
decrypt and scan https is checked, and I installed the certificate to trusted root container, but no websites are working

I followed the procedures here:  https://community.sophos.com/kb/en-us/123048

However, I cannot reach any websites anymore, such as google, yahoo, etc, after I have checked the box to "decrypt and scan https" in my firewall rule.  What am I doing wrong?

I have tried restarting the browser, rebooting the computer, and removing and reinstalling the certificate, but nothing works.  What can I do to fix it?



  • Yes, here is the error that I get:

  • Any ideas yet?  I'm still trying to figure this out.

    What about the certificate, when I download it from the XG, it is in the form of a .pem file.  In Chrome for example, on the certificate import wizard, when browsing for the file to import, I have just been selecting the option to show all files, then I select that .pem file.  The default is that it is looking for a .cer or .crt file.  I didn't think it mattered, but do you think maybe it doesn't like the .pem file?


  • My experience with importing CAs is that if the application doesn't like the CA it will not install it, e.g. it wants a .cer but gets a .pem.

    Ian

  • I am currently a little bit surprised about this error page. Would suggest your proxy module is broken? Do you have something in front of the XG?

    Because the certificate seems to be okay. This block page is just content which the XG gives in the HTTP data part. 

  • I just have a modem in front of it, configured to IP Passthrough mode.  

    The block page says that "the content could not be scanned for malware, it may be corrupted or encrypted"

    Could this mean that somehow the XG is unable to decrypt it, even though the certificate is in place?

  • If you use Decrypt and Scan for HTTPS, there will be 2 HTTPS tunnels.

    The first one is between XG and Client. The XG uses the CA from Webadmin for this one. 

    The second tunnel is between the XG WAN Interface and the Internet. So basically most websites do not know there is an HTTPS proxy in the middle.

    This alert means something went wrong between the XG and the Internet.

    So I would assume there is something wrong when the XG builds up an HTTPS connection to the internet.

    Do you use / have you configured a parent proxy (Upstream Proxy) under Routing?

  • That error message should not be related to HTTPS scanning.  It is normally only used for times that a) the av engine returns an error to the web proxy or b) web proxy cannot talk to the av engine.

    Under Backups and Firmware \ Pattern Updates, does "Avira AV" and "Sophos AV" show Success with dates from today?

    Under System Services \ Services is Anti Virus running?

    Under Web \ General Settings.  Are you using Single Engine or Dual, and if Single which one?

    In Log Viewer, System, do you have anything that looks odd?


  • To follow up on the previous question, no, the upstream / parent proxy is not enabled.

    When I look at the AV settings:

    The Avira AV and Sophos AV do not show Success, they are just blank.

    Under services, Yes, the Antivirus is running.

    I'm using Single Engine.  The Single scan engine is set to "Sophos".

    On Log Viewer, System, I have some messages about Failing to check for updates from "Up2Date" process. I also had message such as:

    HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://scribe.logs.roku.com/'


    I notice that on the Web -> General Settings -> Malware and Content Scanning: Action on Malware scan failure: if I change it from "Block (best protection)" to "Allow", the webpages load and I don't get the block page anymore.  But I guess this means I'm bypassing the scanning, so I still need to fix the AV scan problem to get this working right.
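The System log messages quoted in this post are worth separating mechanically: "invalid server certificate" entries are per-site blocks caused by the HTTPS scanning setting, while "Failed to check for updates" entries point at the pattern-update problem behind the AV scan failure block page. The parser below is an added example, not part of the original thread or a Sophos tool; the log lines are constructed to match the messages quoted above.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample of XG Log Viewer (System) lines, modelled on the
# messages quoted in this thread. Not a real log export.
SAMPLE_LOG = """\
HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://scribe.logs.roku.com/'
Failed to check for updates
HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://scribe.logs.roku.com/'
Failed to check for updates
HTTPS access is denied due to invalid server certificate. Disable "Block invalid certificates" from "Web -> Protection -> HTTPS Decryption and Scanning" to access HTTPS site 'https://example.invalid/'
"""

# The site URL is quoted in single quotes at the end of the message.
INVALID_CERT_RE = re.compile(
    r"invalid server certificate.*?HTTPS site '(?P<url>https?://[^']+)'")
# Both wordings seen in the thread: "updates" and "pattern updates".
UPDATE_FAIL_RE = re.compile(r"Failed to check for (?:pattern )?updates")


def summarize(log_text):
    """Count invalid-certificate blocks per host and up2date failures."""
    hosts = Counter()
    update_failures = 0
    for line in log_text.splitlines():
        m = INVALID_CERT_RE.search(line)
        if m:
            hosts[urlsplit(m.group("url")).hostname] += 1
        elif UPDATE_FAIL_RE.search(line):
            update_failures += 1
    return {"invalid_cert_hosts": dict(hosts),
            "update_failures": update_failures}


def diagnosis(summary):
    """Turn the counts into the two separate problems discussed here."""
    notes = []
    if summary["update_failures"]:
        notes.append("pattern updates are failing: AV signatures are stale, "
                     "which explains the malware scan failure block page")
    for host, n in sorted(summary["invalid_cert_hosts"].items()):
        notes.append(f"{host}: blocked {n}x for an invalid server certificate "
                     "(review the site's chain before adding an exception)")
    return notes


if __name__ == "__main__":
    for note in diagnosis(summarize(SAMPLE_LOG)):
        print(note)
```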


  • I suspect the certificate stuff is not related and may resolve itself when the underlying problem is resolved.

    I suspect the reason you cannot do web browsing is because of the AV Scanner.

    I suspect the reason you cannot do AV Scanning is because you don't have valid AV signatures downloaded via up2date (u2d).


    In Backup and Firmware, Pattern Updates.  Do you have Auto Update on?  What happens if you click Update Pattern Now?

    What up2date errors appear in the log?


    If you go into the XG command line (the bash shell) can you do

    curl http://us-west-2.u2d.sophos.com/


    Can you attach a file with the last... let's say 500 lines of /log/u2d.log


  • Yes, Auto Update is on.  If I click Update Pattern Now, I get message:  "Failed to check for pattern updates".

    The up2date errors on the log viewer all say "Failed to check for updates".  These are coming in every 2 hours.  I don't see any other messages for up2date.

    The curl command from the Device Console is not working. I keep getting error: unknown parameter "curl"