Create a Post
cancel
Showing results for 
Search instead for 
Did you mean: 
Charles_Cranefi
Participant

HTTPS Inspection MacOS

Problem:

We have enabled HTTPS inspection on our network via our Checkpoint blades, all is working just fine apart from inspection of MacOS traffic.
Our certificates are trusted system wide and work for most applications, including Safari but Apple applications like iCloud, iMessage, AppStore etc do not work. I believe this is due to certificate pinning.

Error with AppStore

iCloud Error


An obvious solution would be excluding Apple IPs from inspection but we cant because Apple uses the Akamai CDN and therefore the IPs change almost hourly.

Does anybody here have a solution? Is there a way to somehow efficiently whitelist Apples IPs?

Thank you!

Trusted certs in the system keychain

0 Kudos
10 Replies
Ryan_St__Germai
Advisor

You could try an HTTPS inspection bypass for the "Apple Services" application...

0 Kudos
Charles_Cranefi
Participant

Unless I am missing something, you can only bypass HTTPS based on site categories and not applications. So Apple falls into the “Web Services Provider” category, but bypassing that would bypass inspection for all web service providers?

0 Kudos
_Val_
Admin
Admin

Charles_Cranefi
Participant

Thank you for these links! The first one applies to iOS devices but is definitely helpful for us.

The second link is spot on for our issue but we are worried about excluding entire subnets of Akamai. Would excluding such a large range of IPs also exclude us from inspecting dangerous content? Eg; Non Apple services on Akamai CDN

0 Kudos
Timothy_Hall
Legend Legend
Legend

R80.20 and later features "Updatable Objects" that includes Geo Countries and Azure/AWS networks to help avoid the need to exclude constantly-changing swaths of IP addresses in situations like this.  There is not an updatable object for Apple networks to my knowledge, but that sure would be a good RFE...

https://www.checkpoint.com/rfe/rfe.htm 

--
"IPS Immersion Training" Self-paced Video Class
Now Available at http://www.maxpowerfirewalls.com

Gateway Performance Optimization R81.20 Course
now available at maxpowerfirewalls.com
Charles_Cranefi
Participant

Thanks for pointing this out, I have submitted an RFE.
I don't think Updateable Objects can be excluded from HTTPS inspection policies at this time? Is that correct?
I have another RFE open for that!

Charlie

0 Kudos
_Val_
Admin
Admin

Correct, you cannot use updatable objects in HTTPS inspection rulebase at this moment

0 Kudos
_Val_
Admin
Admin

Apple services are not included into the updatable objects.

0 Kudos
_Val_
Admin
Admin

As the SK says, Apple owns the whole segment. It should not interfere with other services

0 Kudos
Danny
Champion Champion
Champion

It's all fixed in the latest R77.30 JHF (Take 345). Just check the list of resolved issues.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

Upcoming Events

    CheckMates Events