Sophos UTM 9 HTTPS Blocking Behaviour

What you want is not possible.

If you browser sends a query to server1, it will accept a reply from server1, but it will ignore an unsolicited response from server2.   If the browsers worked otherwise, we would be dealing with a bunch of different attack methods.

Http requires no authentication, so any device can claim to be server1 and send a reply.   UTM can display those block pages without any problems.

Https requires authentication, so blocking the traffic requires impersonation.   UTM generates the certificate to impersonate.  If the browser does not trust the certificate, it will display a certificate warning page or other error. You have limited options:

• Distribute the UTM CA Root so that UTM can impersonate successfully.
  
  
• Do not distribute the certificate, but teach your users that a certificate warning might mean that the page was blocked.  If they click through the warning, they will see the block method.  On the other hand, we also need to teach users to be wary of certificate warnings, as it could mean that they have been misdirected to a hostile site.
  
  
• Switch to XG, which has an option to drop the packet silently, which will cause the browser to display a timeout error after its wait timer expires.   If you are blocking Web Ads, as I do, I would expect silent block to create pernicious delays on many sites, delays that I expect users would find unacceptable.  I have not used XG, the option was discussed in another recent post asking similar questions.

What you want is not possible.

If you browser sends a query to server1, it will accept a reply from server1, but it will ignore an unsolicited response from server2.   If the browsers worked otherwise, we would be dealing with a bunch of different attack methods.

Http requires no authentication, so any device can claim to be server1 and send a reply.   UTM can display those block pages without any problems.

Https requires authentication, so blocking the traffic requires impersonation.   UTM generates the certificate to impersonate.  If the browser does not trust the certificate, it will display a certificate warning page or other error. You have limited options:

• Distribute the UTM CA Root so that UTM can impersonate successfully.
  
  
• Do not distribute the certificate, but teach your users that a certificate warning might mean that the page was blocked.  If they click through the warning, they will see the block method.  On the other hand, we also need to teach users to be wary of certificate warnings, as it could mean that they have been misdirected to a hostile site.
  
  
• Switch to XG, which has an option to drop the packet silently, which will cause the browser to display a timeout error after its wait timer expires.   If you are blocking Web Ads, as I do, I would expect silent block to create pernicious delays on many sites, delays that I expect users would find unacceptable.  I have not used XG, the option was discussed in another recent post asking similar questions.