HTTPS Inspection bypass list object

Support Center > Search Results > SecureKnowledge Details

Technical Level

Solution ID	sk163595
Technical Level
Product	HTTPS Inspection
Version	R80.40, R81, R81.10, R81.20
Date Created	01-Feb-2020
Last Modified	23-Nov-2022

Solution

Table of Contents:

Background
Check Point Solution for R80.40 and above
- HTTPS services - recommended bypass
- HTTPS services - optional bypass
Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object

Background

In some cases, services that used to work when HTTPS Inspection was disabled lose connectivity when HTTPS Inspection is enabled. The common reason for the connectivity issues is that HTTPS Inspection cannot establish trust between the client and the Security Gateway, and therefore cannot inspect the traffic. Usually, pushing Security Gateway CA certificate into the system trust store is sufficient. But some applications have trust stores of their own: therefore, the Security Gateway will not be able to inspect, and you should decide to drop or bypass these services. If you choose to bypass specific HTTPS services to prevent connectivity issues, they will not be inspected. To leverage the highest level of security, we recommend that, before you bypass any service, you figure out if trust can be established without bypassing.

Check Point Solution for R80.40 and above

We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.

HTTPS services - recommended bypass

Show / Hide this section

These are well-known HTTPS services used by popular programs and applications. These services are often used to provide updated services or access remote resources. We recommend that you bypass these services in the HTTPS Inspection policy to prevent connectivity issues.

Adobe Updates - HTTPS bypass
- adobe.com
- *.adobe.com
- *.adobetag.com
Check Point Updates - HTTPS bypass
- avupdates.checkpoint.com
- secureupdates.checkpoint.com
- updates.checkpoint.com
Java Updates - HTTPS bypass
- sjremetrics.java.com
- javadl-esd-secure.oracle.com
- *.javadl-esd-secure.oracle.com
Microsoft Updates - HTTPS bypass
- login.live.com
- settings-win.data.microsoft.com
- *.vortex-win.data.microsoft.com
- *.delivery.mp.microsoft.com
- tsfe.trafficshaping.dsp.mp.microsoft.com
- update.microsoft.com
- *.update.microsoft.com
- sls.update.microsoft.com
Mozilla Firefox Updates - HTTPS bypass
- download-installer.cdn.mozilla.net

HTTPS services - optional bypass

Show / Hide this section

These are well-known HTTPS services used by popular programs and applications that can be inspected only in some scenarios: for example, only when used by a web application or a website. If you select to bypass this list, the application and website are not inspected.

Important - Some applications can be used for malicious file distribution. Consider how the service is used within your organization and if there is a need to bypass these services in the HTTPS Inspection policy to prevent connectivity issues.

