<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: HTTPS Inspection options to apply only to devices that trust CA in Firewall and Security Management</title>
    <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-options-to-apply-only-to-devices-that-trust-CA/m-p/116471#M16426</link>
    <description>&lt;P&gt;I would think a properly defined Access Role would be sufficient (one that only matches things where both a user and machine identity were acquired in Active Directory).&amp;nbsp;&lt;BR /&gt;Something defined similar to the following:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-04-20 at 5.37.02 PM.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11452i159174F772DCC952/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2021-04-20 at 5.37.02 PM.png" alt="Screen Shot 2021-04-20 at 5.37.02 PM.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-04-20 at 5.36.47 PM.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11453iDE929519C85B5A1D/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2021-04-20 at 5.36.47 PM.png" alt="Screen Shot 2021-04-20 at 5.36.47 PM.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
    <pubDate>Wed, 21 Apr 2021 00:38:25 GMT</pubDate>
    <dc:creator>PhoneBoy</dc:creator>
    <dc:date>2021-04-21T00:38:25Z</dc:date>
    <item>
      <title>HTTPS Inspection options to apply only to devices that trust CA</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-options-to-apply-only-to-devices-that-trust-CA/m-p/116462#M16425</link>
      <description>&lt;P&gt;I've been doing some testing with HTTPS inspection using a sub-CA from our internal domain CA. I'm wondering if there are any methods of scoping the hosts you apply inspection to that I am missing in the documentation or elsewhere. From what I can tell you just have to use the source field with Access Roles, Networks, Hosts, etc. The issue with our environment, and I'm sure many environments, is that our subnets are not totally separated in ways that keep domain-joined or managed devices separate from something that does not trust our CA. So just turning on HTTPS inspection for entire subnets is not really possible in our environment without causing issues.&lt;/P&gt;&lt;P&gt;I would be interested to hear what others have done to scope out their environments to only hit devices that are either on the domain or otherwise managed where the root certs can be pushed to them. At one point I seem to recall a VAR telling me that Check Point was going to have a way to do it by device type (Windows, Mobile, etc.) where you could scope that way, but I have never found anything like this.&lt;/P&gt;&lt;P&gt;Thanks!&lt;/P&gt;</description>
      <pubDate>Tue, 20 Apr 2021 22:17:03 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-options-to-apply-only-to-devices-that-trust-CA/m-p/116462#M16425</guid>
      <dc:creator>Travis_Krings</dc:creator>
      <dc:date>2021-04-20T22:17:03Z</dc:date>
    </item>
    <item>
      <title>Re: HTTPS Inspection options to apply only to devices that trust CA</title>
      <link>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-options-to-apply-only-to-devices-that-trust-CA/m-p/116471#M16426</link>
      <description>&lt;P&gt;I would think a properly defined Access Role would be sufficient (one that only matches things where both a user and machine identity were acquired in Active Directory).&amp;nbsp;&lt;BR /&gt;Something defined similar to the following:&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-04-20 at 5.37.02 PM.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11452i159174F772DCC952/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2021-04-20 at 5.37.02 PM.png" alt="Screen Shot 2021-04-20 at 5.37.02 PM.png" /&gt;&lt;/span&gt;&lt;/P&gt;
&lt;P&gt;&lt;span class="lia-inline-image-display-wrapper lia-image-align-inline" image-alt="Screen Shot 2021-04-20 at 5.36.47 PM.png" style="width: 400px;"&gt;&lt;img src="https://community.checkpoint.com/t5/image/serverpage/image-id/11453iDE929519C85B5A1D/image-size/medium?v=v2&amp;amp;px=400" role="button" title="Screen Shot 2021-04-20 at 5.36.47 PM.png" alt="Screen Shot 2021-04-20 at 5.36.47 PM.png" /&gt;&lt;/span&gt;&lt;/P&gt;
</description>
      <pubDate>Wed, 21 Apr 2021 00:38:25 GMT</pubDate>
      <guid>https://community.checkpoint.com/t5/Firewall-and-Security-Management/HTTPS-Inspection-options-to-apply-only-to-devices-that-trust-CA/m-p/116471#M16426</guid>
      <dc:creator>PhoneBoy</dc:creator>
      <dc:date>2021-04-21T00:38:25Z</dc:date>
    </item>
  </channel>
</rss>

