This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
Peter_Baumann
Contributor
‎2019-07-15 12:54 AM

Application for CRL downloads

Hello,
Here at the customer site the clients only have over the CP proxy access to the internet.
For SSL certificate revocation checks the clients are fetching CRL lists according the different certificates they using.

Now, it does not exist a "CRL Application" in the application control or any category for this.
As a workaround the customer is using a manual "CRL list" which is not a good solution for CRL fetching.

The only way seems to be to create a custom application for this, as example using the mime type of .crl here:
https://pki-tutorial.readthedocs.io/en/latest/mime.html

Matching mime types would be:

application/x-pkcs7-crl
application/pkix-crl

 I know about the possibility with the signature tool for custom application control or url filtering but this is not an option for the customer.

The question is now how are other check point admins doing the filtering for this?
Is there any feature available for CRL filtering from check point I don't know about it?

Maybe the above could be added in a future release, I have seen that other firewall-vendors are doing the same like above.

Thanks,
Peter

0 Kudos
3 Replies
PhoneBoy
Admin
Admin
‎2019-07-18 06:55 PM

Why isn't creating a custom application signature a valid solution for the customer?
0 Kudos
Peter_Baumann
Contributor
‎2019-07-22 12:43 AM
In response to PhoneBoy

Hi @PhoneBoy,
from the customer's view it is the time needed to get familar with the signature tool and the time to create the signature.
Also the question if the resulting signature is upgradeable and still usable when implemented.

The customer was asking why check point does not providing such an application already...
0 Kudos
PhoneBoy
Admin
Admin
‎2019-07-22 09:45 AM
In response to Peter_Baumann

I haven't heard of any situation where a customer-generated signature would not work in later versions.
That said, it's a fair point that we should probably have a built-in signature for this--will ask.

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events