Background
In some cases, services that worked while HTTPS Inspection was disabled lose connectivity once HTTPS Inspection is enabled. The common cause of these connectivity issues is that HTTPS Inspection cannot establish trust between the client and the Security Gateway and therefore cannot inspect the traffic. Usually, pushing the Security Gateway CA certificate into the system trust store is sufficient. However, some applications have trust stores of their own, so the Security Gateway cannot establish trust with them and cannot inspect their traffic; for these services you must decide whether to drop or bypass them. Any HTTPS service you bypass to prevent connectivity issues is not inspected. To keep the highest level of security, we recommend that, before you bypass any service, you verify whether trust can be established without bypassing.
Check Point Solution for R80.40 and above
We collected a list of HTTPS services that are known to be used in certificate-pinning scenarios. These HTTPS services are part of the "HTTPS services - bypass" Updatable Object.
HTTPS services - recommended bypass
These are well-known HTTPS services used by popular programs and applications, typically to deliver updates or to access remote resources. We recommend that you bypass these services in the HTTPS Inspection policy to prevent connectivity issues.
- Adobe Updates - HTTPS bypass
  - adobe.com
  - *.adobe.com
  - *.adobetag.com
- Check Point Updates - HTTPS bypass
  - avupdates.checkpoint.com
  - secureupdates.checkpoint.com
  - updates.checkpoint.com
- Java Updates - HTTPS bypass
  - sjremetrics.java.com
  - javadl-esd-secure.oracle.com
  - *.javadl-esd-secure.oracle.com
- Microsoft Updates - HTTPS bypass
  - login.live.com
  - settings-win.data.microsoft.com
  - *.vortex-win.data.microsoft.com
  - *.delivery.mp.microsoft.com
  - tsfe.trafficshaping.dsp.mp.microsoft.com
  - update.microsoft.com
  - *.update.microsoft.com
  - sls.update.microsoft.com
- Mozilla Firefox Updates - HTTPS bypass
  - download-installer.cdn.mozilla.net
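The list above mixes exact hostnames (adobe.com) with wildcard entries (*.adobe.com), and both forms appear for the same domain. The following added example (not Check Point code) evaluates observed TLS server names (SNI) against the recommended-bypass groups so you can audit which flows escape inspection. It assumes the entry syntax is as follows: a bare hostname matches exactly, and a "*." prefix matches any subdomain at any depth but not the apex domain itself; the group names and hostnames are copied from the list above, and the sample SNI values are constructed.

```python
from __future__ import annotations

# Constructed from the "HTTPS services - recommended bypass" groups above.
# Entry syntax is an ASSUMPTION for this example: a bare hostname matches
# exactly, and a "*." prefix matches any subdomain but not the apex itself.
BYPASS_GROUPS: dict[str, list[str]] = {
    "Adobe Updates - HTTPS bypass": [
        "adobe.com", "*.adobe.com", "*.adobetag.com",
    ],
    "Check Point Updates - HTTPS bypass": [
        "avupdates.checkpoint.com", "secureupdates.checkpoint.com",
        "updates.checkpoint.com",
    ],
    "Java Updates - HTTPS bypass": [
        "sjremetrics.java.com", "javadl-esd-secure.oracle.com",
        "*.javadl-esd-secure.oracle.com",
    ],
    "Microsoft Updates - HTTPS bypass": [
        "login.live.com", "settings-win.data.microsoft.com",
        "*.vortex-win.data.microsoft.com", "*.delivery.mp.microsoft.com",
        "tsfe.trafficshaping.dsp.mp.microsoft.com", "update.microsoft.com",
        "*.update.microsoft.com", "sls.update.microsoft.com",
    ],
    "Mozilla Firefox Updates - HTTPS bypass": [
        "download-installer.cdn.mozilla.net",
    ],
}


def _normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Adobe.COM.' compares as 'adobe.com'."""
    return name.strip().lower().rstrip(".")


def entry_matches(entry: str, server_name: str) -> bool:
    """True if one bypass-list entry covers the given TLS server name (SNI)."""
    entry, host = _normalize(entry), _normalize(server_name)
    if entry.startswith("*."):
        suffix = entry[1:]  # "*.adobe.com" -> ".adobe.com"
        # Host must end with the suffix and have at least one label before it,
        # so "notadobe.com" and the apex "adobe.com" do not match "*.adobe.com".
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == entry


def bypass_group(server_name: str) -> str | None:
    """Return the bypass group covering server_name, or None (traffic is inspected)."""
    for group, entries in BYPASS_GROUPS.items():
        if any(entry_matches(e, server_name) for e in entries):
            return group
    return None


def audit(server_names: list[str]) -> dict[str, list[str]]:
    """Classify observed SNI values so you can see which flows escape inspection.

    Returns {"inspected": [...], "<group name>": [...]}; every name lands in
    exactly one bucket.
    """
    buckets: dict[str, list[str]] = {"inspected": []}
    for name in server_names:
        buckets.setdefault(bypass_group(name) or "inspected", []).append(name)
    return buckets


if __name__ == "__main__":
    # Constructed sample of SNI values, as a gateway log might record them.
    sample = [
        "www.adobe.com", "adobe.com", "adobetag.com",       # wildcard vs. apex
        "sls.update.microsoft.com", "update.microsoft.com",
        "notadobe.com", "www.adobe.com.example.net",        # must stay inspected
    ]
    for bucket, names in audit(sample).items():
        print(f"{bucket}: {names}")
```

Note that adobetag.com stays inspected because only the wildcard *.adobetag.com is listed, while adobe.com is bypassed because the apex entry is present alongside its wildcard; this is why the list carries both forms. Running the audit over the SNI values your gateway logs is a cheap way to confirm that a bypass rule is no broader than the objects you intended.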
HTTPS services - optional bypass
Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object
- From the left navigation panel, click Security Policies
- In the HTTPS Inspection section, click Policy
- Add a new rule:
  - In the Name column: Bypass [name(s) of applicable object(s)]
  - In the Source column: Add the applicable object(s)
  - In the Destination column:
    - Click the [+] icon
    - In the top right corner, click Import > Updatable Objects
    - In the left pane, expand HTTPS services - bypass > expand HTTPS services - optional bypass
    - Select the applicable objects
    - Click OK
    - Delete the object Internet
  - In the Services column:
    - Click the [+] icon
    - In the top field, search for https
    - Click the service https (with the comment "HTTP protocol over TLS/SSL")
    - Delete the object HTTPS default services
  - In the Category/Custom Application column, leave the default object *Any
  - In the Action column, click Inspect and select Bypass
  - In other columns, select the applicable options
- Install the Access Control Policy
For more information, see the Security Management Administration Guide for your version > Chapter Managing Objects > Section Network Object Types > Section Updatable Objects.