Re: HTTPS inspection bypass R80.10

Dmitry_Barantse · ‎2018-09-12

Hi team.

I'm trying to add https inspection bypass rules with custom site category with full URL or regex in this category.

But it doesn't work and Check Point inspects this traffic.

Any ideas how to make it work?

Danny · ‎2018-09-12

A bit more information would be helpful (Version you are using, the url you want to bypass, your regex etc.).

Usually, when URL and regex definitions don't work to bypass HTTPS websites, you'll be required to bypass the IP address of the website.

Follow these steps:

Create network objects to represent ranges on IP addresses used by your clients.
Configure the above network objects in the HTTPS Inspection Bypass rule.
Install the policy.

Related SKs: sk108762, sk122158, sk114160, sk114419, sk113935,sk132913

Dmitry_Barantse · ‎2018-09-13

Hi Danny.

Thank's but I know about bypass by destination IP.

This method is too time-consuming because web sites has multiple IP addresses. So I need to bypass inspection with wildcard in URL, for example *.site.com

Danny · ‎2018-09-13

Which website would you like to bypass?

Dmitry_Barantse · ‎2018-09-13

For example vtb.ru with all subdomains

Danny · ‎2018-09-13

vtb.ru owns just a single /24 network: 193.164.146.0/24

So if you create a network object to reflect vtb.ru's network and bypass it within your HTTPS Inspection policy you should be all good.

Dmitry_Barantse · ‎2018-09-13

Thank you

Danny · ‎2018-09-13

The 'Thank you' badge can be found right below the Actions link.

ED · ‎2019-03-27

Hi @Danny

How did you find out that vtb.ru owns that single /24 network?

Darran_Lebas · ‎2019-01-21

I have the same problem where the sites are inspected even though I have a custom bypass application with a list of URLs using regex. The URLs still get inspected and break my connection.

My requirement is to bypass the following.

*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.ods.opinsights.azure.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-neu.microsoft.com
crl.microsoft.com
ctldl.windowsupdate.com
events.data.microsoft.com
uk.vortex-win.data.microsoft.com
uk-v20.events.data.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com

What are my options as currently, I can't give my organisation a working solution?

Darran_Lebas · ‎2019-03-26

Does anyone have any ideas on how to resolve the above issues?

Alessandro_Marr · ‎2019-03-27

Enable module probe bypass (sk104717)

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1 In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

Darran_Lebas · ‎2019-03-27

Hi Alessandro,

Was this in response to my issue? If it was, I've been there and felt the pain of enabling probe bypass.

I'm still waiting for CP to supply me with the SNI fix to supplement enabling probe bypass but this hasn't happened as yet.

Alessandro_Marr · ‎2019-03-27

yes, was....

what is your take on r80.10 ?

Darran_Lebas · ‎2019-03-27

It's ever-changing. Currently 169.

No, the list above is from Microsoft. I'd created an application using the proper Regex format.

Alessandro_Marr · ‎2019-03-27

I have two clusters with r80.10 take 142, probe bypass on and my regex like this (^|.*\.)*microsoft\.com

working fine...

Alessandro_Marr · ‎2019-03-27

Hi Darran, your regex are like you wrote above?

Alessandro_Marr · ‎2019-03-27

enable module of probe bypass

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

Are you a member of CheckMates?

HTTPS inspection bypass R80.10