Apple services not working with HTTPS inspection
Hi, first post so I will do my best 🙂
The environment is R80.40 Take196
The issue:
We are trying to perform HTTPS Inspection for our trusted client networks for a customer. The problem arises when Apple per their post here https://support.apple.com/en-us/HT210060 state "Attempts to perform content inspection on encrypted communications between Apple devices and services will result in a dropped connection to preserve platform security and user privacy."
So, we created exceptions for this in the policy. I followed the guidelines listed in these:
https://support.checkpoint.com/results/sk/sk108191
https://support.checkpoint.com/results/sk/sk112994
The first two links did not help, as the redirects via AKAMAI Tech did not get caught by the bypass exceptions no matter how many *apple.com domains or certificates were added.
The last link, where in step 3 it states to:
"Create a Network object that specifies the relevant AKAMAI network (based on the example above - 88.221.0.0/16)"
does in fact make the exception for inspection work, but neither my client nor I find this a valid solution, as Apple is not the only tenant of AKAMAI Tech.
The question I present to the community is: How can I perform content inspection on ONLY Apple-related traffic WITHOUT compromising my internal client networks?
I can provide additional information if needed, and thanks for reading my first post 🙂
-A
Interesting. The symptoms might be similar, but I checked the SKs and my gateways and they don't show the same errors.
-A
Another concern I'm having is the double wildcard approach here. I'm still confused why it's now working even if it is redirected via the CDN AKAMAI Tech, but what about all the Apple domains that are not related to Apple the company, such as https://usapple.org/?
The original idea was to try and only find exceptions for traffic towards Apple Inc., but with this approach I will be bypassing any domain with the word "apple". Not that I think there could be a lot of malicious apple-named domains out there, I'm just curious what your thoughts are on this?
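As an added example (not from the thread and not Check Point's own matcher), here is a small Python check that shows which server names a candidate bypass pattern would exempt from inspection, and which of those fall outside the domains you intended. It assumes shell-style `*` wildcards and uses a constructed hostname list:

```python
import re

# Constructed sample of server names (SNI / certificate CN) as an HTTPS
# inspection policy might see them. Hypothetical, not from any real capture.
SAMPLE_HOSTNAMES = [
    "gsp-ssl.ls.apple.com",
    "xp.apple.com",
    "e673.dsce9.akamaiedge.net",    # CDN edge name a redirect may land on
    "usapple.org",
    "pineapple-recipes.example",
    "bigapple.example",
    "login.example.com",
]


def wildcard_to_regex(pattern: str) -> re.Pattern:
    """Translate a glob-style bypass pattern (* = any run of characters)
    into an anchored, case-insensitive regex. Glob semantics are an
    assumption for this example, not a statement about the product."""
    escaped = re.escape(pattern).replace(r"\*", ".*")
    return re.compile("^" + escaped + "$", re.IGNORECASE)


def matches(pattern: str, hostnames: list) -> list:
    """Return the hostnames the pattern would exempt from inspection."""
    rx = wildcard_to_regex(pattern)
    return [h for h in hostnames if rx.match(h)]


def bypass_review(patterns: list, hostnames: list, intended_zones: list) -> dict:
    """For each candidate pattern, list what it bypasses and which of those
    hosts are NOT under an intended zone (collateral bypass)."""
    report = {}
    for p in patterns:
        hit = matches(p, hostnames)
        collateral = [h for h in hit
                      if not any(h == z or h.endswith("." + z) for z in intended_zones)]
        report[p] = {"bypassed": hit, "collateral": collateral}
    return report


if __name__ == "__main__":
    for pat, res in bypass_review(["*apple*", "*.apple.com"],
                                  SAMPLE_HOSTNAMES, ["apple.com"]).items():
        print(f"{pat:14} bypasses {res['bypassed']}")
        print(f"{'':14} collateral {res['collateral']}")
```

Note that neither pattern matches the akamaiedge.net name, which is the CDN redirect case the original post describes.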
I will tell you this and you can think, examine, take, twist it (whatever verb lol) for what it's worth. So, I can't even count any longer how many times I was on the phone with customers who use HTTPS inspection and URLF/APPC blades, and we are talking to TAC, and no matter what we tried to do from that recommended SK (can't recall the SK now, but it pops up when you add *domainname* as I suggested), absolutely nothing worked. After we try my suggestion, it works 100% of the time. Now, is it a perfect solution? Of course NOT... but would you rather spend hours and days on end trying to make it work the "recommended" way, or do it the way that works and call it a day?
Andy
Fair point, I appreciate the input and the honesty. After weeks' worth of troubleshooting this thing and finally having an (almost) working solution, I'm starting to agree with your sentiment 🙂
-A
I am always 100% honest with people... no point BS-ing and pretending. The truth has to be told, as it will always come out. Hey, here is the best example... everyone knows who the late Steve Jobs was. Did he lie and try to portray Apple as the greatest company in the world back in the day? Of course he did not, because he knew the truth... so what did he do? He invented the phone that revolutionized the world and propelled Apple to become the first trillion-dollar company in the world. I think I rest my case : - )
@Austin_Ponten If you need help with this, I'm always happy to do a remote session, mate.
Cheers,
Andy
Forgot to add, sorry to "bombard" you with updates, but you may also want to add *jamf*, though that's Apple MDM, so it might not be needed, but just in case.
Andy
Jamf is a whole separate company which makes mobile device management software. A lot of companies use their software to manage Apple devices, but there is no business connection between Apple and Jamf.
I agree, it is a separate company, but when I talked to them before about the HTTPS inspection bypass issue, they did mention that customers had to add their sites to the list as well... just saying. Maybe not needed often, but it does happen.
Andy