- Products
- Learn
- Local User Groups
- Partners
- More
This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
- Products
- Learn
- Local User Groups
- Upcoming Events
- Americas
- EMEA
- Czech Republic and Slovakia
- Denmark
- Netherlands
- Germany
- Sweden
- United Kingdom and Ireland
- France
- Spain
- Norway
- Ukraine
- Baltics and Finland
- Greece
- Portugal
- Austria
- Kazakhstan and CIS
- Switzerland
- Romania
- Turkey
- Belarus
- Belgium & Luxembourg
- Russia
- Poland
- Georgia
- DACH - Germany, Austria and Switzerland
- Iberia
- Africa
- Adriatics Region
- Eastern Africa
- Israel
- Nordics
- Middle East and Africa
- Balkans
- Italy
- Bulgaria
- Cyprus
- APAC
- Partners
- More
- ABOUT CHECKMATES & FAQ
- Sign In
- Leaderboard
- Events
AI Security Masters E7:
How CPR Broke ChatGPT's Isolation and What It Means for You
Blueprint Architecture for Securing
The AI Factory & AI Data Center
Call For Papers
Your Expertise. Our Stage
Good, Better, Best:
Prioritizing Defenses Against Credential Abuse
Ink Dragon: A Major Nation-State Campaign
Watch HereCheckMates Go:
CheckMates Fest
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
- CheckMates
- :
- Products
- :
- Hybrid Mesh
- :
- Firewall and Security Management
- :
- Re: Office 365 Bypass Decryption
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for
Are you a member of CheckMates?
×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Jump to solution
Office 365 Bypass Decryption
I'm creating a firewall policy to support Office 365 traffic and I'm running into an issue (by design) regarding the decryption of Office 365 endpoint traffic. I've enabled HTTPS inspection globally, as well as inspection bypass for Office 365 endpoints, but the challenge I'm running into is that the Checkpoint will still perform SSL decryption on all traffic (because inspection is enabled globally).
Microsoft recommends against decryption of Optimize and Allow category endpoints...Is there any way to bypass decryption (easily) for these endpoints? Ideally using updatable objects?
Obviously a bit of a catch-22 here. We need HTTPS inspection so we can recognize traffic that we'll allow out, but the global decryption settings create an issue for these two endpoint categories.
Any thoughts are appreciated!
1 Solution
Accepted Solutions
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Darren,
Hope you are doing well. My first guess would be that the updateable objects for Microsoft/Office don't include the involved wildcards / FQDN according to sk163595: HTTPS Inspection bypass list object
*.broadcast.skype.com
*shared.officeapps.live.com
Have you tried to create a specific custom application object containing those entries? Then add them to the TLS Inspection policy + bypass.
In previous version you could enable Probe Bypass so the bypass action doesn't inspect even the first packet of the TLS handshake.
However in later version probe bypass was discontinued. I have to perform more research on R80.40 but so far the best way that I found to complete bypass traffic is to not even include those hosts / networks on the SSL/TLS policy.
This approach is difficult to implement on large scale environments and of course it will disable TLS inspection completed on those hosts.
More information here: Outbound SSL Inspection: A war story
____________
https://www.linkedin.com/in/federicomeiners/
https://www.linkedin.com/in/federicomeiners/
5 Replies
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
R80.40 Gateways will allow the use of Updatable Objects in the HTTPS Inspection policy.
In earlier releases, this would have to be manually maintained.
However, there is a script that can be used for this.
In this case, it's in the context of an Encryption Domain, but you can use the group for anything.
https://community.checkpoint.com/t5/Remote-Access-VPN/Route-O365-traffic-local-and-not-in-VPN-tunnel...
In earlier releases, this would have to be manually maintained.
However, there is a script that can be used for this.
In this case, it's in the context of an Encryption Domain, but you can use the group for anything.
https://community.checkpoint.com/t5/Remote-Access-VPN/Route-O365-traffic-local-and-not-in-VPN-tunnel...
This widget could not be displayed.
This widget could not be displayed.
This widget could not be displayed.
Very familiar with the R80.40 enhancement allowing the use of Updatable Objects in the HTTPS inspection policy, and this is working as designed (logs are reporting that O365 endpoints have been bypassed). The challenge, however, is that because HTTPS inspection is enabled globally, the Checkpoint will still perform SSL encrypt/decrypt, evident in the fact that the firewall will replace the SSL certificate.
I can't think of any way to completely bypass SSL encrypt/decrypt functionality, so thought I'd throw this out to the larger community. Attached are a couple of screenshots detailing the issue when testing connectivity from https://connectivity.office.com.
Very familiar with the R80.40 enhancement allowing the use of Updatable Objects in the HTTPS inspection policy, and this is working as designed (logs are reporting that O365 endpoints have been bypassed). The challenge, however, is that because HTTPS inspection is enabled globally, the Checkpoint will still perform SSL encrypt/decrypt, evident in the fact that the firewall will replace the SSL certificate.
I can't think of any way to completely bypass SSL encrypt/decrypt functionality, so thought I'd throw this out to the larger community. Attached are a couple of screenshots detailing the issue when testing connectivity from https://connectivity.office.com.
Very familiar with the R80.40 enhancement allowing the use of Updatable Objects in the HTTPS inspection policy, and this is working as designed (logs are reporting that O365 endpoints have been bypassed). The challenge, however, is that because HTTPS inspection is enabled globally, the Checkpoint will still perform SSL encrypt/decrypt, evident in the fact that the firewall will replace the SSL certificate.
I can't think of any way to completely bypass SSL encrypt/decrypt functionality, so thought I'd throw this out to the larger community. Attached are a couple of screenshots detailing the issue when testing connectivity from https://connectivity.office.com.
Very familiar with the R80.40 enhancement allowing the use of Updatable Objects in the HTTPS inspection policy, and this is working as designed (logs are reporting that O365 endpoints have been bypassed). The challenge, however, is that because HTTPS inspection is enabled globally, the Checkpoint will still perform SSL encrypt/decrypt, evident in the fact that the firewall will replace the SSL certificate.
I can't think of any way to completely bypass SSL encrypt/decrypt functionality, so thought I'd throw this out to the larger community. Attached are a couple of screenshots detailing the issue when testing connectivity from https://connectivity.office.com.
Very familiar with the R80.40 enhancement allowing the use of Updatable Objects in the HTTPS inspection policy, and this is working as designed (logs are reporting that O365 endpoints have been bypassed). The challenge, however, is that because HTTPS inspection is enabled globally, the Checkpoint will still perform SSL encrypt/decrypt, evident in the fact that the firewall will replace the SSL certificate.
I can't think of any way to completely bypass SSL encrypt/decrypt functionality, so thought I'd throw this out to the larger community. Attached are a couple of screenshots detailing the issue when testing connectivity from https://connectivity.office.com.
