XG (SFOS 16.01.2) HTTPS scanning disabled but XG still uses Sophos CA for block pages on HTTPS Sites

Question

This is very odd. I have HTTPS scanning disabled and have even created an exception for my IP for all HTTPS scanning. However, when going to an HTTPS site that is blocked (facebook.com for example), it is using the Sophos CA for the block page, which does not work on the endpoint, because it does not nor can have the Sophos CA installed as a trusted CA. Why does XG use the Sophos CA as the root for blocked pages if I have HTTPS inspection turned off? If I go to an HTTPS site that is NOT blocked, it works fine and it is NOT using the Sophos CA...just blocked pages are getting the "Certificate cannot be trusted" and show Sophos as the root CA in the certificate: 
 Here are some pictures: 
 Facebook is blocked, but we are getting this instead of a blocked page: 
 
 Here is the certificate...Sophos CA?!?! 
 
 Here are my settings for HTTPS inspection: 
 
 Here is an allowed HTTPS page (google) with the certificate...notice Sophos is NOT the CA:

Michael Dunn · Accepted Answer

First, lets ignore authentication and just deal with HTTPS decryption. If you go to a website that is blocked, you it will force HTTPS decryption on and serve a block page using the CA. For a block there are really only two technical things we can do: - Drop the connection with no reply so the browser just fails - Break into the SSL encryption (which means forcing in our own CA) There really is no other option. There is no possible way for us to even send a 403 response back without decrypting the SSL. The UTM and XG behave exactly the same. AFAIK all our competitors do as well. We don't currently have the option to just drop the connection, but if it a heavily requested feature we can look into it. In this thread, the microap-discovery is a red herring (a unrelated distraction). There was a problem fixed in 16.05 MR4 that was regarding whether port 443 traffic was sent to the proxy if the services were not configured to do so. Even in pre MR4 it wouldn't affect this. Now for authentication, there are difference between UTM and XG, and also between standard and transparent mode. I'm not sure I understand the issue with SSL/CA and captive portal. Can you please explain?

lferrara · Answer

Hi All, 
 I did this test on MR6 with this option: 
 
 Captive portal

Firewall rule

Captive Portal page is displayed in HTTP and the page google.com or facebook.com are using their own CA. 
 
 Regards

sachingurung · Answer

Hi Rick, 
 I think you have micro-app discovery defined in the Application Filter policy, which will decrypt the HTTPS-based Web Application and throw the certificate error. Uncheck the micro-app option in the Application-Policy and clear the browsers cache. 
 Any help with that?

Aditya Patel · Answer

HI RickDunsirn , 
 If you did not enable Malware scanning on HTTPS and also Application filter then you may go console and type the command 
 Console> system application_classification microapp-discovery off 
 If you wish to use micro app discovery then you would need to install SSL CA certificate onto your systems and enable the option again instead of off. 
 
 Thanks and Regards 
 Aditya Patel | Sophos Network and Security Engineer.