XG FW - Some users have "Not Secure" notification in browser even though all sites are HTTPS

In your firewall rules do you have any of the boxes in the web settings ticked?

Ian

There are 3 levels of internet access. Each has their own web rule.  But this is the web filter settings: 

Hi,

that means you are using the web proxy not dpi.

ian

thank you for the reply,  ok, so enabling "use web proxy instead of DPI" will fix this?  The big question I have is why are only SOME users getting the issue? 95% of the BU is working without issues. 

Hi,

I wasn't able at the time to provide a full answer in my previous post.

If you tick any of the malware and content scanning the web proxy is used regardless of whether the use web proxy box is ticked or not.

There is a detailed instruction from Michael Dunn at the top of the forum.

Now do you setup up the users web browsers or do they fiddle, some might have enabled use proxy or detect proxy. Are all devices the same type hardware running the same software?

My W10 box using edge fails on some sites even though the CA is installed and I cannot see why.

Ian

We have a SOE build and most configuration settings are locked down and managed via GPO. They can't fiddle. 

We are using Edge though. Its a weird one and I am kind of losing it at this stage. :/  My team lead already asking if it was worth it switching from our old brand. 

I have to add, I had another issue on random endpoints where it would say "no Internet connection" on the network status icon in the task bar even though the endpoint has internet. This causes outlook and teams to not work. 

It has something to do with the background www.msftconnecttest.com query to check internet connectivity through ms. I have scoured the forum and found some info of people having similar problems but nothing fixed my issue. 

Sophos support also have not helped fix it. In fact still waiting for feedback almost 2 weeks later after they requested tcpdumps... "Enhanced Support"  

I ended up disabling Active Probing in the registry on these endpoints which seems to have fixed the issue. I hated doing this as I still have no clue what caused it...and its a work-around, not a fix.    

Pointing the DNS probe host from dns.msftncsi.com to our DC also works but can't do this for endpoints working off site and I'd rather not change this anyway.  

We use DELL for endpoints site-wide. The problem is occuring with various models, from old to brand new. 

We have a SOE build and most configuration settings are locked down and managed via GPO. They can't fiddle. 

We are using Edge though. Its a weird one and I am kind of losing it at this stage. :/  My team lead already asking if it was worth it switching from our old brand. 

I have to add, I had another issue on random endpoints where it would say "no Internet connection" on the network status icon in the task bar even though the endpoint has internet. This causes outlook and teams to not work. 

It has something to do with the background www.msftconnecttest.com query to check internet connectivity through ms. I have scoured the forum and found some info of people having similar problems but nothing fixed my issue. 

Sophos support also have not helped fix it. In fact still waiting for feedback almost 2 weeks later after they requested tcpdumps... "Enhanced Support"  

I ended up disabling Active Probing in the registry on these endpoints which seems to have fixed the issue. I hated doing this as I still have no clue what caused it...and its a work-around, not a fix.    

Pointing the DNS probe host from dns.msftncsi.com to our DC also works but can't do this for endpoints working off site and I'd rather not change this anyway.  

We use DELL for endpoints site-wide. The problem is occuring with various models, from old to brand new.