This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Dmitry_Barantse
Participant
Participant
‎2018-09-12 10:25 PM

HTTPS inspection bypass R80.10

Hi team.

I'm trying to add https inspection bypass rules with custom site category with full URL or regex in this category. 

But it doesn't work and Check Point inspects this traffic.

Any ideas how to make it work?

17 Replies
Danny
Champion Champion
Champion
‎2018-09-12 11:12 PM

A bit more information would be helpful (Version you are using, the url you want to bypass, your regex etc.).

Usually, when URL and regex definitions don't work to bypass HTTPS websites, you'll be required to bypass the IP address of the website.

Follow these steps:

  1. Create network objects to represent ranges on IP addresses used by your clients.
  2. Configure the above network objects in the HTTPS Inspection Bypass rule.
  3. Install the policy.

Related SKs: sk108762, sk122158, sk114160, sk114419, sk113935,sk132913

0 Kudos
Dmitry_Barantse
Participant
Participant
‎2018-09-13 03:38 AM
In response to Danny

Hi Danny.

Thank's but I know about bypass by destination IP.

This method is too time-consuming because web sites has multiple IP addresses. So I need to bypass inspection with wildcard in URL, for example *.site.com

0 Kudos
Danny
Champion Champion
Champion
‎2018-09-13 03:45 AM
In response to Dmitry_Barantse

Which website would you like to bypass?

0 Kudos
Dmitry_Barantse
Participant
Participant
‎2018-09-13 03:53 AM
In response to Danny

For example vtb.ru with all subdomains

0 Kudos
Danny
Champion Champion
Champion
‎2018-09-13 04:09 AM
In response to Dmitry_Barantse

vtb.ru owns just a single /24 network: 193.164.146.0/24

So if you create a network object to reflect vtb.ru's network and bypass it within your HTTPS Inspection policy you should be all good.

0 Kudos
Dmitry_Barantse
Participant
Participant
‎2018-09-13 04:16 AM
In response to Danny

Thank you

0 Kudos
Danny
Champion Champion
Champion
‎2018-09-13 04:55 AM
In response to Dmitry_Barantse

The 'Thank you' badge can be found right below the Actions link.

ED
Advisor
‎2019-03-27 03:32 AM
In response to Danny

Hi @Danny 

How did you find out that vtb.ru owns that single /24 network? 

0 Kudos
Darran_Lebas
Participant
‎2019-01-21 04:17 AM

I have the same problem where the sites are inspected even though I have a custom bypass application with a list of URLs using regex. The URLs still get inspected and break my connection.

My requirement is to bypass the following.

*.oms.opinsights.azure.com
*.blob.core.windows.net
*.azure-automation.net
*.ods.opinsights.azure.com
winatp-gw-cus.microsoft.com
winatp-gw-eus.microsoft.com
winatp-gw-neu.microsoft.com
crl.microsoft.com
ctldl.windowsupdate.com
events.data.microsoft.com
uk.vortex-win.data.microsoft.com
uk-v20.events.data.microsoft.com
winatp-gw-uks.microsoft.com
winatp-gw-ukw.microsoft.com

What are my options as currently, I can't give my organisation a working solution?

0 Kudos
Darran_Lebas
Participant
‎2019-03-26 03:07 PM
In response to Darran_Lebas

Does anyone have any ideas on how to resolve the above issues?

0 Kudos
Alessandro_Marr
Advisor
‎2019-03-27 04:31 AM
In response to Darran_Lebas

Enable module probe bypass (sk104717)

 

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1 In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1

0 Kudos
Darran_Lebas
Participant
‎2019-03-27 04:35 AM
In response to Alessandro_Marr

Hi Alessandro,

Was this in response to my issue? If it was, I've been there and felt the pain of enabling probe bypass.

I'm still waiting for CP to supply me with the SNI fix to supplement enabling probe bypass but this hasn't happened as yet.

0 Kudos
Alessandro_Marr
Advisor
‎2019-03-27 04:42 AM
In response to Darran_Lebas

yes, was....

what is your take on r80.10 ?

 

0 Kudos
Darran_Lebas
Participant
‎2019-03-27 04:57 AM
In response to Alessandro_Marr

It's ever-changing. Currently 169.

No, the list above is from Microsoft. I'd created an application using the proper Regex format.

 

0 Kudos
Alessandro_Marr
Advisor
‎2019-03-27 05:02 AM
In response to Darran_Lebas

I have two clusters with r80.10 take 142, probe bypass on and my regex like this (^|.*\.)*microsoft\.com

 

working fine...

0 Kudos
Alessandro_Marr
Advisor
‎2019-03-27 04:37 AM
In response to Darran_Lebas

Hi Darran, your regex are like you wrote above?
0 Kudos
Alessandro_Marr
Advisor
‎2019-03-27 04:30 AM

enable module of probe bypass

Run: fw ctl set int bypass_on_enhanced_ssl_inspection 1
In $FWDIR/modules/fwkern.conf, add this line: bypass_on_enhanced_ssl_inspection=1
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    Sort by:
    CheckMates Events