AWS Console - HTTPS bypass
- *.console.aws.amazon.com
- docs.aws.amazon.com
- signin.aws.amazon.com
- *.signin.aws.amazon.com
- fls-na.amazon.com
- cdn.assets.as2.amazonaws.com
- aws-signin-website-assets.s3.amazonaws.com
- opfcaptcha-prod.s3.amazonaws.com
- d1dgtfo2wk29o4.cloudfront.net
- Images-na.ssl-images-amazon.com
BitDefender - HTTPS bypass
- *.cdn.bitdefender.net
- download.bitdefender.com
- login.bitdefender.net
- login.bitdefender.com
- nimbus.bitdefender.net
- push.bitdefender.net
- upgrade.bitdefender.com
Dashlane - HTTPS bypass
- dashlane.com
- *.dashlane.com
Dropbox - HTTPS bypass
- *.dropbox.com
- *.dropboxapi.com
- *.previews.dropboxusercontent.com
- mmp.getdropbox.com
Facebook - HTTPS bypass
- *.facebook.com
Finch VPN - HTTPS bypass
- amber.finchapi.com
- www.finchvpn.com
Google - HTTPS bypass
- accounts.google.com
- alt2-mtalk.google.com
- android.clients.google.com
- www.google.com
- android.googleapis.com
- cryptauthenrollment.googleapis.com
- device-provisioning.googleapis.com
- digitalassetlinks.googleapis.com
- fcmconnection.googleapis.com
- fcmtoken.googleapis.com
- firebaseperusertopics-pa.googleapis.com
- play.googleapis.com
- semanticlocation-pa.googleapis.com
- lh3.googleusercontent.com
- play-lh.googleusercontent.com
- *.gstatic.com
- *.gvt1.com
LogMeIn - HTTPS bypass
- *.cdngetgo.com
- *.expertcity.com
- *.getgo.com
- *.getgocdn.com
- *.getgoservices.com
- *.getgoservices.net
- *.go2assist.me
- *.gofastchat.com
- *.goto-rtc.com
- *.gotoassist.com
- *.gotoassist.at
- *.gotoassist.me
- gotomeet.me
- *.gotomeet.at
- *.gotomeet.me
- *.gotomeeting.com
- *.gotomypc.com
- *.gotostage.com
- *.gototraining.com
- *.gotowebinar.com
- *.helpme.net
- accounts.logme.in
- *.accounts.logme.in
- *.joingotomeeting.com
- *.jointraining.com
- *.joinwebinar.com
- logmein.com
- *.logmein.com
- *.logmeininc.com
- *.logmeinrescue.com
Skype for Business (Lync) - HTTPS bypass
- lync.com
- *.lync.com
MyQuickCloud - HTTPS bypass
- *.myquickcloud.com
OneDrive - HTTPS bypass
- cdn.funcaptcha.com
- fpt.live.com
- login.live.com
- odc.officeapps.live.com
- skyapi.policies.live.net
- signup.live.com
- skyapi.live.net
- *.pipe.aria.microsoft.com
- *.data.microsoft.com
- *.svc.ms
- *.msauth.net
- *.onedrive.com
- cdn.onenote.net
Elster.de - HTTPS bypass
- *.elster.de
- datenannahme1.elster.de
- datenannahme2.elster.de
- datenannahme3.elster.de
- datenannahme4.elster.de
- datenannahme5.elster.de
- datenannahme6.elster.de
- datenannahme7.elster.de
- datenannahme8.elster.de
- datenannahme9.elster.de
- datenannahme0.elster.de
- datenannahme.elster.de

Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object

From the left navigation panel, click Security Policies
In the HTTPS Inspection section, click Policy
Add a new rule:
1. In the Name column:
  Bypass [name(s) of applicable object(s)]
2. In the Source column:
  Add the applicable object(s)
3. In the Destination column:
  1. Click the [+] icon
  2. In the top right corner, click Import > Updatable Objects
  3. In the left pane, expand HTTPS services - bypass > expand HTTPS services - optional bypass
  4. Select the applicable objects
  5. Click OK
  6. Delete the object Internet
4. In the Services column:
  1. Click the [+] icon
  2. In the top field, search for https
  3. Click the service https (with the comment "HTTP protocol over TLS/SSL")
  4. Delete the object HTTPS default services
5. In the Category/Custom Application column, leave the default object *Any
6. In the Action column, click Inspect and select Bypass
7. In other columns, select the applicable options
Install the Access Control Policy

For more information, see the Security Management Administration Guide for your version > Chapter Managing Objects > Section Network Object Types > Section Updatable Objects

Related solutions:

sk131852 - Updatable Objects in R80.20 and above

Give us Feedback

Please rate this document

[1=Worst,5=Best]

Comment
	Submitting rating

Background

Check Point Solution for R80.40 and above

HTTPS services - recommended bypass

Adobe Updates - HTTPS bypass

Check Point Updates - HTTPS bypass

Java Updates - HTTPS bypass

Microsoft Updates - HTTPS bypass

Mozilla Firefox Updates - HTTPS bypass

HTTPS services - optional bypass

AWS Console - HTTPS bypass

BitDefender - HTTPS bypass

Dashlane - HTTPS bypass

Dropbox - HTTPS bypass

Facebook - HTTPS bypass

Finch VPN - HTTPS bypass

Google - HTTPS bypass

LogMeIn - HTTPS bypass

Skype for Business (Lync) - HTTPS bypass

MyQuickCloud - HTTPS bypass

OneDrive - HTTPS bypass

Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object