Hello guys,
I was wondering whether it is possible to have custom applications or URL filtering objects in order to achieve reachability of the Apple & Microsoft software update servers?
The official applications "Apple Software Update" and "Windows Update" seem to only work with an existing HTTPS Inspection setup. As URL filtering and application control (some applications) can be done with pattern matching against the SNI / CN of the certificate, I was wondering whether this can be done for the mentioned update servers. Unfortunately I am not aware of the setup of Apple's or Microsoft's update servers and whether SNI / CN comparison can be used in such a case.
Maybe someone already ran into the same issue or heard of a possible solution.
Thanks and best regards,
Maik
[Edit: As always I forgot some details... the question is related to R80.20 Take 118 - VSX + MDM setup]
For the SNI verification stuff to work properly, you may need to enable HTTPS Inspection with an any any bypass rule.
Not sure if they fixed that in that R80.20 JHF or a future one.
They did in R80.40.
Seems like it is supported since R80.20 Jumbo HotFix - Ongoing Take 117 (13 October 2019), at least related to the Jumbo Patch notes. Is there some kind of list which application control "objects" can be used with this feature but HTTPS inspection disabled (or set to bypass all)?
**ping**
Would also appreciate feedback in any way, like for example that this approach does not make much sense and why (in regards to the mentioned objects/update servers).
Yes, some guidance on how this is possible, or even if it is at all, would be nice. My goal is to allow all servers access to a list of supplied Windows Update URLs (not IP ranges, as that information is not available).
The most recent enhancement I'm aware of in this regard is outlined in sk163595.
Thanks for the reply, unfortunately I only have the firewall blade available to me.
With only Firewall blade available, there isn't much you can do.
Your only option is by IP address as even looking at URLs or SNI requires App Control.
I was afraid of that, thanks for the info.
We have got the application control blade installed now, but the rule for Windows Update doesn't seem to be doing much. Any tips?
See sk163595:
Check Point Solution for R80.40 and above
We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.
In previous versions, users can only use the “Bypass HTTPS inspection of all traffic to all known software update services” checkbox.
Ok thanks, this is interesting - we have R80.40, but I can't find the "HTTPS services - bypass" object...
I have actually narrowed this down to the fact that it is only HTTPS that isn't working, so I'm almost there! 🙂
Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then you can choose the relevant "HTTPS services - bypass" - see sk131852!
I found the object, I can even see things in the logs being successfully bypassed, but Windows updates still won't work.