Bypass Rules for Certificate Pinning

Certificate pinning is a security technique used by applications to ensure sever's certificate adheres to certain rules to enhance data security against potential threats. As a result, these applications may not recognize the Harmony SASE certificate as valid and blocks the connection.

Check Point recommends to use process name or domain to bypass the traffic to applications that use certificate pinning.

The table lists some of the popular applications that use certificate pinning and provides their domains to bypass:

Application	Program	Domain
Adobe Suite (including Acrobat Reader, Creative Cloud and software updates)	N/A	Fill in these domain lists: List 1 List 2
Apple's iMessages, iTunes, App Store, Mail	N/A	p24-keyvalueservice.icloud.com apps.apple.com itunes.apple.com mzstatic.com gs-loc.apple.com gsa.apple.com securemetrics.apple.com swscan.apple.com xp.apple.com icloud.com ppq.apple.com akadns.net
AWS Console	N/A	console.aws.amazon.com docs.aws.amazon.com signin.aws.amazon.com signin.aws.amazon.com fls-na.amazon.com cdn.assets.as2.amazonaws.com aws-signin-website-assets.s3.amazonaws.com opfcaptcha-prod.s3.amazonaws.com d1dgtfo2wk29o4.cloudfront.net Images-na.ssl-images-amazon.com
Bitdefender	N/A	cdn.bitdefender.net download.bitdefender.com login.bitdefender.net login.bitdefender.com nimbus.bitdefender.net push.bitdefender.net upgrade.bitdefender.com
DropBox	Windows - dropbox.exe, dropboxupdate.exe macOS - com.getdropbox.dropbox	N/A
Evernote	evernote.exe	announce.evernote.com cd1. evernote.com evernote-a.akamaihd.net www.evernote.com
Google Drive	Windows - googledrivesync.exe, GoogleDriveFS.exe macOS - com.google.drivefs, com.google.drivefs.finderhelper.findersync	N/A
Google Services	N/A	accounts.google.com alt2-mtalk.google.com android.clients.google.com www.google.com android.googleapis.com cryptauthenrollment.googleapis.com device-provisioning.googleapis.com digitalassetlinks.googleapis.com fcmconnection.googleapis.com fcmtoken.googleapis.com firebaseperusertopics-pa.googleapis.com play.googleapis.com semanticlocation-pa.googleapis.com lh3.googleusercontent.com play-lh.googleusercontent.com gstatic.com gvt1.com
Java Updates	N/A	sjremetrics.java.com javadl-esd-secure.oracle.com
LogMeIn	logmein.exe	Fill in this domain list.
Microsoft Defender	N/A	Fill in this domain list.
Microsoft Lync and Skype	N/A	lync.com az801095.vo.msecnd.net i.s-microsoft.com
Microsoft Office365	Configure within Office365: Go to Policy > URL & Cloud App Control > Advanced Settings.	For outlook, add these domains: office365.com office.com
Microsoft OneDrive	N/A	cdn.funcaptcha.com fpt.live.com login.live.com odc.officeapps.live.com skyapi.policies.live.net signup.live.com skyapi.live.net pipe.aria.microsoft.com data.microsoft.com svc.ms msauth.net onedrive.com cdn.onenote.net
Microsoft Windows Store	N/A	eus-streaming-video-msn-com wns.windows.com live.com clientconfig.passport.net wustat.windows.com windowsupdate.com msftncsi.com microsoft.com
Microsoft Updates	N/A	login.live.com settings-win.data.microsoft.com vortex-win.data.microsoft.com delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com update.microsoft.com sls.update.microsoft.com login.microsoft.com
Slack	Windows - slack.exe macOS - com.tinyspeck.slackmacgap, com.tinyspeck.slackmacgap.helper	N/A
Spotify	N/A	spotify.com
Webex	atmrg.exe, wmlhost.exe, webexmta.exe, washost.exe	webex.com
Zoom	Windows - zoom.exe macOS - us.zoom.xos	zoom.us

Default Bypass Rules

Harmony SASE provides a list of preconfigured bypass rules for applications that use certificate pinning.

To view the default bypass rules, access Harmony SASE and click Internet Access > Bypass Rules. The default bypass rules disappear if you add new bypass rules.

