Tandishe
Explorer

SSL inspection policy - Validate CRL - known issue?

I have a Check Point 730 router with firewall.

We've had the router for over a year, and lately, the users have had issues connecting to sites with SSL certificates, up until the point where we could not connect to those sites at all.

I spoke to our ISP, and they said this is a known bug, and the workaround is to set "SSL inspection policy - Validate CRL" to "false".

Is this really a known bug? I could not find documentation about it anywhere.

If this is in fact a known bug, I would like to read about the progress of the issue. 

thanks

0 Kudos
3 Replies
_Val_
Admin

Not good advice, I am afraid. You have HTTPS Inspection enabled on your appliance (it is not called a router, BTW, but a security appliance), and the box cannot get CRLs for whatever reason.

You have several options:

1. Disable HTTPS Inspection

2. Troubleshoot CRL retrieval issue (if you do not know how, reach out to Check Point support)

3. Do what your ISP is telling you. In this case, you risk accepting any of the revoked and invalid certificates, which is a security issue. 

0 Kudos
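The trade-off behind option 3 above, as an added example that is not part of this thread and is not Check Point's code: a small Go program that builds a throwaway CA, two server certificates and a CRL in memory, then runs the same revocation check under a fail-closed policy (Validate CRL = true) and a fail-open one (Validate CRL = false). The policy names, the `ErrCRLUnavailable` error, the `checkRevocation` function and all the lab certificates are assumptions constructed for this example; how the appliance itself implements the setting is not documented here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// CRLPolicy models the thread's "Validate CRL" switch (assumed simplification, not Check Point's code).
type CRLPolicy int

const (
	FailClosed CRLPolicy = iota // Validate CRL = true: an unreachable CRL blocks the connection
	FailOpen                    // Validate CRL = false: revocation is never consulted
)

// ErrCRLUnavailable stands in for a CRL distribution point the gateway cannot reach.
var ErrCRLUnavailable = errors.New("CRL could not be retrieved")

// checkRevocation accepts or rejects leaf. crlDER == nil models the retrieval failure from
// the thread; otherwise the CRL is authenticated against issuer, checked for freshness, and searched.
func checkRevocation(leaf, issuer *x509.Certificate, crlDER []byte, policy CRLPolicy) error {
	if crlDER == nil {
		if policy == FailOpen {
			return nil // the ISP workaround: a revoked certificate is accepted here
		}
		return ErrCRLUnavailable
	}
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil {
		return fmt.Errorf("CRL parse: %w", err)
	}
	if err := crl.CheckSignatureFrom(issuer); err != nil {
		return fmt.Errorf("CRL signature: %w", err) // forged or wrong-issuer CRL
	}
	if time.Now().After(crl.NextUpdate) {
		return errors.New("CRL is past its NextUpdate time")
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(leaf.SerialNumber) == 0 {
			return fmt.Errorf("%q (serial %s) is revoked", leaf.Subject.CommonName, leaf.SerialNumber)
		}
	}
	return nil
}

func must[T any](v T, err error) T { // lab set-up failures are bugs in the example, not policy outcomes
	if err != nil {
		panic(err)
	}
	return v
}

// issueCert signs tmpl with signer under parent; parent == nil yields a self-signed certificate.
func issueCert(tmpl, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	if parent == nil {
		parent, signer = tmpl, key
	}
	tmpl.NotBefore, tmpl.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// buildLab generates in memory a throwaway CA, a revoked and a valid server certificate,
// and the CA's CRL. All of it is constructed for this example; none is real PKI material.
func buildLab() (ca, revoked, valid *x509.Certificate, crlDER []byte) {
	ca, caKey := issueCert(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Lab Root CA"},
		IsCA: true, BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}, nil, nil)
	leaf := func(serial int64, cn string) *x509.Certificate {
		c, _ := issueCert(&x509.Certificate{
			SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
			KeyUsage:     x509.KeyUsageDigitalSignature,
			ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		}, ca, caKey)
		return c
	}
	revoked, valid = leaf(4242, "revoked.example.test"), leaf(4243, "valid.example.test")
	crlDER = must(x509.CreateRevocationList(rand.Reader, &x509.RevocationList{
		Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour),
		RevokedCertificates: []pkix.RevokedCertificate{{SerialNumber: revoked.SerialNumber, RevocationTime: time.Now()}},
	}, ca, caKey))
	return ca, revoked, valid, crlDER
}

func main() {
	ca, revoked, _, crl := buildLab()
	fmt.Println("CRL reachable, revoked leaf:        ", checkRevocation(revoked, ca, crl, FailClosed))
	fmt.Println("CRL unreachable, Validate CRL=true: ", checkRevocation(revoked, ca, nil, FailClosed))
	fmt.Println("CRL unreachable, Validate CRL=false:", checkRevocation(revoked, ca, nil, FailOpen))
}
```

Run it with `go run`: the first line rejects the revoked certificate, the second blocks the connection because the CRL cannot be fetched (what users in the thread are seeing), and the third accepts the revoked certificate without complaint, which is the exposure option 3 warns about. Fixing retrieval (option 2) brings the check back to the first outcome; the signature and NextUpdate checks are what keep a fetched CRL from being swapped for a forged or stale one.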
Tandishe
Explorer

So my contract with the ISP is such that they have all the admin access, not me. Technically I'm renting my Check Point equipment and get zero support from Check Point. I get support from my ISP, and they get support from Check Point.

What I'm really looking for here is some sort of official documentation that shows that this is (or is not) a "known issue with a workaround". My ISP is claiming this is in the hands of Check Point and being looked into, and that the official advised workaround is to set that parameter to false.

However, my impression is that my ISP is shirking responsibility and can in fact properly help by actually looking into the issue instead of throwing on a bandaid that makes me more vulnerable.

0 Kudos
_Val_
Admin

Without actual support ticket details, I cannot provide you with an alternative view on your ISP support process. Feel free to reach out to me offline with the actual support information.

Concerning "the known bugs", the only info I can find that would sound like your case is this:

https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solut...

It is rather old, and there is a fix available through regular support. Mind, it is only relevant for a specific firmware version.

0 Kudos
