I have a question regarding the Trusted CAs List on a Security Gateway running HTTPS inspection.
I have encountered, in some rare cases, a legitimate website with a legitimate CA-issued certificate showing as a Cert Error for our users. When this happened, the logs in Logs & Monitoring would show "Untrusted Certificate." Previously, I was fixing this by bypassing inspection for that domain, but I have very recently come to realize the TRUE root cause is that the website's issuing CA is not present in our gateway's 'Trusted CAs' list. Aha, a root cause finally found.
So... anyway, now on to my actual questions:
1. Is it the best practice from Check Point to toggle this setting in SmartDashboard Trusted CAs to "download and install updates automatically"? I'm assuming this is the recommendation now, but thought I would ask.
2. I have read some OLDER posts on here that after installing an updated Trusted CAs list, you still have to install policy to the gateway. Is that still true? (In R81.20?) sk173629 mentions installing policy to the gateways after making the settings change, but it doesn't mention installing policy upon subsequent updates?