topic Re: SSL inspection policy - Validate CRL - known issue? in Spark Firewall (SMB)

SSL inspection policy - Validate CRL - known issue?

Tandishe — Thu, 19 Dec 2019 10:07:13 GMT

I have a Check Point 730 router with firewall.

We've had the router for over a year, and lately, the users have had issues connecting to sites with SSL certificates, up until the point where we could not connect to those sites at all.

I spoke to our ISP, and they said this is a known bug, and the workaround is to set "SSL inspection policy - Validate CRL" to "false".

Is this really a known bug? I could not find documentation about it anywhere.

If this is in fact a known bug, I would like to read about the progress of the issue.

thanks

Re: SSL inspection policy - Validate CRL - known issue?

_Val_ — Thu, 19 Dec 2019 11:40:41 GMT

Not a good advice, I am afraid. You have HTTPS Inspection enabled on your appliance (it is not called a router, BTW, but a security appliance), and the box cannot get CRLs for whatever reason.

You have several options:

1. Disable HTTPS Inspection

2. Troubleshoot CRL retrieval issue (if you do not know how, reach out to Check Point support)

3. Do what your ISP is telling you. In this case, you risk accepting any of the revoked and invalid certificates, which is a security issue.

Re: SSL inspection policy - Validate CRL - known issue?

Tandishe — Thu, 19 Dec 2019 11:49:09 GMT

So my contract with the ISP is such that they have all the admin access, not me. Technically I'm renting my Checkpoint equipment and get zero support from checkpoint. I get support from my ISP, and they get support from checkpoint.

What I'm really looking for here is some sort of official documentation that shows that this is (or is not) a "known issue with a workaround". My ISP is claiming this is in the hands of Check Point and being looked into, and that the official advised workaround is to set that parameter to false.

However, my impression is that my ISP is shirking responsibility and can in fact properly help by actually looking into the issue instead of throwing on a bandaid that makes me more vulnerable.

Re: SSL inspection policy - Validate CRL - known issue?

_Val_ — Thu, 19 Dec 2019 12:54:52 GMT

Without an actual support ticket details, I cannot provide you an alternative view on your ISP support process. Feel free to reach out to me offline with the actual support information.

Concerning "the known bugs", the only infoI can find that would sound like your case is this:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk141953

It is rather old, and there is a fix available through regular support. Mind, it is only relevant for a specific firmware version.