svori
Collaborator

Apple and HTTPS Inspection

Hi,

I am about to implement HTTPS Inspection, but there are some issues with Macs and software updates.

Current HTTPS Inspect rules bypass 17.0.0.0/8 and itunes.apple.com but still there are some issues.

Are there any plans for an Updatable Apple object, or has anyone else who has run into this issue found a solution?

Accepted Solution
Sorin_Gogean
Advisor

Hello @svori,

Can you be more explicit on what HTTPS Inspection issues you're facing, more exactly with examples/screenshots?

We've looked into this as we are running a POC to implement Apple cache servers, therefore we had to make sure that Apple traffic via CheckPoints was not inspected (certificate substituted).

FWL policies look like:

Apple_Untitled.png

For the HTTPS Inspection, we're bypassing the "apple.com" CustomApp object and "c.apple.news".

Those objects contain:

apple.com:
*.aplle.com
.apple.com
.icloud.com
*.icloud.com
appleid.cdn-apple.com
.cdn-apple.com
@*.cdn-apple.com

c.apple.news:
c.apple.news
.apple.news
*.apple.news

So with that, we were able to see that the Apple cache machine was able to register the Apple Cloud cache services and download packages.

Ty,

16 Replies
the_rock
Legend

Ah, I remember my struggles on this subject with a customer a couple of years back who is a 95% Apple shop.

What we ended up doing was whitelist the following:

*apple*
*itunes*

and a bunch of Apple IP ranges.

Sadly, I wish there were appropriate updatable objects there. Now in all fairness, all other major fw vendors don't have those updatable objects either when it comes to Apple : - (
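As an added example, not from the thread and not Check Point's own matching code, the script below replays the bypass entries quoted in the accepted solution, and the broad `*apple*` / `*itunes*` style from the reply above, against a handful of TLS SNI hostnames, so a rule change can be reviewed before it goes live: which hosts escape inspection, which are still inspected, and which entries never match anything observed. The pattern conventions (leading dot = domain plus subdomains, `*` = glob, otherwise exact), the sample hostnames, and the omission of the `@*.cdn-apple.com` entry (its prefix is not explained in the thread) are assumptions of this example; Check Point's actual semantics for custom site objects may differ.

```python
"""Added example, not from the thread: review an HTTPS Inspection bypass list by
replaying it against hostnames seen in TLS SNI, so you can see which hosts
escape inspection, which are still inspected, and which entries never match.

Pattern conventions are an assumption for this example (not Check Point's own):
  host.example.com   exact hostname only
  .example.com       example.com and every subdomain
  *.example.com      glob; '*' may span dots, so any depth of subdomain
  *apple*            glob anywhere in the name (the broad style from the thread)
"""
import fnmatch
import ipaddress

# Entries from the two custom objects in the accepted solution, as written there.
# "@*.cdn-apple.com" is left out: the thread does not explain the "@" prefix.
APPLE_BYPASS = [
    "*.aplle.com",
    ".apple.com",
    ".icloud.com",
    "*.icloud.com",
    "appleid.cdn-apple.com",
    ".cdn-apple.com",
    "*.cdn-apple.com",
    "c.apple.news",
    ".apple.news",
    "*.apple.news",
]

# The broad whitelist style another reply in the thread describes.
BROAD_BYPASS = ["*apple*", "*itunes*"]

# Address-based bypass from the original post.
APPLE_NETS = [ipaddress.ip_network("17.0.0.0/8")]

# Constructed sample SNI hostnames for this example (not taken from a real log).
SAMPLE_HOSTS = [
    "swcdn.apple.com",
    "mesu.apple.com",
    "apple.com",
    "updates.cdn-apple.com",
    "appleid.cdn-apple.com",
    "c.apple.news",
    "setup.icloud.com",
    "apple.com.example.net",   # unrelated domain that merely contains "apple.com"
    "pineapple.example.net",   # unrelated domain that merely contains "apple"
    "example.com",
]


def host_matches(pattern, host):
    """True if one bypass entry covers the hostname, under the conventions above."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower()
    if pattern.startswith("."):          # domain plus all subdomains
        suffix = pattern[1:]
        return host == suffix or host.endswith("." + suffix)
    if "*" in pattern:                   # glob
        return fnmatch.fnmatchcase(host, pattern)
    return host == pattern               # exact


def bypassed(host, patterns=APPLE_BYPASS):
    """True if any entry in the list would exempt this host from inspection."""
    return any(host_matches(p, host) for p in patterns)


def ip_bypassed(ip, nets=APPLE_NETS):
    """True if the destination address falls inside an address-based bypass."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def classify(hosts, patterns=APPLE_BYPASS):
    """Split hosts into those the list bypasses and those still inspected."""
    result = {"bypassed": [], "inspected": []}
    for host in hosts:
        result["bypassed" if bypassed(host, patterns) else "inspected"].append(host)
    return result


def unused_patterns(hosts, patterns=APPLE_BYPASS):
    """Entries that matched none of the observed hosts: candidates for review."""
    return [p for p in patterns if not any(host_matches(p, h) for h in hosts)]


if __name__ == "__main__":
    for name, patterns in (("thread list", APPLE_BYPASS), ("broad list", BROAD_BYPASS)):
        verdict = classify(SAMPLE_HOSTS, patterns)
        print(f"{name}: bypassed={verdict['bypassed']}")
        print(f"{name}: inspected={verdict['inspected']}")
        print(f"{name}: never matched={unused_patterns(SAMPLE_HOSTS, patterns)}")
    print("17.253.1.1 bypassed by address:", ip_bypassed("17.253.1.1"))
```

Two things the replay makes visible that the lists alone do not: the broad `*apple*` entry also exempts `apple.com.example.net` and `pineapple.example.net`, so any name containing that substring leaves inspection, whereas the leading-dot entries only cover the named domain and its subdomains; and `unused_patterns` reports the `*.aplle.com` entry as matching nothing in the sample, since the hosts under `apple.com` are covered by `.apple.com`. Feed the functions your own exported SNI values instead of `SAMPLE_HOSTS` to review a real policy.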

svori
Collaborator

Thanks, will try that, and I hope that someone from Check Point can update us on plans for an Updatable object 🙂

PhoneBoy
Admin

For us to have an Updatable Object, the vendor has to provide the IP ranges in a machine consumable format.
Without that, it’s impossible for us to accurately determine what IP ranges vendors use for what.

G_W_Albrecht
Legend

Did you try to use the HTTPS services recommended bypass Updateable object and Apple Smart Accel Updateable object for exception?

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
svori
Collaborator

Yes, both updatable objects are used in the HTTPS Inspect bypass.

Could not find any Apple-related category in the Updatable Objects list?

the_rock
Legend

I don't think you would find it, as it simply does not exist : - (. Anyway, I gotta get ready to drive to the test center to give my CCTE exam, but when I come back, I will fire up my HTTPS Inspection lab in R81.20 and verify all this.

Cheers mate.

Andy

svori
Collaborator

Thanks, it was a response to GW Albrecht 🙂

Good luck on your exam!

the_rock
Legend

Tx mate! Yea, I know it was a response to our good man Guenther :). Anyway, will check when I'm back, hopefully around 11 am EST.

Andy

G_W_Albrecht
Legend

It does exist at least since R81.20 / R81.10.00. Please do not state that something simply does not exist if the only reason for the statement is your ignorance! No harm in telling: I never heard of it, I never saw that, I do not believe it exists. But not: Does not exist...

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

That's right, I see the exact same thing you posted, which does literally nothing lol. I was on a call once with a TAC escalations guy and the customer, and that was pretty much the only thing he could find as well. So, factually, okay, I will give it to you, it DOES exist, but it's useless 😂

Andy


Screenshot_1.png

G_W_Albrecht
Legend

Apple.jpg

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
svori
Collaborator

Thank you for sharing this solution 🙂

the_rock
Legend

Thanks for sharing @Sorin_Gogean , always great advice! 💪👍

Andy

HendrikS
Explorer

Hello there,

Can you show us what is included in your apple software updates object?

We have a similar issue that iPads can no longer receive updates when inspection is on. However, we would like to limit what exactly we open.

the_rock
Legend

Me, personally, I just do *apple* and call it a day lol

Andy
