solution? Is there a way to somehow efficiently whitelist Apples IPs?

Thank you!

Trusted certs in the system keychain

0 Kudos
10 Replies
Ryan_St__Germai
Advisor
‎2019-03-05 04:17 AM

You could try an HTTPS inspection bypass for the "Apple Services" application...

0 Kudos
Charles_Cranefi
Participant
‎2019-03-05 04:45 AM
In response to Ryan_St__Germai

Unless I am missing something, you can only bypass HTTPS based on site categories and not applications. So Apple falls into the “Web Services Provider” category, but bypassing that would bypass inspection for all web service providers?

0 Kudos
Charles_Cranefi
Participant
‎2019-03-05 05:12 AM
In response to _Val_

Thank you for these links! The first one applies to iOS devices but is definitely helpful for us.

The second link is spot on for our issue but we are worried about excluding entire subnets of Akamai. Would excluding such a large range of IPs also exclude us from inspecting dangerous content? Eg; Non Apple services on Akamai CDN

0 Kudos
Timothy_Hall
Legend Legend
Legend
‎2019-03-05 06:28 AM
In response to Charles_Cranefi

R80.20 and later features "Updatable Objects" that includes Geo Countries and Azure/AWS networks to help avoid the need to exclude constantly-changing swaths of IP addresses in situations like this.  There is not an updatable object for Apple networks to my knowledge, but that sure would be a good RFE...

https://www.checkpoint.com/rfe/rfe.htm 

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Attend my Gateway Performance Optimization R81.20 course
CET (Europe) Timezone Course Scheduled for July 1-2
Charles_Cranefi
Participant
‎2019-03-05 06:39 AM
In response to Timothy_Hall

Thanks for pointing this out, I have submitted an RFE.
I don't think Updateable Objects can be excluded from HTTPS inspection policies at this time? Is that correct?
I have another RFE open for that!

Charlie

0 Kudos
_Val_
Admin
Admin
‎2019-03-05 07:35 AM
In response to Charles_Cranefi

Correct, you cannot use updatable objects in HTTPS inspection rulebase at this moment

0 Kudos
_Val_
Admin
Admin
‎2019-03-05 07:33 AM
In response to Timothy_Hall

Apple services are not included into the updatable objects.

0 Kudos
_Val_
Admin
Admin
‎2019-03-05 07:36 AM
In response to Charles_Cranefi

As the SK says, Apple owns the whole segment. It should not interfere with other services

0 Kudos
Danny
Champion Champion
Champion
‎2019-03-05 01:46 PM

It's all fixed in the latest R77.30 JHF (Take 345). Just check the list of resolved issues.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    Top