This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Humberto_AB
Explorer
‎2024-03-25 11:29 AM
Jump to solution

Harmony SASE (perimeter 81) may break some app functionality

Hi, I have reciently tried harmony sase while participation on a POC for a client, and while I was building the enviroment I noticed that git stopped working, while trobleshooting the issue I encountered the followin error message:

SSL certificate problem: self-signed certificate in certificate chain

also NPM(node package manager) gave me a similar issue while trying to run npm install

the way I solved this issues temporally is that I disable SSL verification on both git and npm, but I think that the issue is related on the generation of self signed certificates used for perimeter 81 functionality. has anyone had a similar issue? I have tried and installed certificates from checkpoint firewalls before and I didnt had this issue on the past. disabling ssl checks is not recomended  and the ssl certificate shuld be trusted, where is the perimeter 81 cert stored? is tere something  on the roadmap so this dosnt have to be manually configured on the future?

1 Solution

Accepted Solutions
rlopes
Employee
Employee
‎2024-03-27 07:01 PM
In response to Humberto_AB
Jump to solution

Hi @Humberto_AB, you will likely need Bypass Rules for those:
https://support.perimeter81.com/docs/secure-web-gateway#bypass-rules

 

View solution in original post

(1)
5 Replies
Humberto_AB
Explorer
‎2024-03-26 04:37 PM
Jump to solution

after further investigation I can confirm that the problem is perimeter 81, specifically the perimeter81 secure web gateway certificate, after uninstalling this certificate and stopping perimeter 81, functionality was restored as normal, is this intended? or can it be categorized as a bug?

as of now what I have tested that is affected is:

  • npm (node package manager): cant install any libraries unless ssl verification  is disabled
  • git can't clone, fetch, push, pull, or interact with a repo in any way, unless ssl verification is disabled
  • docker cant install any libraries required to build a dockerfile unless ssl verification is disabled

in my opinion disabling ssl verification is a bad security practice alternatively the certificate culd be marked as trusted by every app but I havent tried that yet.

0 Kudos
rlopes
Employee
Employee
‎2024-03-27 07:01 PM
In response to Humberto_AB
Jump to solution

Hi @Humberto_AB, you will likely need Bypass Rules for those:
https://support.perimeter81.com/docs/secure-web-gateway#bypass-rules

 

(1)
Iain_K
Participant
‎2024-06-18 09:47 PM
In response to rlopes
Jump to solution

Is there any way to see the domain that was attempted to be accessed by the application (which failed) through the P81 console? Useful for quickly adding bypass rules.

JamieT
Explorer
‎2024-09-02 01:19 AM
In response to Iain_K
Jump to solution

Iain_K, I also think it would be very useful to have some logging available to identify where certificate pinning issues occur in the application.

As easy as the fix is, it can be an onerous task to identify the URLs which are causing issues, especially when they're called by background processes.

cryptochrome
Collaborator
‎2024-04-19 10:29 AM
In response to Humberto_AB
Jump to solution

What you are seeing is a common issue that everybody and every product faces that inspects SSL/TLS connections. While it works for most sites and apps, some of them use certificate pinning. The app will only accept a specific certificate, and when not present, refuse to connect. 

To circumvent this, as others have already pointed out, those destinations need to be excempt from SSL inspection by adding them to a bypass rule. 

 

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Trending Discussions
Harmony SASE geo block question
Upcoming Events

    CheckMates Events