This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Maik
Advisor
‎2021-01-14 06:53 AM

Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Hello guys,

I was wondering whether it is possible to have custom applications or url filtering objects in order to achieve reachability of the apple & microsoft software update servers?

The official applications "Apple Software Update" and "Windows Update" seem to only work with an existing HTTPS Inspection setup. As url filtering and application control (some applications) can be done with pattern  matching against the SNI / CN of the certificate I was wondering whether this can be done for the mentioned update servers. Unfortunately I am not aware of the setup of apples or microsofts update servers and whether SNI / CN comparison can be used in such a case.

Maybe someone already ran into the same issue or heard of a possible solution.

Thanks and best regards,

Maik

 

[Edit: As always I forgot some details... the question is related to R80.20 Take 118 - VSX + MDM setup]

0 Kudos
13 Replies
PhoneBoy
Admin
Admin
‎2021-01-14 09:04 PM

For the SNI verification stuff to work properly, you may need to enable HTTPS Inspection with an any any bypass rule.
Not sure if they fixed that in that R80.20 JHF or a future one.
They did in R80.40.

Maik
Advisor
‎2021-01-15 04:02 AM
In response to PhoneBoy

Seems like it is supported since R80.20 Jumbo HotFix - Ongoing Take 117 (13 October 2019), at least related to the Jumbo Patch notes. Is there some kind of list which application control "objects" can be used with this feature but HTTPS inspection disabled (or set to bypass all)?

0 Kudos
Maik
Advisor
‎2021-01-18 01:46 AM
In response to Maik

**ping**

Would also appreciate feedback in any way, like for example that this approach does not make much sense and why (in regards to the mentioned objects/update servers).

0 Kudos
Mraybone
Explorer
‎2022-03-09 04:01 AM
In response to Maik

Yes, some guidance on how this is possible, or even if it is at all, would be nice.  My goal is to allow all servers access to a list of supplied windows update URLs (not IP ranges, as that information is not available).

0 Kudos
Chris_Atkinson
Employee Employee
Employee
‎2022-03-09 06:51 AM
In response to Mraybone

The most recent enhancement I'm aware of in this regard is outlined in sk163595.

CCSM R77/R80/ELITE
0 Kudos
Mraybone
Explorer
‎2022-03-09 07:18 AM
In response to Chris_Atkinson

Thanks for the reply, unfortunately I only have the firewall blade available to me.

0 Kudos
PhoneBoy
Admin
Admin
‎2022-03-09 02:01 PM
In response to Mraybone

With only Firewall blade available, there isn't much you can do.
Your only option is by IP address as even looking at URLs or SNI requires App Control. 

0 Kudos
Mraybone
Explorer
‎2022-03-10 12:28 AM
In response to PhoneBoy

I was afraid of that, thanks for the info.

0 Kudos
Mraybone
Explorer
‎2022-03-11 01:19 AM
In response to PhoneBoy

We have got the application control blade installed now, but the rule for Windows Update doesn't seem to be doing much.  Any tips?

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-03-11 06:45 AM
In response to Mraybone

See sk163595Check Point Solution for R80.40 and above We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.

In previous versions, users can only use the “Bypass HTTPS inspection of all traffic to all known software update services” checkbox.

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mraybone
Explorer
‎2022-03-11 07:06 AM
In response to G_W_Albrecht

Ok thanks, this is interesting - we have R80.40, but I can't find the "HTTPS services - bypass" object...

I have actually narrowed this down to the fact that it is only HTTPS that isn't working, so I'm almost there! 🙂

0 Kudos
G_W_Albrecht
Legend Legend
Legend
‎2022-03-11 08:17 AM
In response to Mraybone

Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then you can choose the relevant"HTTPS services - bypass" - see sk131852 !

CCSP - CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mraybone
Explorer
‎2022-03-11 08:06 AM
In response to G_W_Albrecht

I found the object, I can even see things in the logs being successfully bypassed but windows updates still won't work

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events