topic Re: Multiple outbound HTTPS inspection certificates in Firewall and Security Management

Multiple outbound HTTPS inspection certificates

EricAnderson — Tue, 27 Sep 2022 16:43:06 GMT

I believe this was asked 3 years ago, but not properly answered (if at all). I've asked a few folks as well, but nothing yet.

The desire is to have different certificates/CA's used on/by different gateways. One example would be different locations with separate Active Directory domains. Users at each location already have different trusted CA's and would ideally be presented with different trusted root CA's upon outbound inspection.

AFAIK there is only a single outbound inspection certificate (whether internal or imported) - installed on the SMS and deployed to GW's during access policy installation.

One [rather impractical] workaround could be to install policy to site A, re-import site B's certificate (scriptable in R81.20?), install policy to site B. If R81.20's certificate scripting permits (as I've read), this could become fairly automated if we script all policy installation operations. Somewhat ugly, but it may at least help better covey the goal.

Even more ideally (but likely more of an RFE), what about allowing multiple outbound certificates in the inspection policy? The policy already allows for certificate selection - but only for inbound. Allowing certificate selection in outbound inspection rules would allow for even greater flexibility, like using roles and dynamic objects in source - allowing members of different AD domains (and even non-member machines) to use different certs. We can always dream 😉

Thanks,

-E

Re: Multiple outbound HTTPS inspection certificates

PhoneBoy — Tue, 27 Sep 2022 16:48:38 GMT

What we allow for outbound HTTPS inspection is a single CA to be used per management domain.
That ultimately signs all the outbound certificates generated for user connections.

That implies MDM is a potential workaround for this.
Like you point out, these operations in can potentially be automated in R81.20.
Otherwise having different Outbound CA certs for different gateways managed by the same management domain is an RFE.

Re: Multiple outbound HTTPS inspection certificates

EricAnderson — Tue, 27 Sep 2022 17:37:11 GMT

Thanks for confirming, bud.

Makes sense that MDM would work, but even more impractical than scripting in this case.

Thinking about the scripting more, it makes me wish "Before install Policy" was a SmartTask trigger 😉

Still curious if anyone else has any creative ideas, or even just has the same need/desire.

-E