
Certificate validation questions for Web Filter and WAF

Wondering about migrating to XG, but want to have reliable answers to these questions.   Hoping the community can provide answers:

Web Filtering with HTTPS inspection enabled

  • Does XG ignore root certificates that are included (incorrectly) in the certificate chain supplied by a server?
  • Does XG use AIA fetching to compensate for servers that (incorrectly) omit the intermediate certificate(s) in the download chain?
  • How do I determine all of the sites that were blocked (yesterday, or selected time period) because of certificate problems?
  • There seem to be three ways to check for certificate revocation: CRLs, OCSP, or Certificate Transparency. Which revocation checking methods are possible with XG? What revocation policy is enabled by default?
  • How do I review and alter the protocols and ciphersuites used for browser-to-XG connections?   For XG-to-server connections?   Am I able to alter these?
  • Do the logs let me know what ciphersuite was used for any particular connection? If a particular cipher is deprecated based on industry research, I want to know how my users’ connectivity will be affected if that mechanism is disabled.
  • Does XG HTTPS inspection pass all of the tests at badssl.com?

Web Application Firewall, User Portal, Web Admin

  • When an XG webserver function is configured with a commercial certificate, does XG always deliver a correct certificate chain – Intermediate certificates included, root certificates excluded?

 Thank you!


