HTTPS Decrypt and Scan Encountering Warning Pages

The message means: The Firewall can#t check the Server-identity.
This is not a problem from SSL-decryption certificate at the client.
Check the webserver, there must be an issue with the SSL-Server certificate.
I use https://testtls.com or www.ssllabs.com/.../ for this.

You may post the server-url here.

Hi Dirk,

We pushed the appliance certificate (SecurityAppliance_SSL_CA) located under Certificates > Certificate Authorities. This same certificate is set under Web > General Settings > HTTPS scanning certificate authority (CA) to be used as the designated CA.

Devices with the certificate above worked mostly, and those without the certificate got blocks on every page. Those with the certificate only got blocks on certain pages, or using certain services.

As soon as we turned Packet Inspection off, the site was accessible as before Packet Inspection was enabled. There aren't any other firewall rules in use that would supersede this one with Decrypt HTTPS during web proxy filtering checked, so I'm at a loss as to what would cause this.

Hi Dirk,

We pushed the appliance certificate (SecurityAppliance_SSL_CA) located under Certificates > Certificate Authorities. This same certificate is set under Web > General Settings > HTTPS scanning certificate authority (CA) to be used as the designated CA.

Devices with the certificate above worked mostly, and those without the certificate got blocks on every page. Those with the certificate only got blocks on certain pages, or using certain services.

As soon as we turned Packet Inspection off, the site was accessible as before Packet Inspection was enabled. There aren't any other firewall rules in use that would supersede this one with Decrypt HTTPS during web proxy filtering checked, so I'm at a loss as to what would cause this.

Hi,

some sites do not like inspections eg Apple, so you have an exception list, there is one provided by Sophos and then you can create your own. If the site must be inspected then you need to look at the web proxy.

Michael Dunn's explanation

Ian

Hi Ian,

Thanks for the reference. I did find that article, that but perhaps I missed something. Can you clarify where this list is, how we enable or include it in our configuration? Can we then add to this list, or use multiple lists?

Can you also clarify what you mean by looking at the web proxy in the latter half of your post?

Hi,

the list is in GUI -> Profiles -> Decryption.

The list is used automatically by the default SSL/TLS rule and is not user editable. You can create your own for use with your SSL/TLS rules.

If you want to ensure a site is scanned you use the WEB Proxy assuming the ports you want scanned are web ports. Again not all sites work correctly with scanning, Apple being one.

Ian

I would expect that these few websites use CA's that the XG does not come shipped with.

So from time to time it's required to add some CA's to the certificate store of the XG.

Check the cert chain with the tools mentioned

dirkkotte said:

I use https://testtls.com or www.ssllabs.com/.../ for this.

and search the certificate store for them.