This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
LuisSP
Collaborator
‎2020-06-04 04:59 PM

SNI on security gateway 1490

Recently we had trouble accessing some https websites hosted by cloudflare, such sites have in its CN's certificates =sni.cloudflaressl.com, besides in SAN the domain name requested. Here is the list:

  • syscom.mx
  • eleconomista.com.mx
  • tabascohoy.com

 

After review SK's and contact with TAC's, well, there is no much to do:  SNI is not supported on SG 1490 locally management.  TAC's solution is create https exceptions to each website, however there are hundreds, thousands websites outthere with this technology implemented on its webserver, not only hosted by cloudflare, but many other hosting services. Website's list formerly mentionated has grown... and I'm sure will continu growing. 

I want to know how have you dealt with this situation? Do you create exception to each website?

 

Thanks for you support comments.

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-06-04 10:49 PM

SNI support was added to the 1500 series codebase running R80.20.x.
You may have to exclude by IP.
As far as I know, there are no plans to add SNI support to the 1400 series.
0 Kudos
LuisSP
Collaborator
‎2020-06-05 06:20 PM
In response to PhoneBoy

Greetings PhoneBoy.

I appretiated your reply,. Regarding to exclude by IP (unique solution by TAC), I face collateral trouble, if I would have to exclude community.checkpoint.com, nslookup get me next IP address:

nslookup community.checkpoint.com
Respuesta no autoritativa:
Nombre: d2m0sklryvkyy2.cloudfront.net
Addresses:
13.226.214.104
13.226.214.61
13.226.214.41
13.226.214.86
Aliases: community.checkpoint.com
fyrhh23835.lithium.com

but 13.226.214.86 is resolved by lulify.com too:

nslookup lulify.com
Respuesta no autoritativa:
Nombre: lulify.com
Addresses:
13.226.214.126
13.226.214.86
13.226.214.56
13.226.214.46

so, creating a https exception by ip open traffic to lulify.com in this case, what it's not malicious site, but imagine that such website was inside a category not allowed.

Unfortunatetly CheckPoint did throw over its promise to upgrade appliance 1490 to r80.x (unknow reasons).

Thanks again.
0 Kudos
PhoneBoy
Admin
Admin
‎2020-06-05 08:57 PM
In response to LuisSP

It was originally planned to put R80.20 on the earlier SMB appliances.
However, it turns out the R80.20+ code requires more resources than is available on the 700/1200R/1400 series.
You may be able to execute a trade-in for a 1590 through your local Check Point office/reseller.
0 Kudos
MikeB
Advisor
‎2020-06-06 02:49 PM

Have you tried this?: https://community.checkpoint.com/t5/General-Topics/White-Paper-URL-Filtering-using-SNI-for-HTTPS-web...

 

Should be available on 14xx locally managed

 

 

0 Kudos
LuisSP
Collaborator
‎2020-06-08 01:36 PM
In response to MikeB

I tried it, but unfrotunatetly solution expressed in above url do not worked on my case.

Thanks Miguel.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events
    li.common.scroll-to.top