Hi,
Did someone manage to configure SSL Inspection bypass for Signal app on R80.30 based on custom application?
I have ssl enhanced inspection enabled, 1 rule with custom application (textsecure-service.whispersystems.org) with action bypass, and second rule to inspect everything. Signal traffic always hits second rule.
In logs I can find:
First SSL Inspection log: textsecure-service.whispersystems.org Detected
Second SSL Inspection log: Matched Category: Uncategorized, HTTPS Inspected
So it looks like the application (URL) is detected properly, but the NGFW still wants to inspect it.
Best Regards,
Maciej
According to this Signal support article, you will need to bypass wildcard URLs, HTTPS and UDP.
Allowing all UDP Traffic will make your firewall vulnerable to the UDP hole punching attack.
This works fine with other URLs on our FWs.
Is your https inspection enabled? I think so.
More read here
R80.x - Performance Tuning Tip - SNI vs. https inspection
or here:
HTTPS Inspection and website categorization improvements introduced in R80.30
If that doesn't help, please post some pictures of the HTTPS settings.
Hi,
As requested, adding config and log screenshots.
Best Regards,
Maciej
Hi,
There is certificate pinning. But I don't want to inspect. Bypass should work as I see certificate cn.
Yes, bypass works for IP addresses.
According to sk104717, in R80.30 probe bypass was introduced (enabled by default).
Bypass mechanism was improved to better reflect policy and resolve the above limitations:
Limitation.
HTTPS Inspection will not work for sites that require SNI (Server Name Indication) extension in the SSL "Client hello" packet. (Server Name Indication is an extension to the Transport Layer Security (TLS) computer networking protocol by which a client indicates which hostname it is attempting to connect to at the start of the handshaking process.)
There is SNI inside the Client Hello, but I do not want to inspect. I want to bypass, so this limitation is irrelevant.
Best Regards
Maciej
Hi there,
I have a few ideas. First of all, an inspection rule "any any" is not recommended. Please try to define source and destination.
For some reason this URL is not categorized as the custom app but is matched as uncategorized. In the custom app (Signal) settings, tick the box "URLs are defined as regular expressions" and modify the URL to .*textsecure-service.whispersystems.org.*.
I see that server is using self-signed certificate. Try importing it to trusted CA list. I see you have drop traffic from untrusted servers unchecked, but it is quick try so worth checking.
* Server certificate:
* subject: C=US; ST=California; O=Open Whisper Systems; OU=Open Whisper Systems; CN=textsecure-service.whispersystems.org
* start date: Feb 15 17:38:17 2019 GMT
* expire date: Mar 12 18:20:20 2029 GMT
* issuer: C=US; ST=California; L=San Francisco; O=Open Whisper Systems; OU=Open Whisper Systems; CN=TextSecure
* SSL certificate verify result: self signed certificate in certificate chain (19), continuing anyway.
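To illustrate the point above about literal versus regular-expression URL matching for a bypass rule, here is an added example that is not from the thread or from Check Point: it parses the SNI host_name out of a constructed TLS ClientHello and runs it through a hypothetical two-rule HTTPS Inspection rulebase (first match wins), once with a literal host entry and once with the `.*...*` regex suggested above. The hostnames, rule format and `decide` helper are assumptions for the demonstration.

```python
import re
import struct

def build_client_hello(server_name):
    """Constructed minimal TLS ClientHello record carrying only a server_name (SNI) extension."""
    host = server_name.encode()
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list        # extension type 0 = server_name
    exts = struct.pack("!H", len(ext)) + ext
    body = (b"\x03\x03" + b"\x11" * 32       # client_version, 32-byte random (constructed)
            + b"\x00"                        # session_id length 0
            + b"\x00\x02\x13\x01"            # one cipher suite
            + b"\x01\x00"                    # compression: null only
            + exts)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body                # handshake type 1 = client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs          # record type 22 = handshake

def extract_sni(record):
    """Walk the ClientHello and return the host_name from the server_name extension, or None."""
    if record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 9 + 2 + 32                                   # record hdr(5) + hs hdr(4) + version + random
    p += 1 + record[p]                               # session_id
    cs_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2 + cs_len                                  # cipher suites
    p += 1 + record[p]                               # compression methods
    ext_len = struct.unpack("!H", record[p:p + 2])[0]
    p += 2
    end = p + ext_len
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                               # server_name: list_len(2), type(1), name_len(2), name
            name_len = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + name_len].decode()
        p += elen
    return None

# Hypothetical ordered rulebases mirroring the thread: bypass the Signal host, inspect everything else.
RULES_LITERAL = [("literal", "textsecure-service.whispersystems.org", "bypass"), ("regex", ".*", "inspect")]
RULES_REGEX = [("regex", r".*textsecure-service\.whispersystems\.org.*", "bypass"), ("regex", ".*", "inspect")]

def decide(sni, rules):
    """First matching rule wins; a rule is (kind, pattern, action) with kind 'literal' or 'regex'."""
    for kind, pattern, action in rules:
        hit = (sni == pattern) if kind == "literal" else re.fullmatch(pattern, sni) is not None
        if hit:
            return action
    return "inspect"                                 # no match: fall back to inspection

def classify(record, rules):
    """Convenience wrapper: SNI extraction plus rulebase lookup on a raw ClientHello record."""
    sni = extract_sni(record)
    return decide(sni, rules) if sni else "inspect"
```

A constructed subdomain such as `host.textsecure-service.whispersystems.org` is bypassed only by the regex rulebase, which is the behaviour the wildcard advice above is aiming for.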
Any news or solutions to that?