This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
EricAnderson
Participant
‎2022-09-27 09:43 AM

Multiple outbound HTTPS inspection certificates

I believe this was asked 3 years ago, but not properly answered (if at all).  I've asked a few folks as well, but nothing yet.

The desire is to have different certificates/CA's used on/by different gateways.  One example would be different locations with separate Active Directory domains.  Users at each location already have different trusted CA's and would ideally be presented with different trusted root CA's upon outbound inspection.

AFAIK there is only a single outbound inspection certificate (whether internal or imported) - installed on the SMS and deployed to GW's during access policy installation.

One [rather impractical] workaround could be to install policy to site A, re-import site B's certificate (scriptable in R81.20?), install policy to site B.  If R81.20's certificate scripting permits (as I've read), this could become fairly automated if we script all policy installation operations.  Somewhat ugly, but it may at least help better covey the goal.

Even more ideally (but likely more of an RFE), what about allowing multiple outbound certificates in the inspection policy?  The policy already allows for certificate selection - but only for inbound.  Allowing certificate selection in outbound inspection rules would allow for even greater flexibility, like using roles and dynamic objects in source - allowing members of different AD domains (and even non-member machines) to use different certs.  We can always dream 😉

Thanks,

-E

2 Replies
PhoneBoy
Admin
Admin
‎2022-09-27 09:48 AM

What we allow for outbound HTTPS inspection is a single CA to be used per management domain.
That ultimately signs all the outbound certificates generated for user connections.

That implies MDM is a potential workaround for this.
Like you point out, these operations in can potentially be automated in R81.20.
Otherwise having different Outbound CA certs for different gateways managed by the same management domain is an RFE.

0 Kudos
EricAnderson
Participant
‎2022-09-27 10:37 AM
In response to PhoneBoy

Thanks for confirming, bud.

Makes sense that MDM would work, but even more impractical than scripting in this case.

Thinking about the scripting more, it makes me wish "Before install Policy" was a SmartTask trigger 😉

Still curious if anyone else has any creative ideas, or even just has the same need/desire.

-E

0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events