NET::ERR_CERT_AUTHORITY_INVALID

Question

Sophos XG Firewall. 
 - Firmware version: SFOS 17.1.4 MR-4 
 - direct proxy in gateway mode 
 - Decrypt and Scan HTTPS option is disabled 
 - system application_classification microapp-discovery off 
 - and clear the browser's cache. 
 - restart Tomcat service from XG advanced shell: 
 - service tomcat:restart -dsnosync 
 As far as I can find, this issue was reported around a year ago or so. I've tried all the above suggestions that I've found in the forums. Still I get the Cert error when I enable the default web policy. 
 This issue was not present when I first built the firewall about 4 months ago, but did appear about one month ago. 
 Any other suggestions that I haven't found yet? 
 Thanks, Scott.

Aditya Patel · Accepted Answer

Hi Scott, 
 I have checked the configuration as per the policy and the URL is set to be blocked. The reason is the HTTPS connection was attempted and was blocked. The blocked message or captive portal was meant to be shown but your device does not recognize the certificate. In my machine, I have already imported the certificate and was able to view the message without restriction. This applies to chrome and edge as they share the same certificate library. Firefox can be dealt with by importing the certificate manually. 
 On the browser where you get the certificate error, if you click on advance you should receive the same page captive portal/blocked message. Please refer this KBA to import this certificate otherwise you can upload your own certificate used in web proxy and use that in your organization. In my case, I have used ADS to push the certificate through GPO.

Aditya Patel · Answer

Hello Scott, 
 Have a few follow-up questions on this issue. Could you please provide more information on this issue? 
 
 Please share the screenshot of the issue ? Since you have restarted the Tomcat services which have no relation with the Web filter policy. We would like to determine if the certificate error was encountred while accessing the GUI or a website. 
 When you receive the certificate error page, what the certificate issued to you ? 
 Could you please share with use the firewall rule you have configured for your systems? Please check the log viewer if there is any drop on IPS/Application filter. 
 By default " system application_classification microapp-discovery " should be off unless turned on manually.

FloSupport · Answer

Hi Scott, 
 Yes, you are correct. Removing that category should allow the site to be accessed without warning. 
 Also regarding Chrome allowing the site while IE & Edge do not - is probably related to the QUIC protocol . In your firewall rule, please enable the setting to "Block Google QUIC". 
 Regards,