This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
svori
Collaborator
Collaborator
‎2023-03-24 03:12 AM
Jump to solution

Apple and HTTPS Inspection

Hi,

I am about to implement HTTPS Inspection but there are some issues with Mac's and software updates.

Current HTTPS Inspect rules bypass 17.0.0.0/8 and itunes.apple.com but still there are some issues.

Are there any plans for an Updatable Apple object or anyone else that has run into this issue that has found a solution ?

1 Solution

Accepted Solutions
Sorin_Gogean
Advisor
‎2023-03-24 06:04 AM
Jump to solution

Hello @svori ,

 

Can you be more explicit on what are the HTTPS Inspection issues you're facing - more exactly with examples/screenshots ?

 

We've looked into this as we are running an POC to implement apple cache servers, therefore we had to make sure that Apple traffic via CheckPoints were not inspected (certificate substituted).

FWL policies looks like:

Apple_Untitled.png

 

For the HTTPS Inspection, we're bypassing "apple.com" CustomApp object and "c.apple.news" .

Those objects contains:

apple.com c.apple.news

*.aplle.com
.apple.com
.icloud.com
*.icloud.com
appleid.cdn-apple.com
.cdn-apple.com
@*.cdn-apple.com

c.apple.news
.apple.news
*.apple.news


So with that, we were able to see that the Apple cache machine, was able to register the Apple Cloud cache services, and download packages.

 

Ty,

View solution in original post

16 Replies
the_rock
Legend
Legend
‎2023-03-24 03:23 AM
Jump to solution

Ah, I remember my struggles on this subject with a customer couple of years back who is 95% Apple shop.

What we ended up doing was whitelist followimg:

*apple*
*itunes*

and bunch of Apple IP ranges

Sadly, I wish there were appropriate updatable objects there. Now in all fairness, all other major fw vendors dont have those updatable objects either when it comes to Apple : - (

svori
Collaborator
Collaborator
‎2023-03-24 03:34 AM
In response to the_rock
Jump to solution

Thanks, will try that and i hope that someone from Check Point can update us on plans for an Updatable object 🙂

PhoneBoy
Admin
Admin
‎2023-03-24 01:22 PM
In response to svori
Jump to solution

For us to have an Updatable Object, the vendor has to provide the IP ranges in a machine consumable format.
Without that, it’s impossible for us to accurately determine what IP ranges vendors use for what.

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-03-24 03:53 AM
Jump to solution

Did you try to use the HTTPS services recommended bypass Updateable object and Apple Smart Accel Updateable object for exception?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
svori
Collaborator
Collaborator
‎2023-03-24 03:57 AM
In response to G_W_Albrecht
Jump to solution

Yes Https inspect bypass both updatable objects is used to bypass.

Could not find any Apple related category in Updatable objects list ?

0 Kudos
the_rock
Legend
Legend
‎2023-03-24 04:23 AM
In response to svori
Jump to solution

I dont think you would find it, as it simply does not exist : - (. Anyway, I gotta get ready to drive to test center to give my CCTE exam, but when I come back, will fire up my https inspection lab in R81.20 and verify all this.

Cheers mate.

Andy

0 Kudos
svori
Collaborator
Collaborator
‎2023-03-24 04:29 AM
In response to the_rock
Jump to solution

Thanks, it was a response to GW Albrecht 🙂

Good luck on your exam!

the_rock
Legend
Legend
‎2023-03-24 04:40 AM
In response to svori
Jump to solution

Tx mate! Yea, I know it was response to our good man Guenther :). Anyway, will check when Im back, hopefully around 11 am EST.

Andy

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-03-24 06:05 AM
In response to the_rock
Jump to solution

It does exist at least since R81.20 / R81.10.00. Please do not state that something simply does not exist if the only reason for the statement is your ignorance ! No harm in telling: I never heard of, i never saw that, i do not believe it exists. But not: Does not exist...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
the_rock
Legend
Legend
‎2023-03-24 07:59 AM
In response to G_W_Albrecht
Jump to solution

Thats right, I see exact same thing you posted, which does literally nothing lol. I was on the call once with TAC escalations guy and customer and that was pretty much only thing he could find as well. So, factually, okay, I will give it to you, it DOES exist, but its useless 😂

Andy

 

Screenshot_1.png

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2023-03-24 06:01 AM
In response to svori
Jump to solution

Apple.jpg

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Sorin_Gogean
Advisor
‎2023-03-24 06:04 AM
Jump to solution

Hello @svori ,

 

Can you be more explicit on what are the HTTPS Inspection issues you're facing - more exactly with examples/screenshots ?

 

We've looked into this as we are running an POC to implement apple cache servers, therefore we had to make sure that Apple traffic via CheckPoints were not inspected (certificate substituted).

FWL policies looks like:

Apple_Untitled.png

 

For the HTTPS Inspection, we're bypassing "apple.com" CustomApp object and "c.apple.news" .

Those objects contains:

apple.com c.apple.news

*.aplle.com
.apple.com
.icloud.com
*.icloud.com
appleid.cdn-apple.com
.cdn-apple.com
@*.cdn-apple.com

c.apple.news
.apple.news
*.apple.news


So with that, we were able to see that the Apple cache machine, was able to register the Apple Cloud cache services, and download packages.

 

Ty,

svori
Collaborator
Collaborator
‎2023-03-26 11:36 PM
In response to Sorin_Gogean
Jump to solution

Thank you for sharing this solution 🙂

0 Kudos
the_rock
Legend
Legend
‎2023-03-27 04:51 AM
In response to Sorin_Gogean
Jump to solution

Thanks for sharing @Sorin_Gogean , always great advice! 💪👍

Andy 

0 Kudos
HendrikS
Explorer
‎2024-08-05 03:44 AM
In response to Sorin_Gogean
Jump to solution

Hello there,

Can you show us what is included in your apple software updates object?

We have a simular issue that ipads can no longer recieve updates when inspection is on. however we would like to limit what we exactly open.

0 Kudos
the_rock
Legend
Legend
‎2024-08-05 07:11 AM
In response to HendrikS
Jump to solution

Me, personally, I just do *apple* and call it a day lol

Andy

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events