Background
In some cases, services that used to work when HTTPS Inspection was disabled lose connectivity when HTTPS Inspection is enabled. The common reason for the connectivity issues is that HTTPS Inspection is cannot establish trust between the client and the Security Gateway, and therefore cannot inspect the traffic. Usually, pushing Security Gateway CA certificate into the system trust store is sufficient. But some applications have trust stores of their own: Therefore, the Security Gateway will not be able to inspect, and you should decide to drop or bypass these services. If you choose to bypass specific HTTPS services to prevent connectivity issues, they will not be inspected. To leverage the highest level of security, we recommend that, before you bypass any service, you figure out if trust can be established without bypassing.
Check Point Solution for R80.40 and above
We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.
HTTPS services - recommended bypass
These are well-known HTTPS services used by popular programs and applications. These services are often used to provide updated services or access remote resources. We recommend that you bypass these services in the HTTPS Inspection policy to prevent connectivity issues.
-
Microsoft - recommended HTTPS bypass
- *.update.microsoft.com
- update.microsoft.com
- vortex-win.data.microsoft.com
- settings-win.data.microsoft.com
- events.data.microsoft.com
- *.prod.do.dsp.mp.microsoft.com
- *.windowsupdate.com
- *.dl.delivery.mp.microsoft.com
- *.delivery.mp.microsoft.com
- tsfe.trafficshaping.dsp.mp.microsoft.com
-
Mozilla - recommended HTTPS bypass
- mozilla.org
- aus3.mozilla.org
- addons.mozilla.org
- aus2.mozilla.org
- versioncheck.addons.mozilla.org
-
Adobe - recommended HTTPS bypass
- *.adobe.org
- *.adobetag.org
HTTPS services - optional bypass
These are well-known HTTPS services used by popular programs and applications that can be inspected only in some scenarios: for example, only when used by a web application or a website. If you select to bypass this list, the application and website are not inspected.
Important - Some applications can be used for malicious file distribution. Consider how the service is used within your organization and if there is a need to bypass these services in the HTTPS Inspection policy to prevent connectivity issues.
-
Dropbox - optional HTTPS bypass
- photos-thumb.dropbox.com
- block-edge-1.dropbox.com
- block-edge-anycast.dropbox.com
- api.dropboxapi.com
- bolt.dropbox.com
- *.previews.dropboxusercontent.com
- dl-debug.dropbox.com
- client-web.dropbox.com
- d.dropbox.com
- client.dropbox.com
- api.dropbox.com
- notify.dropboxapi.com
- content.dropboxapi.com
-
Google - optional HTTPS bypass
- device-provisioning.googleapis.com
- fcmtoken.googleapis.com
- fcmconnection.googleapis.com
- firebaseperusertopics-pa.googleapis.com
- accounts.google.com
- *.drive.google.com
- android.clients.google.com
- lh3.googleusercontent.com
- semanticlocation-pa.googleapis.com
- android.googleapis.com
- play.googleapis.com
- cryptauthenrollment.googleapis.com
- connectivitycheck.gstatic.com
- digitalassetlinks.googleapis.com
- www.google.com
- alt2-mtalk.google.com
- *.gvt1.com
Usage
To bypass services, in the HTTPS Inspection policy, click the '+' button under the destination column, select import 'Updatable Objects', and then select the applicable HTTPS Services list from the HTTPS Services - bypass object .
Below is an example of adding HTTPS Services - bypass updatable object to Destination column in HTTPS Inspection Policy:
As an alternative you can select to drop these services: in the Access policy, click the '+' button under the destination column, select import 'Updatable Objects', and then select the applicable HTTPS Services list from the HTTPS Services - bypass object .
Below is an example of adding HTTPS Services - bypass updatable object to Destination column in Access Policy:
Note: This solution is available from R80.40.
In previous versions, users can only use the “Bypass HTTPS inspection of all traffic to all known software update services” checkbox.
For R80.40 users, the solutions can work together. Note that the “HTTPS services – bypass” updatable object covers more services, and the user might select to bypass/drop some of them, and not all of them.
Related solutions:
