cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
AlesD
Level 8
Report Inappropriate Content
Message 1 of 7

Disable CRL download

Hi,

We have web gateway deployed as an ICAP server in a restricted environment where we have only HTTPS enabled to internet to be able to download engine updates. But this has a bit issue when it comes to CRL downloads. Obviously as it's purpose is only as an ICAP server, we don't need any CRLs, but it seems that the appliance can't be stopped to attempt those downloads, and it's continuously retrying to access these lists.

Any idea how to stop those?

6 Replies
aloksard
McAfee Employee
McAfee Employee
Report Inappropriate Content
Message 2 of 7

Re: Disable CRL download

Hi,

Hope you are doing well.

 

Configuration->Appliance-> Central Management->Automatic Engine Updates->CRL update interval , with this option you  can adjust the CRL update interval.

 

We can simply delete all the "CA lists" that exist on the MWG and restart, then MWG should not fetch any CRLs any longer.

 

Try removing the lists. The CRLs are not hardcoded in MWG or the update, MWG reads them from the list and then fetches them, with this if MWG has no CRL URLs to fetch it won't complain

 

Was my reply helpful? If you find this post useful, Please give it a Kudos! Also, Please don't forget to select "Accept as a solution" if this reply resolves your query!

 

Regards

Alok Sarda

AlesD
Level 8
Report Inappropriate Content
Message 3 of 7

Re: Disable CRL download

Thanks for the suggestion, but this didn't work. I've already changed the central management setting for CRL update to max(every 7 days) and deleted all lists related to CRLs from Policy -> Lists, but even after reboot when triggering the updates it still tries to reach the CRL servers.

fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 4 of 7

Re: Disable CRL download

Hello @AlesD 

have you also deleted Subscribed Lists > Certificate Authority > Known CAs ?

AlesD
Level 8
Report Inappropriate Content
Message 5 of 7

Re: Disable CRL download

Yes, that one was also removed, but still it tries to download them.

 

Ales.

fw_mon
Reliable Contributor
Reliable Contributor
Report Inappropriate Content
Message 6 of 7

Re: Disable CRL download

do you use any internal certificates (GUI, Cluster, etc.) with enabled CRL check? Where do you see that MWG try to download CRL? Is it only one CRL or many? Can you see a domain where a CRL downloaded from?

AlesD
Level 8
Report Inappropriate Content
Message 7 of 7

Re: Disable CRL download

No, we don't have there any internal certs. For GUI there's the default cert. and in cluster is self-signed cert. generated on the proxy. I've seen those attempts via CLI using tcpdump. It was attempting to connect to multiple domains, like the Known CA list was still in place, even after I've deleted that list and rebooted the appliance.

You Deserve an Award
Don't forget, when your helpful posts earn a kudos or get accepted as a solution you can unlock perks and badges. Those aren't the only badges, either. How many can you collect? Click here to learn more.

Community Help Hub

    New to the forums or need help finding your way around the forums? There's a whole hub of community resources to help you.

  • Find Forum FAQs
  • Learn How to Earn Badges
  • Ask for Help
Go to Community Help

Join the Community

    Thousands of customers use the McAfee Community for peer-to-peer and expert product support. Enjoy these benefits with a free membership:

  • Get helpful solutions from McAfee experts.
  • Stay connected to product conversations that matter to you.
  • Participate in product groups led by McAfee employees.
Join the Community
Join the Community