Rule Name	Default Status	Domains	Categories
Bypass sensitive traffic - Pre-configured	Disabled	N/A	Financial Services, Government, Health and Medicine, Legal
Bypass Microsoft updates - Pre-configured	Enabled	login.live.com settings-win.data.microsoft.com vortex-win.data.microsoft.com delivery.mp.microsoft.com tsfe.trafficshaping.dsp.mp.microsoft.com update.microsoft.com sls.update.microsoft.com login.microsoft.com	N/A
Bypass Adobe updates - Pre-configured	Enabled	adobe.com adobetag.com	N/A
Bypass Java updates - Pre-configured	Enabled	sjremetrics.java.com javadl-esd-secure.oracle.com	N/A
Bypass Mozilla Firefox updates - Pre-configured	Enabled	download-installer.cdn.mozilla.net	N/A
Bypass AWS console - Pre-configured	Enabled	console.aws.amazon.com docs.aws.amazon.com signin.aws.amazon.com signin.aws.amazon.com fls-na.amazon.com cdn.assets.as2.amazonaws.com aws-signin-website-assets.s3.amazonaws.com opfcaptcha-prod.s3.amazonaws.com d1dgtfo2wk29o4.cloudfront.net Images-na.ssl-images-amazon.com	N/A
Bypass Dropbox - Pre-configured	Enabled	dropbox.com dropboxapi.com previews.dropboxusercontent.com mmp.getdropbox.com	N/A
Bypass Google services - Pre-configured	Enabled	accounts.google.com alt2-mtalk.google.com android.clients.google.com www.google.com android.googleapis.com cryptauthenrollment.googleapis.com device-provisioning.googleapis.com digitalassetlinks.googleapis.com fcmconnection.googleapis.com fcmtoken.googleapis.com firebaseperusertopics-pa.googleapis.com play.googleapis.com semanticlocation-pa.googleapis.com lh3.googleusercontent.com play-lh.googleusercontent.com gstatic.com gvt1.com	N/A
Bypass OneDrive - Pre-configured	Enabled	cdn.funcaptcha.com fpt.live.com login.live.com odc.officeapps.live.com skyapi.policies.live.net signup.live.com skyapi.live.net pipe.aria.microsoft.com data.microsoft.com svc.ms msauth.net onedrive.com cdn.onenote.net	N/A
Bypass LogMeIn - Pre-configured	Enabled	cdngetgo.com expertcity.com getgo.com getgocdn.com getgoservices.com getgoservices.net go2assist.me gofastchat.com goto-rtc.com gotoassist.com gotoassist.at gotoassist.me gotomeet.me gotomeet.at gotomeet.me gotomeeting.com gotomypc.com gotostage.com gototraining.com gotowebinar.com helpme.net accounts.logme.in joingotomeeting.com jointraining.com joinwebinar.com logmein.com logmeininc.com logmeinrescue.com	N/A
Bypass Microsoft Lync and Skype - Pre-configured	Enabled	lync.com az801095.vo.msecnd.net i.s-microsoft.com	N/A
Bypass Apple services - Pre-configured	Enabled	p24-keyvalueservice.icloud.com apps.apple.com itunes.apple.com mzstatic.com gs-loc.apple.com gsa.apple.com securemetrics.apple.com swscan.apple.com xp.apple.com icloud.com ppq.apple.com akadns.net mail.me.com music.apple.com	N/A
Bypass Bitdefender services - Pre-configured	Enabled	cdn.bitdefender.net download.bitdefender.com login.bitdefender.net login.bitdefender.com nimbus.bitdefender.net push.bitdefender.net upgrade.bitdefender.com	N/A
Bypass Zoom - Pre-configured	Enabled	zoom.us	N/A
Bypass Webex - Pre-configured	Enabled	webex.com	N/A
Bypass Spotify - Pre-configured	Enabled	spotify.com	N/A

Finding the Process Name of an Application

You can use the process name to bypass the traffic to the application that uses certificate pinning.

To find the process name in Windows:

Open Task Manager.
Right-click any column in the Processes tab and select Process name.

The Process name column appears in the table.
Search for your application and copy the process name.

To find the process name in macOS, do one of these:

Go to Activity Monitor:
1. Select the application's process.
2. Click View and select Inspect Process.
3. Go to Sample > Binary Images.
4. Identify the process name from the first item in the list.
Go to Finder:
1. Navigate to the Applications folder.
2. Select the application.
3. Right-click the application and select Show Package Contents.
4. Go to the Contents folder and open the Info.plist file.
5. Find the process name next to the CFBundleIdentifier key.

To find the process name in Linux:

Run this command in the terminal:

ps aux | grep <application_name>

The process name is displayed in the second-to-last column of the output.