LuisSP
Contributor

SNI on security gateway 1490

Recently we had trouble accessing some HTTPS websites hosted by Cloudflare; such sites have CN=sni.cloudflaressl.com in their certificates, with the requested domain name in the SAN. Here is the list:

  • syscom.mx
  • eleconomista.com.mx
  • tabascohoy.com

After reviewing SKs and contacting TAC, well, there is not much to do: SNI is not supported on the SG 1490 in locally managed mode. TAC's solution is to create HTTPS exceptions for each website; however, there are hundreds, thousands of websites out there with this technology implemented on their web servers, not only hosted by Cloudflare but by many other hosting services. The website list mentioned above has grown... and I'm sure it will continue growing.

I want to know how you have dealt with this situation. Do you create an exception for each website?

Thanks for your support and comments.

5 Replies
PhoneBoy
Admin

SNI support was added to the 1500 series codebase running R80.20.x.
You may have to exclude by IP.
As far as I know, there are no plans to add SNI support to the 1400 series.
LuisSP
Contributor

Greetings PhoneBoy.

I appreciated your reply. Regarding excluding by IP (the only solution from TAC), I face collateral trouble: if I had to exclude community.checkpoint.com, nslookup gives me the following IP addresses:

nslookup community.checkpoint.com
Non-authoritative answer:
Name: d2m0sklryvkyy2.cloudfront.net
Addresses:
13.226.214.104
13.226.214.61
13.226.214.41
13.226.214.86
Aliases: community.checkpoint.com
fyrhh23835.lithium.com

but 13.226.214.86 is also returned for lulify.com:

nslookup lulify.com
Non-authoritative answer:
Name: lulify.com
Addresses:
13.226.214.126
13.226.214.86
13.226.214.56
13.226.214.46

so creating an HTTPS exception by IP opens traffic to lulify.com in this case, which is not a malicious site, but imagine that such a website was in a category that is not allowed.

Unfortunately Check Point threw over its promise to upgrade the 1490 appliance to R80.x (unknown reasons).

Thanks again.
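The collateral problem described in the post above, that an IP-based HTTPS exception for one hostname also admits every other hostname served from the same shared CDN address, can be checked before the exception is created. The following Python script is an added example and not code from the original thread or from Check Point; it parses nslookup-style answers and reports which other hostnames would ride along on an exception for the target. The two lookup answers embedded below are constructed to mirror the post's output (they are not live DNS data), and the function names are my own.

```python
import ipaddress

# Constructed nslookup output modelled on the two queries in the post above.
# Not live data: in practice you would capture this from nslookup/dig yourself.
NSLOOKUP_OUTPUT = {
    "community.checkpoint.com": """Non-authoritative answer:
Name: d2m0sklryvkyy2.cloudfront.net
Addresses:
13.226.214.104
13.226.214.61
13.226.214.41
13.226.214.86
Aliases: community.checkpoint.com
fyrhh23835.lithium.com
""",
    "lulify.com": """Non-authoritative answer:
Name: lulify.com
Addresses:
13.226.214.126
13.226.214.86
13.226.214.56
13.226.214.46
""",
}


def parse_nslookup(text):
    """Return the set of IP addresses (v4 or v6) listed in an nslookup answer.

    Every whitespace-separated token is tried as an address, so the parser
    handles "Address: x", "Addresses:" followed by one address per line,
    and bare address lines alike; names, aliases and labels are skipped.
    """
    addrs = set()
    for line in text.splitlines():
        for token in line.split():
            try:
                addrs.add(ipaddress.ip_address(token))
            except ValueError:
                continue  # "Name:", hostnames, "Non-authoritative", etc.
    return addrs


def exception_addresses(target, lookups):
    """The addresses an IP-based exception for `target` would have to contain."""
    return sorted(str(ip) for ip in parse_nslookup(lookups[target]))


def exception_collateral(target, others, lookups):
    """Map each hostname in `others` that shares an address with `target`
    to the shared addresses. A non-empty result means an IP exception for
    `target` also bypasses inspection for those hostnames on those IPs."""
    target_ips = parse_nslookup(lookups[target])
    collateral = {}
    for host in others:
        shared = target_ips & parse_nslookup(lookups[host])
        if shared:
            collateral[host] = sorted(str(ip) for ip in shared)
    return collateral


def is_dedicated(target, others, lookups):
    """True only if no other known hostname shares any of the target's IPs,
    i.e. the IP exception admits exactly the intended site (as far as the
    supplied lookups can tell; shared CDN ranges can never be proven clean)."""
    return not exception_collateral(target, others, lookups)


if __name__ == "__main__":
    target = "community.checkpoint.com"
    others = [h for h in NSLOOKUP_OUTPUT if h != target]
    print("Exception would contain:", exception_addresses(target, NSLOOKUP_OUTPUT))
    for host, ips in exception_collateral(target, others, NSLOOKUP_OUTPUT).items():
        print(f"Collateral: {host} is also admitted via {', '.join(ips)}")
    print("Dedicated addresses:", is_dedicated(target, others, NSLOOKUP_OUTPUT))
```

Run against the constructed data it flags 13.226.214.86 as shared with lulify.com, which is exactly the overlap the post shows. The check is only as good as the list of "other" hostnames you feed it; it cannot prove a CDN address is dedicated, only that a candidate exception overlaps with something you already know about.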
PhoneBoy
Admin

It was originally planned to put R80.20 on the earlier SMB appliances.
However, it turns out the R80.20+ code requires more resources than is available on the 700/1200R/1400 series.
You may be able to execute a trade-in for a 1590 through your local Check Point office/reseller.
MikeB
Advisor

Have you tried this? https://community.checkpoint.com/t5/General-Topics/White-Paper-URL-Filtering-using-SNI-for-HTTPS-web...

It should be available on the 14xx locally managed.

LuisSP
Contributor

I tried it, but unfortunately the solution described in the above URL did not work in my case.

Thanks Miguel.