Looking for assistance with a website that fails URL exceptions

Hi,

I have spent most of the day being frustrated by a couple of websites. I had the same issue with one of the websites when using the UTM and cannot recall what I did to overcome it.

The site is my wife's favourite forum (home town). It works okay in Safari, in my opinion, but my wife says otherwise. When I implement HTTPS scanning on her firewall rule and use Firefox, the site throws up errors about certificates. So does FF connecting to Google. FF fails to accept the imported certificates. Google was fixed with HTTPS exceptions.

The site in question is www.idnes.cz. The issue is that when the site loads, the last action is to remove the formatting. If I clear the FF cache I get the first page loaded successfully, but the next page fails. I have tried following the pages being loaded while watching Safari load and added the sites to the exception list, no joy.

My regex `^([A-Za-z0-9-.]*\.)idnes\.cz` stops the certificate error but not the format error. Now if I use `^([A-Za-z0-9-.]*\.cz)` everything loads correctly, but that is just plain stupid because there is no scanning of any .cz sites. Trying to debug this using XG logs is just plain painful.

So how do I track down the website that is causing the format error? Any suggestions?

Thank you, Ian
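An added check, not part of the original post, that runs the two exception patterns quoted above (the first with its missing dot restored) against a handful of constructed host names to show how much each one exempts from scanning. The end-anchored third pattern and the use of a bare host name as the match target are assumptions of this example, not something the thread states.

```python
import re

# The two exception patterns quoted in the post above (the first with its
# dropped "." restored) and, as an assumption not taken from the thread, a
# version anchored at the end of the host so it cannot over-match.
PATTERN_SITE = r"^([A-Za-z0-9-.]*\.)idnes\.cz"      # posted: stops the cert error
PATTERN_ANY_CZ = r"^([A-Za-z0-9-.]*\.cz)"            # posted: "just plain stupid"
PATTERN_TIGHT = r"^([A-Za-z0-9-]+\.)*idnes\.cz$"     # assumed tighter alternative

# Constructed host names for the audit; none come from the thread's logs.
# (Matching a bare host name is a simplification; the real match target
# on the firewall is not described in the thread.)
HOSTS = [
    "www.idnes.cz",              # the forum itself
    "forum.idnes.cz",            # a subdomain of it
    "other-site.cz",             # unrelated .cz site
    "www.cz.example.com",        # ".cz" is only an inner label
    "www.idnes.cz.example.com",  # target name embedded in another host
    "www.example.com",           # unrelated host
]


def bypasses_scanning(pattern: str, host: str) -> bool:
    """True if `host` would hit the exception (and so skip HTTPS scanning)."""
    return re.match(pattern, host) is not None


def bypassed_hosts(pattern: str) -> list[str]:
    """Every constructed host the pattern would exempt from scanning."""
    return [h for h in HOSTS if bypasses_scanning(pattern, h)]


def audit(patterns: dict[str, str]) -> dict[str, list[str]]:
    """Map each pattern label to the hosts it exempts, for side-by-side review."""
    return {label: bypassed_hosts(p) for label, p in patterns.items()}


if __name__ == "__main__":
    results = audit({"site": PATTERN_SITE, "any_cz": PATTERN_ANY_CZ,
                     "tight": PATTERN_TIGHT})
    for label, hosts in results.items():
        print(f"{label:7s} exempts: {hosts}")
```

Without an end anchor, both posted patterns also exempt a host that merely contains the target name (`www.idnes.cz.example.com`), and the `.cz` pattern exempts any host with a `.cz` label anywhere in it.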



  • Instead of importing a CA in the Web Browser, import it via MMC on Windows or Keychain on OSX.

    Install the Certificate in the local machine’s Trusted Root Authority container

    Windows

    1. Open the Microsoft Management Console by typing "MMC" in the "Run" box.
    2. Open Add or Remove Snap-ins by selecting FILE > ADD/REMOVE SNAP-IN...
    3. Select Certificates from the list and click Add to display the Certificates Snap-in window.
    4. Select the Computer Account and click Next.
    5. Click Finish and close the list of snap-ins.
    6. Click OK to add the certificates snap-in, which should now be visible in the Add/Remove Snap-ins window.
    7. Expand the list of certificate containers, right click Trusted Root Authorities and choose All Tasks > Import to start Certificate Import Wizard.
    8. Import the Certificate downloaded in step 2 using this wizard.

    Macintosh

    1. Download the SSL CA Certificate as shown in step 1.
    2. Once downloaded, double-click the Certificate. This launches Keychain Access and displays a Certificate Not Trusted warning.
    3. Click Always Trust to import the certificate into Login Keychain.

    Thanks,

  • Hi Sachin,

    Maybe I didn't make my issue very clear. On a Mac the CA is installed in the keychain and Safari has no issue with the exceptions. Still on a Mac, Firefox installs the CA but does not recognise all the exceptions and kills the page formatting at the end of the page download.

    Ian

  • Hey Ian,

    Not a fix, but what happens if you add that site to a firewall rule that has no scanning etc. on it and place it towards the top of the list?

    I have a bunch of sites similar to yours that exceptions don't really fix, and I need to create a bypass from any App Filters, Web Filters, IPS etc.

    I have one that's killed by the app policy; then I go through that app policy one by one and remove each section, and the site is still blocked with all categories gone.

    Too hard to work out, and the log files are still crap; bypass with a FW rule to skip it.

  • Hi M8ey,

    Well, this is a long story which I will try to abbreviate.

    1/. Took your suggestion and put a rule with the specific site and no scanning.

    2/. FF on Mac and IE on W10 still got upset, but the rule passed lots of traffic.

    3/. Fiddled with lots of settings on both FF and IE, to no avail.

    4/. Tried creating an IPv6 rule using FQDN hosts and FQDN host groups; no such function.

    5/. Turned off HTTPS scanning on my Mac (IPv4) firewall rule (still had the new bypass rule at the top); big improvement, but not 100%.

    6/. Turned off scanning on the IPv6 rule and IE and FF are both happy.

    7/. Turned HTTPS scanning on in both IPv4 and IPv6 rules; site broken again.

    Summary.

    1/. Even though I have a bypass rule at the top of the firewall list, functions within the lower rules were still applied.

    2/. IPv6 rules are limited in functionality, and I'm not sure the HTTPS exceptions are accepted by the IPv6 rules?

    3/. Having a bypass rule at the top did not work.

    4/. Did not try just HTTP scanning in the top rule to see if that overcame the previous issues. Something to do after lunch.

    Ian

  • Are you having fun yet? :-)

    If they are not hitting the rules above, it's not picking up the rule correctly?

    Did you use IP or hostname? Wildcards?

    I don't use IPv6, but on IPv4 my rules work fine with hostnames and IPs and bypass OK.

  • The tests were hitting the rule because it was recording significant traffic. I was using an FQDN host group with a wildcard host.

    With URL exceptions, they seem to work in both IPv6 and IPv4, based on success with having Google and my weather station bypass scanning.

    Will try the rule at the top again, but with HTTP scanning only.

    Ian

    Further testing would indicate it is a timing issue, not sure where though. If a page fails to load correctly, a couple of refreshes seem to fix it. Also, the security issue when first connecting sometimes goes away if a page refresh is forced.

    Strange!!

  • I have turned off most web functions within the web tab and still not achieved consistent results. With HTTPS scanning disabled the site works perfectly, except that a large number of adverts make it past the policy.

    Ian

  • I let things settle overnight. On my wife's Mac (MBP) this morning FF displayed warnings about (www.idnes.cz) pages being slow to load, but eventually they loaded.

    So somewhere (on the XG I expect) I need to work out where to lengthen the timeout before it decides the sessions are not related and blocks the connection.

    Ian

  • Do you have IPS enabled at all, Ian?

    Also, have you checked the DNS servers: timeout before moving to the second choice (maybe)?

    Grasping at straws here, mate.

  • Thank you for the suggestions, but I have found that straws are good for drinking cocktails with.

    Not an IPS issue; it only shows up in FF on Mac with HTTPS scanning enabled. Also no increase in hits in the IPS report.

    DNS? I don't think so; Safari on the same Macs works fine. I will just leave my wife's Mac on its own IPv4 rule with no HTTPS scanning. When the site migrates to IPv6 I will have to address the issue again.

    Ian

    Ping reports 359 ms regardless of packet size (64/1024/2048). Traceroute has some very long responses in the middle sections of the trace.

  • Then enjoy those cocktails with my straws :-)

  • Hi folks,

    I didn't have to use the straws, but strong drink was beginning to look good.

    After some guidance and hints from Sachin (thank you) I have finally been able to get FF on my Mac to talk to Google and the idnes sites without exceptions in place.

    1/. Safari worked after following the advice on installing certificates in keychains.

    2/. FF would not connect.

    3/. W10 IE was failing.

    This morning, while investigating the W10 issue, I found the certificate was installed incorrectly and not trusted. Installed correctly and trusted, no more errors for Google or idnes sites. So this got me thinking further about the FF on Mac installation of CAs. Installed again, still failed. Deleted all the certificates I could find and re-installed, still failure. Continued hunting and found another certificate that was trusted; updated trust and removed all the other attempts and bingo, all now works.

    Summary: FF is a pain to install certificates in the correct place and then find them to update trust.

    Next challenge is my wife's Mac. [:O]

    Ian

  • Hi Ian,

    After reading your response, I recall a previous instance where I imported the certificates via Keychain on my MacBook but somehow still received the invalid certificate error with Chrome or FF (I don't remember exactly), but no error with Safari. Later I decided to import the certificate via the custom web browser settings and that somehow did the trick.

    Not sure if that is a keychain issue, because only the third-party browsers are not updated with a proper CA.

    Thanks,

  • Hi Sachin,

    I investigated FF importation of CAs; at this stage FF does not import from keychains on a Mac, but does a limited import from IE on W10 (semi-automatic with the current version). So there is hope for the future of one central CA registry on a Mac.

    Ian