Maik
Advisor

Windows & Apple Software Updates without HTTPS Inspection (via SNI/CN comparison)

Hello guys,

I was wondering whether it is possible to have custom applications or URL filtering objects in order to achieve reachability of the Apple & Microsoft software update servers?

The official applications "Apple Software Update" and "Windows Update" seem to only work with an existing HTTPS Inspection setup. As URL filtering and application control (some applications) can be done with pattern matching against the SNI / CN of the certificate, I was wondering whether this can be done for the mentioned update servers. Unfortunately I am not aware of the setup of Apple's or Microsoft's update servers and whether SNI / CN comparison can be used in such a case.

Maybe someone already ran into the same issue or heard of a possible solution.

Thanks and best regards,

Maik


[Edit: As always I forgot some details... the question is related to R80.20 Take 118 - VSX + MDM setup]

0 Kudos
13 Replies
PhoneBoy
Admin

For the SNI verification stuff to work properly, you may need to enable HTTPS Inspection with an any any bypass rule.
Not sure if they fixed that in that R80.20 JHF or a future one.
They did in R80.40.

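The question above turns on matching the SNI carried in the TLS ClientHello (visible without decrypting anything) against a list of permitted update hosts. As an added illustration that is not Check Point code and not from any poster, the Python below parses the SNI out of a constructed ClientHello and evaluates it against a bypass list; the hostnames and patterns are placeholders, not the real Apple or Microsoft update domains.

```python
"""Added example: SNI extraction and bypass matching on a constructed ClientHello."""
import struct
from fnmatch import fnmatchcase
from typing import Optional

# Placeholder bypass patterns (constructed for this example; not a vendor list).
UPDATE_BYPASS_PATTERNS = ["*.update.example-os.test", "swcdn.example-os.test"]


def build_client_hello(host: str) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello whose only extension is SNI."""
    name = host.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name   # type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    body = (b"\x03\x03" + b"\x00" * 32         # client_version, 32-byte random
            + b"\x00"                          # empty session_id
            + b"\x00\x02\x13\x01"              # one cipher suite
            + b"\x01\x00"                      # null compression only
            + struct.pack("!H", len(ext)) + ext)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello record and return the SNI host_name, or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None                            # not a handshake / ClientHello
    pos = 9 + 2 + 32                           # record+handshake hdrs, version, random
    pos += 1 + record[pos]                     # session_id
    pos += 2 + struct.unpack_from("!H", record, pos)[0]   # cipher_suites
    pos += 1 + record[pos]                     # compression_methods
    if pos + 2 > len(record):
        return None                            # ClientHello without extensions
    end = pos + 2 + struct.unpack_from("!H", record, pos)[0]
    pos += 2
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack_from("!HH", record, pos)
        pos += 4
        if ext_type == 0x0000:                 # server_name extension
            name_len = struct.unpack_from("!H", record, pos + 3)[0]
            return record[pos + 5:pos + 5 + name_len].decode("ascii")
        pos += ext_len
    return None


def should_bypass(record: bytes, patterns=UPDATE_BYPASS_PATTERNS) -> bool:
    """Bypass only when an SNI is present and matches; anything else fails closed."""
    sni = extract_sni(record)
    return sni is not None and any(fnmatchcase(sni.lower(), p) for p in patterns)
```

Note that an SNI is client-supplied and unauthenticated, which is why the thread's replies point out that SNI-based bypass still rides on the HTTPS Inspection engine rather than replacing it.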
Maik
Advisor

Seems like it is supported since R80.20 Jumbo HotFix - Ongoing Take 117 (13 October 2019), at least related to the Jumbo Patch notes. Is there some kind of list which application control "objects" can be used with this feature but HTTPS inspection disabled (or set to bypass all)?

0 Kudos
Maik
Advisor

**ping**

Would also appreciate feedback in any way, like for example that this approach does not make much sense and why (in regards to the mentioned objects/update servers).

0 Kudos
Mraybone
Explorer

Yes, some guidance on how this is possible, or even if it is at all, would be nice. My goal is to allow all servers access to a list of supplied Windows Update URLs (not IP ranges, as that information is not available).

0 Kudos
Chris_Atkinson
Employee

The most recent enhancement I'm aware of in this regard is outlined in sk163595.

CCSM R77/R80/ELITE
0 Kudos
Mraybone
Explorer

Thanks for the reply, unfortunately I only have the firewall blade available to me.

0 Kudos
PhoneBoy
Admin

With only Firewall blade available, there isn't much you can do.
Your only option is by IP address as even looking at URLs or SNI requires App Control. 

0 Kudos
Mraybone
Explorer

I was afraid of that, thanks for the info.

0 Kudos
Mraybone
Explorer

We have got the application control blade installed now, but the rule for Windows Update doesn't seem to be doing much. Any tips?

0 Kudos
G_W_Albrecht
Legend

See sk163595:

Check Point Solution for R80.40 and above

We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.

In previous versions, users can only use the “Bypass HTTPS inspection of all traffic to all known software update services” checkbox.

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mraybone
Explorer

Ok thanks, this is interesting - we have R80.40, but I can't find the "HTTPS services - bypass" object...

I have actually narrowed this down to the fact that it is only HTTPS that isn't working, so I'm almost there! 🙂

0 Kudos
G_W_Albrecht
Legend

Click the '+' button under the Source/Destination column, choose import 'Updatable Objects', and then you can choose the relevant "HTTPS services - bypass" - see sk131852!

CCSE / CCTE / CTPS / CCME / CCSM Elite / SMB Specialist
0 Kudos
Mraybone
Explorer

I found the object, I can even see things in the logs being successfully bypassed, but Windows updates still won't work.

0 Kudos
