Moudar
Advisor

Still drop

Hi,

I have created a rule to allow all iPads to reach the .apple.com domain. The problem is that not all iPads are reaching that domain; some are still dropped. This is my rule:

[screenshot: ipad to apple.JPG]

Source: iPad network

Destination: .apple.com domain

Services & Applications: Any

Action: Accept

Track: Log

The iPad network is 10.10.32.0/19. After adding that rule, some iPads are accepted when reaching .apple.com:

[screenshot: accept to 17.JPG]

And some are still dropped:

[screenshot: drop to 17..JPG]

So why are some still being dropped? They are hitting the Cleanup rule 59.12, whereas 59.3 is supposed to accept all connections to Apple?!

59 is an Inline layer with the iPad network as its source.

What am I missing here?!

1 Solution

Accepted Solutions
the_rock
Legend

Just allow the 17.0.0.0/8 subnet; that will fix it, as that's what Apple uses.

https://news.ycombinator.com/item?id=3341349

Otherwise, make sure the URLF and APPC blades are enabled and follow what Guenther suggested; the screenshots are there and it's pretty straightforward. You need to use the built-in applications in SmartConsole: just type "apple" when adding it to the rule and a bunch of things will pop up.

Andy


12 Replies
G_W_Albrecht
Legend

https://community.checkpoint.com/t5/Security-Gateways/Apple-and-HTTPS-Inspection/m-p/176039

 

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

What @G_W_Albrecht posted is your best process to follow. Now, IF you don't use the URLF blade, then domain objects are fine, but make sure it says .*.apple.com and the FQDN option is unchecked; otherwise it may not match all the needed sub-domains.

Andy

Moudar
Advisor

When trying to make it *.apple.com I get this:

[screenshot: apple.JPG]

Now my domain object looks like this:

[screenshot: apple1.JPG]

Moudar
Advisor

What if the URL and Application blades are active; is there any better way to do that?

the_rock
Legend

Yes, if those are enabled, please follow what @G_W_Albrecht suggested.

Andy

the_rock
Legend

Maybe you missed the . in my post :-)

I mentioned .*.apple.com, but you can also do .*apple.com

Every domain object MUST start with a "."

Hope that helps

Andy

Please refer to the link below:

https://support.checkpoint.com/results/sk/sk120633

Moudar
Advisor

Now it looks like this:

[screenshot: apple.JPG]

But I still have drops!

[screenshot: apple1.JPG]

I don't really understand what @G_W_Albrecht's suggestion is?!

How should I use the App and URL blades to achieve the same?

Moudar
Advisor

It works fine now with 17.0.0.0/8.

URL and Application: do you mean enable all of these?

[screenshot: apple.JPG]
G_W_Albrecht
Legend

It could well be that only using 17.0.0.0/8 works for you; I would try that before doing any other configuration!

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
the_rock
Legend

Not really; if that range works, then it's good. I would leave it as is then.

Andy
