
Why do I get Certificate Errors on Blocked Categories on XG v18?

Greetings,

I'm using a self-signed cert for user portal login and admin logins, generated using the device's IP address.  When I log into those sites, the certificate passes through fine.  When end-users hit a site which is in a blocked category, the browser throws a certificate error.  I'm assuming it's using the same self-signed cert to show the blocked page, so why the cert error? Is this because it's an external site being accessed?  The URL shows as https://x.x.x.x:8090/ips/......



  • FormerMember

    Hi ,

    Thank you for reaching out to the Community! 

    If you want to see the block page presented to users when they try to access the restricted website category, you have to install the Firewall's SSL CA Certificate on your local machines. 

    Check out the following KB Articles:

    Thanks,

  • They're seeing the page, however the cert is showing as invalid or unsecure.

  • I have downloaded and distributed the Sophos cert to my AD clients via group policy. I see the cert in the trusted root store on my clients. They still see a cert error when the browsing policy blocks sites.  I don't know why this is.

  • Same, browsing to the admin and/or user portal works fine though.

  • Now on Sophos XG v18 you have two different Certificate Authorities: one that is used by default for the new DPI Engine, and another which is the Appliance Certificate (which is primarily used for HTTPS decryption with the Web Proxy).

    When a connection gets blocked, the firewall will redirect the client to itself over port 8090, but by default this connection uses the Appliance Certificate, which comes from a different CA than the one you imported to your users; << This is why your users get a certificate error.

    There are two ways to fix this. The first one is to generate a new certificate using the new CA that is used for the DPI Engine, and use this certificate for the Firewall WebUI.

    Another one is to get a certificate which is publicly signed; you can get it from your domain registrar (if you pay) or generate one through Let's Encrypt, and then use this certificate for the Firewall WebUI.

    Or, lastly, you can change the DPI Engine to use the Appliance Certificate Authority, and then re-import the CA to the machines.

    Thanks!


    If a post solves your question use the 'Verify Answer' button.

    XG 115w Rev.3 8GB RAM v19.5 MR1 @ Home.



    Just found out it's STILL NOT POSSIBLE.
    [edited by: Prism at 5:00 PM (GMT -7) on 20 Oct 2020]
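    A way to check which CA actually signed the certificate that the block page presents on port 8090, and whether it chains to the CA you distributed by group policy. This is an added diagnostic, not something from this thread or from Sophos; the host, port and file paths are assumptions, and the offline self-check builds its own throwaway CAs with openssl to reproduce the mismatch described above.

```shell
#!/bin/sh
# Added diagnostic (not from the thread). Requires the openssl CLI.
set -eu

# fetch_leaf HOST PORT OUTFILE: save the leaf certificate HOST:PORT presents.
# e.g. fetch_leaf 192.0.2.1 8090 /tmp/blockpage.pem   (placeholder address)
fetch_leaf() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -outform PEM > "$3"
}

# issuer_of LEAF_PEM: print the issuer DN, i.e. which CA really signed it.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# chains_to_ca LEAF_PEM CA_PEM: succeed only if LEAF_PEM validates against
# CA_PEM, which is the CA you pushed into the clients' trusted root store.
chains_to_ca() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# selfcheck: constructed scenario with two CAs (hypothetical names), a leaf
# issued by the "appliance" CA, and the "DPI" CA being the one distributed.
# Succeeds when the leaf chains to the appliance CA but NOT to the DPI CA,
# which is exactly the situation that produces the browser error.
selfcheck() {
    d=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/dpi.key" \
        -out "$d/dpi.pem" -subj "/CN=Constructed DPI CA" -days 1 >/dev/null 2>&1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$d/app.key" \
        -out "$d/app.pem" -subj "/CN=Constructed Appliance CA" -days 1 >/dev/null 2>&1
    openssl req -new -newkey rsa:2048 -nodes -keyout "$d/leaf.key" \
        -out "$d/leaf.csr" -subj "/CN=192.0.2.1" >/dev/null 2>&1
    openssl x509 -req -in "$d/leaf.csr" -CA "$d/app.pem" -CAkey "$d/app.key" \
        -CAcreateserial -out "$d/leaf.pem" -days 1 >/dev/null 2>&1
    issuer_of "$d/leaf.pem"
    if chains_to_ca "$d/leaf.pem" "$d/app.pem" && \
       ! chains_to_ca "$d/leaf.pem" "$d/dpi.pem"; then
        echo "mismatch reproduced: leaf is from the appliance CA, not the distributed CA"
        rm -rf "$d"; return 0
    fi
    rm -rf "$d"; return 1
}
```

    Against a real firewall, run fetch_leaf on the :8090 address, then chains_to_ca with the CA file you distributed; a non-zero exit means the clients will keep seeing the error until the two CAs match.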
  • OK. Where do you go to set the Firewall WebUI cert or change the DPI Engine to use the appliance cert?  I mean, it looks like it's using the self-signed cert I already did. I can check the properties of it and it shows the device IP.

  • Let's say I want to employ the first solution using my onsite CA. Is there a how-to video on this? I can create a cert request in IIS and submit this to my CA, then I export the cert and apply it how?

  • The easiest way is to change the DPI Engine to use the Appliance Certificate. You can do that by going to the SSL/TLS Inspection part, inside the Firewall tab: click on "SSL/TLS inspection settings" and in there you will have both options of "Re-sign RSA with" and "Re-sign EC with"; in both of them you can change to the default CA. Just be aware you will have to import the new CA to the users' machines.



  • Well, I just found out it still isn't possible on v18 MR3 to do this by the WebUI (awesome...), please check the answer I made for .



  • By default it's already set to "Default CA"...... only thing I can change to is "SecurityAppliance_SSL_Cert"