This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
ABOUT CHECKMATES & FAQ
Create a Post
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Help

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Wyatt_Felger
Explorer
‎2019-11-08 08:51 AM

HTTPS Inspection Bypass GooglePlay

We have scanguns that are having trouble getting to the GooglePlay store. It appears based on errors that GooglePlay does not use the Android Certificate store to use our https inspection certificate.

I have opened up the clients to bypass the following URL's but am still having issues:

*.google.com

google.com

*.googleapis.com

googleapis.com

 

I don't see other google entries in the inspection and according to the logs the clients are getting bypassed, but it hasn't been until I bypass all https inspection for the specific client that it is fully able to connect to the GooglePlay store, register, and download files.

 

 

0 Kudos
4 Replies
PhoneBoy
Admin
Admin
‎2019-11-08 09:24 AM

What version of code?
If you’re not in R80.30 or R80.20 JHF 117+, I strongly encourage upgrading.
The added support for SNI should help with this.
0 Kudos
Wyatt_Felger
Explorer
‎2019-11-08 09:37 AM
In response to PhoneBoy

R77.30 🤐 - We are working to move to R80, but not there yet.

 

0 Kudos
PhoneBoy
Admin
Admin
‎2019-11-09 02:44 AM
In response to Wyatt_Felger

You should check the non-Google HTTPS entries as they may provide a clue at other things you may need to set bypass rules for.
0 Kudos
FedericoMeiners
Advisor
‎2019-11-09 04:20 AM

Most google apps have SSL Pinning. In other words they will not work if a non google certificate is presented. The following solution applies to R77.30 and R80.10. R80.20 an .30 have new SSL inspection engines and don't use these flags anymore.

When you perform SSL Inspection, even if you set it to bypass the engine stills checks the Client Hello of the SSL Handshake, this is enough to break some applications.

Together with your exceptions I suggest you to set up Enhaced SSL Bypass (Probe bypass detailed on sk104717 ) default is off and you can set it on the fly:

on: fw ctl set int enhanced_ssl_inspection 1
off: fw ctl set int enhanced_ssl_inspection 0

For more information reffer to the provided SK, keep in mind that you may have some compatibility issues with sites using SNI.

If you still have issues I would suggest you to not inspect at all the mobile devices LAN. Don't use a bypass action, just be sure to not include the prefix on your SSL Policy.

You can find more information in my other post about SSL Inspection: https://community.checkpoint.com/t5/General-Topics/Outbound-SSL-Inspection-A-war-story/m-p/58647

Let us know how it goes 

___

____________
https://www.linkedin.com/in/federicomeiners/
0 Kudos