This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
spinazdoo
Participant
‎2024-10-28 02:54 AM

HTTPS Inspection for Mobile Devices

Hi Checkmates!

We would like to enable HTTPS Inspection to have better security with URLF and App Control policy to tackle users query to inappropriate website and social media sites.

Due to mandatory install certificate on every devices, how about for mobile devices like android, ipad, etc? Is it mandatory to install in every mobile devices to block them access social media sites? 

The objectives is have equal policy and protection for laptop and mobile devices. If facebook or X blocked via URL Filtering, we must blocking it as well in mobile devices application. Thank you!

Labels
9 Replies
oa_munich
Contributor
‎2024-10-28 03:25 AM

Most mobile applications use certificate pinning, and they won't trust your certificate in the first place (facebook, reddit, ...).

If you'd like the devices to trust decrypted and resigned traffic, you'd have to install certificates on your mobile devices too. MDM solutions, such as InTune, AirWatch, etc can help with that. If you "only" would like to deny certain traffic/URLS, the mobile devices won't get to see the certificate you will be resigning with - so no need to install it, though you need to make sure you bypass allowed traffic, which in turn won't get inspected / resigned.

spinazdoo
Participant
‎2024-10-28 05:46 AM
In response to oa_munich

Thank you for your insight @oa_munich!

So, it is almost impossible to block mobile application via firewall, right?

I was thinking about cert pinning before, however, i am looking for any idea from CP firewall how to block such social media application and access social media via browser in mobile devices.

oa_munich
Contributor
‎2024-10-28 06:22 AM
In response to spinazdoo

No, you absolutely can! The mobile device will attempt to open a connection to the target, the firewall would inspect it  and block it. The mobile device won't get to see the inspected packets (which are decrypted and re-encrypted using your certificate), therefore it won't need your certificate.

For the permitted traffic - if you intend to not only bypass what you inspect  - you'd need to distribute your certificate, so mobile devices would trust the traffic you permit.

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-10-28 05:58 PM
In response to spinazdoo

Personally, I dont know if that can work with the fw itself, never tested it, but we have a client that uses harmony mobile for mobile phones in particular and works really well with https inspection, as they used MS intune to distribute the cert that way to the users' phones.

Andy

Best,
Andy
0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-28 06:43 AM

While you will get better (more accurate) results with HTTPS Inspection, you can certainly block certain kinds of traffic without it as the App Control/URLF policy reads the SNI of the relevant traffic.
Make sure you block QUIC in the policy.

oa_munich
Contributor
‎2024-10-28 01:05 PM
In response to PhoneBoy

@PhoneBoy wrote:

Make sure you block QUIC in the policy.

Btw, according to the release notes:

  • Added support of HTTP/3 protocol over QUIC transport (UDP) for Network Security, Threat Prevention, and Sandboxing

Not sure what this means exactly, but QUIC seems to be partially inspected in R82 now.

0 Kudos
PhoneBoy
Admin
Admin
‎2024-10-28 02:54 PM
In response to oa_munich

We have support for QUIC in R82, yes.
However, I presumed the original poster isn't yet running R82.

otto_w
Participant
‎2024-10-28 03:54 PM
In response to PhoneBoy

nice

0 Kudos
the_rock
MVP Platinum
MVP Platinum
‎2024-10-29 03:26 AM
In response to PhoneBoy

Yes, I tested it in the lab, works well.

Andy

Best,
Andy
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events