HTTPS Inspection bypass list object

Table of Contents:

  • Background
  • Check Point Solution for R80.40 and above
    • HTTPS services - recommended bypass
    • HTTPS services - optional bypass
  • Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object

Background

In some cases, services that worked while HTTPS Inspection was disabled lose connectivity once HTTPS Inspection is enabled. The common reason for these connectivity issues is that HTTPS Inspection cannot establish trust between the client and the Security Gateway, and therefore cannot inspect the traffic. Usually, pushing the Security Gateway CA certificate into the system trust store is sufficient. However, some applications have trust stores of their own. The Security Gateway cannot inspect their traffic, and you must decide whether to drop or bypass these services. If you choose to bypass specific HTTPS services to prevent connectivity issues, they will not be inspected. To maintain the highest level of security, we recommend that, before you bypass any service, you determine whether trust can be established without bypassing.

Check Point Solution for R80.40 and above

We collected a list of HTTPS services that are known to be used in pinned scenarios. These HTTPS services are part of the "HTTPS services - bypass" updatable object.

HTTPS services - optional bypass

Configuring an HTTPS Inspection Bypass rule using a predefined Updatable Object

  1. From the left navigation panel, click Security Policies
  2. In the HTTPS Inspection section, click Policy
  3. Add a new rule:
    1. In the Name column:
      Bypass [name(s) of applicable object(s)]
    2. In the Source column:
      Add the applicable object(s)
    3. In the Destination column:
      1. Click the [+] icon
      2. In the top right corner, click Import > Updatable Objects
      3. In the left pane, expand HTTPS services - bypass > expand HTTPS services - optional bypass
      4. Select the applicable objects
      5. Click OK
      6. Delete the object Internet
    4. In the Services column:
      1. Click the [+] icon
      2. In the top field, search for https
      3. Click the service https (with the comment "HTTP protocol over TLS/SSL")
      4. Delete the object HTTPS default services
    5. In the Category/Custom Application column, leave the default object *Any
    6. In the Action column, click Inspect and select Bypass
    7. In other columns, select the applicable options
  4. Install the Access Control Policy

For more information, see the Security Management Administration Guide for your version > Chapter Managing Objects > Section Network Object Types > Section Updatable Objects.
