topic Re: Question about sk173629 to install Trusted CAs list automatically in Firewall and Security Management

Question about sk173629 to install Trusted CAs list automatically

Cypress — Mon, 07 Apr 2025 18:42:15 GMT

I have a question regarding the Trusted CAs List on a Security Gateway running HTTPS inspection.

I have encountered, in some rare cases, where a legitimate website with a legitimate CA-issued certificate will show as a Cert Error for our users. When this happened, the logs in Logs & Monitoring would show "Untrusted Certificate." Previously, I was fixing this by bypassing inspection for that domain.. but I have very recently come to realize the TRUE root cause is because the website's issuing CA is not present in our gateway's 'Trusted CAs' list. Ah ha, a root cause finally found.

So.. anyway now on to my actual questions:

1. Is it the best practice from Check Point to toggle this setting in SmartDashboard Trusted CAs to "download and install updates automatically?" I'm assuming this is the recommendation now, but thought I would ask.

2. I have read some OLDER posts on here that after installing an updated Trusted CAs list, you still have to install policy to the gateway. Is that still true? (In R81.20?) sk173629 mentions installing policy to the gateways after making the settings change, but it doesn't mention installing policy upon subsequent updates?

Re: Question about sk173629 to install Trusted CAs list automatically

the_rock — Mon, 07 Apr 2025 23:58:37 GMT

My own experience and based on answers about this from TAC:

1) Yes

2) It depends, its 50-50, but TAC told me its best to install policy anyway

Hope that helps.

Andy

Re: Question about sk173629 to install Trusted CAs list automatically

the_rock — Mon, 07 Apr 2025 20:01:41 GMT

@Cypress I would still double check with TAC to confirm, but thats what I know 🙂

Andy

Re: Question about sk173629 to install Trusted CAs list automatically

the_rock — Tue, 08 Apr 2025 00:22:42 GMT

@Cypress

FWIW, I also have up to date R82 mgmt server in the lab that manages R81.20 cluster with ssl inspection on, so can get you updated zip file that can be uploaded for certificate list. But, just FYI, though it does work in R81.20 lab, its my "disclosure" that it may not work for you : - )

Andy

Re: Question about sk173629 to install Trusted CAs list automatically

the_rock — Tue, 08 Apr 2025 02:10:57 GMT

@Cypress

Was doing some Azure labs, so figured would double check on this. So, whatever you see for download in below sk, is literally same thing I see in my R82 lab:

sk64521 - How to update the Trusted Certificate Authorities (CAs) list for HTTPS Inspection and HTTPS Categorization

There is no .zip file in R82 folder, where you would have found it in R81.20 and below, as mechanism is a bit different. I also attacxhed screenshots for reference. If you need more help, let me know.

/opt/CPshrd-R82/database/downloads/CA_BUNDLE/1.0/1.1

Best,

Andy