
HTTPS Inspection options to apply only to devices that trust CA

I've been doing some testing with HTTPS inspection using a sub-CA from our internal domain CA. I'm wondering if there are any methods for scoping the hosts you apply inspection to that I am missing in the documentation or elsewhere. From what I can tell, you just have to use the source field with Access Roles, Networks, Hosts, etc. The issue with our environment, and I'm sure many environments, is that our subnets are not totally separated in ways that keep domain-joined or managed devices separate from something that does not trust our CA. So just turning on HTTPS inspection for entire subnets is not really possible in our environment without causing issues.

I would be interested to hear what others have done to scope out their environments to only hit devices that are either on the domain or otherwise managed, where the root certs can be pushed to them. At one point I seem to recall a VAR telling me that Check Point was going to have a way to do it by device type (Windows, Mobile, etc.) where you could scope that way, but I have never found anything like this.


0 Kudos
1 Reply

I would think a properly defined Access Role would be sufficient (one that only matches things where both a user and a machine identity were acquired in Active Directory).
Something defined similar to the following:

[Screenshot: Screen Shot 2021-04-20 at 5.37.02 PM.png (Access Role definition)]

[Screenshot: Screen Shot 2021-04-20 at 5.36.47 PM.png (Access Role definition)]


0 Kudos
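To make the reply's rule concrete, here is an added Python example (not Check Point code and not from either poster) that simulates which sources would fall under HTTPS inspection when the Access Role requires both a user and a machine identity learned from Active Directory. The identity records and the acquisition-source names are constructed sample data, and treating "AD Query" and "Identity Agent" as the AD-backed sources is an assumption.

```python
"""Simulate the scoping rule from the reply: a source is inspected only when
both a user identity AND a machine identity were acquired from Active
Directory; anything else is left uninspected (bypassed), so devices that do
not trust the inspection CA never see a resigned certificate.
All records below are constructed sample data, not real gateway output."""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

@dataclass(frozen=True)
class IdentityRecord:
    src_ip: str
    user: Optional[str]      # AD user name, or None if no user identity was learned
    machine: Optional[str]   # AD computer account, or None if no machine identity
    source: str              # how the identity was acquired (constructed names)

# Assumption: only these identity sources imply a domain-joined, managed device.
AD_SOURCES = {"AD Query", "Identity Agent"}

def is_managed(rec: IdentityRecord) -> bool:
    """True only when user and machine identity were both acquired via AD."""
    return bool(rec.user) and bool(rec.machine) and rec.source in AD_SOURCES

def inspection_scope(records: Iterable[IdentityRecord]) -> Dict[str, str]:
    """Map each source IP to 'inspect' or 'bypass'.
    If the same IP appears with conflicting records, 'bypass' wins: a host
    that ever looked unmanaged must not be inspected, since it may not trust
    the sub-CA and would break on the resigned certificate."""
    verdict: Dict[str, str] = {}
    for rec in records:
        decision = "inspect" if is_managed(rec) else "bypass"
        if verdict.get(rec.src_ip) == "bypass":
            continue  # an earlier unmanaged sighting already excluded this host
        verdict[rec.src_ip] = decision
    return verdict

# Constructed sample: a mixed subnet like the one the question describes.
SAMPLE = [
    IdentityRecord("10.1.5.20", "CORP\\alice", "WS-ALICE$", "Identity Agent"),  # domain laptop
    IdentityRecord("10.1.5.21", "CORP\\bob", None, "Captive Portal"),          # BYOD device, user only
    IdentityRecord("10.1.5.22", None, "WS-PRINT$", "AD Query"),                # machine only
    IdentityRecord("10.1.5.23", None, None, "none"),                           # unknown device
    IdentityRecord("10.1.5.20", None, None, "none"),                           # same IP later seen unidentified
]

if __name__ == "__main__":
    for ip, decision in sorted(inspection_scope(SAMPLE).items()):
        print(f"{ip:<12} {decision}")
```

Only the fully identified domain laptop would be inspected; the conflicting later record for the same IP demonstrates the fail-to-bypass choice for hosts whose trust in the CA is uncertain.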