Multiple outbound HTTPS inspection certificates

May the 4th (+4)
Roadmap Session and Use Cases for
Cloud Security, SASE, and Email Security

SASE Masters:
Deploying Harmony SASE for a 6,000-Strong Workforce
in a Single Weekend

Paradigm Shifts: Adventures Unleashed!
Capture Your Adventure for a Chance to WIN!

Join the Photo Contest!

Mastering Compliance
Unveiling the power of Compliance Blade

WATCH NOW

CPX 2024 Content
is Here!

Get What You Need

Harmony SaaS
The most advanced prevention
for SaaS-based threats

LEARN MORE

CheckMates Go:
CPX 2024 Recap

LISTEN NOW

Create a Post

I believe this was asked 3 years ago, but not properly answered (if at all). I've asked a few folks as well, but nothing yet.

The desire is to have different certificates/CA's used on/by different gateways. One example would be different locations with separate Active Directory domains. Users at each location already have different trusted CA's and would ideally be presented with different trusted root CA's upon outbound inspection.

AFAIK there is only a single outbound inspection certificate (whether internal or imported) - installed on the SMS and deployed to GW's during access policy installation.

One [rather impractical] workaround could be to install policy to site A, re-import site B's certificate (scriptable in R81.20?), install policy to site B. If R81.20's certificate scripting permits (as I've read), this could become fairly automated if we script all policy installation operations. Somewhat ugly, but it may at least help better covey the goal.

Even more ideally (but likely more of an RFE), what about allowing multiple outbound certificates in the inspection policy? The policy already allows for certificate selection - but only for inbound. Allowing certificate selection in outbound inspection rules would allow for even greater flexibility, like using roles and dynamic objects in source - allowing members of different AD domains (and even non-member machines) to use different certs. We can always dream 😉

Thanks,

-E