
Application for CRL downloads

Hello,
Here at the customer site, the clients only have access to the internet via the CP proxy.
For SSL certificate revocation checks, the clients are fetching CRL lists according to the different certificates they are using.

Now, there is no "CRL Application" in Application Control, nor any category for this.
As a workaround the customer is using a manual "CRL list" which is not a good solution for CRL fetching.

The only way seems to be to create a custom application for this, for example using the MIME type of .crl here:
https://pki-tutorial.readthedocs.io/en/latest/mime.html

Matching MIME types would be:

application/x-pkcs7-crl
application/pkix-crl

I know about the possibility of using the signature tool for custom application control or URL filtering, but this is not an option for the customer.

The question now is: how are other Check Point admins doing the filtering for this?
Is there any feature available for CRL filtering from Check Point that I don't know about?

Maybe the above could be added in a future release; I have seen that other firewall vendors are doing the same as above.

Thanks,
Peter

0 Kudos
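The MIME-type match proposed in the post above, sketched as an added example (it is not part of the original post and is not Check Point signature syntax). Because a `Content-Type` header is set by the server and cannot be trusted on its own, the sketch also checks that the body has the outer shape of a CRL; it assumes the body is a bare X.509 CertificateList in DER or PEM, and all function names and sample bytes are constructed for illustration.

```python
# MIME types quoted in the post above.
CRL_MIME_TYPES = {"application/pkix-crl", "application/x-pkcs7-crl"}
PEM_CRL_HEADER = b"-----BEGIN X509 CRL-----"

# Constructed sample bodies (structural skeletons, not valid signed CRLs).
SAMPLE_DER = bytes.fromhex("300730003000030100")  # SEQUENCE{SEQUENCE, SEQUENCE, BIT STRING}
SAMPLE_PEM = PEM_CRL_HEADER + b"\nMAcwADAAAwEA\n-----END X509 CRL-----\n"
SAMPLE_HTML = b"<html><body>blocked by proxy</body></html>"


def _der_header(buf, pos):
    """Return (tag, content_start, content_len) for the DER TLV at pos, or None."""
    if pos + 2 > len(buf):
        return None
    tag, first = buf[pos], buf[pos + 1]
    if first < 0x80:                       # short-form length
        return tag, pos + 2, first
    n = first & 0x7F                       # long form: n length bytes follow
    if n == 0 or n > 4 or pos + 2 + n > len(buf):
        return None
    return tag, pos + 2 + n, int.from_bytes(buf[pos + 2:pos + 2 + n], "big")


def looks_like_crl(body):
    """Cheap shape check: PEM CRL header, or a DER SEQUENCE wrapping a SEQUENCE."""
    if body.lstrip().startswith(PEM_CRL_HEADER):
        return True
    outer = _der_header(body, 0)
    # The outer SEQUENCE must span the whole body (rejects truncation and padding).
    if outer is None or outer[0] != 0x30 or outer[1] + outer[2] != len(body):
        return False
    inner = _der_header(body, outer[1])    # tbsCertList is itself a SEQUENCE
    return inner is not None and inner[0] == 0x30 and inner[1] + inner[2] <= len(body)


def classify(content_type, body):
    """Return 'crl', 'mime-only' (header claims a CRL, body does not), or 'other'."""
    mime = (content_type or "").split(";", 1)[0].strip().lower()
    if mime not in CRL_MIME_TYPES:
        return "other"
    return "crl" if looks_like_crl(body) else "mime-only"


if __name__ == "__main__":
    for ctype, body in [("application/pkix-crl", SAMPLE_DER),
                        ("application/x-pkcs7-crl", SAMPLE_HTML),
                        ("text/html", SAMPLE_HTML)]:
        print(ctype, "->", classify(ctype, body))
```

A `mime-only` result is the case worth logging: the response is labelled as a CRL but carries something else.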
3 Replies
Admin

Re: Application for CRL downloads

Why isn't creating a custom application signature a valid solution for the customer?
0 Kudos

Re: Application for CRL downloads

Hi @PhoneBoy,
From the customer's view, it is the time needed to get familiar with the signature tool and the time to create the signature.
Also, there is the question of whether the resulting signature is upgradeable and still usable when implemented.

The customer was asking why Check Point does not provide such an application already...
0 Kudos
Admin

Re: Application for CRL downloads

I haven't heard of any situation where a customer-generated signature would not work in later versions.
That said, it's a fair point that we should probably have a built-in signature for this--will ask.