We have Web Gateway deployed as an ICAP server in a restricted environment where we only have HTTPS enabled to the internet so that it can download engine updates. But this has a bit of an issue when it comes to CRL downloads. Obviously, as its purpose is only to act as an ICAP server, we don't need any CRLs, but it seems that the appliance can't be stopped from attempting those downloads, and it is continuously retrying to access these lists.
Any idea how to stop those?
Hope you are doing well.
Configuration -> Appliance -> Central Management -> Automatic Engine Updates -> CRL update interval; with this option you can adjust the CRL update interval.
We can simply delete all the "CA lists" that exist on the MWG and restart; then MWG should not fetch any CRLs any longer.
Try removing the lists. The CRLs are not hardcoded in MWG or the update; MWG reads them from the list and then fetches them. With this, if MWG has no CRL URLs to fetch, it won't complain.
Thanks for the suggestion, but this didn't work. I've already changed the central management setting for the CRL update to the maximum (every 7 days) and deleted all lists related to CRLs from Policy -> Lists, but even after a reboot, when triggering the updates it still tries to reach the CRL servers.
Do you use any internal certificates (GUI, Cluster, etc.) with CRL checking enabled? Where do you see that MWG tries to download CRLs? Is it only one CRL or many? Can you see a domain from which a CRL is downloaded?
No, we don't have any internal certs there. For the GUI there's the default cert, and in the cluster there's a self-signed cert generated on the proxy. I've seen those attempts via the CLI using tcpdump. It was attempting to connect to multiple domains, as if the Known CA list was still in place, even after I'd deleted that list and rebooted the appliance.