
HTTPS scan and decrypt

Hello Community...

I am trying to run the HTTPS scan and decrypt feature on my UTM box in transparent mode. I've found a guide on the Sophos web pages on how to enable it and import the certificate. I am not able to get it running on an iOS device. In the logs I always see something like this:

"http" request="(nil)" function="read_request_headers" file="request.c" line="1586" message="Read error on the http handler 80 (Input/output error)"

I've checked the option to skip certificate checks under the exception tab and also imported the certificate from https://passthrough.fw-notify.net/cacert.pem into the iOS devices, but unfortunately without luck... so do you have any advice?

After some deeper investigation I've found that most of the stuff is not working after importing the certificate and enabling HTTPS decrypt and scan... Skype is not working, iTunes, Evernote, WebEx, etc... a lot of content is simply blocked and not displayed... I'm spending another day troubleshooting and it drives me nuts... I think... this UTM feature simply doesn't work... or I am really LAME...

Can you please help me with what I am doing wrong? As I mentioned, web protection is enabled in transparent mode and I am running UTM 9.5.

 

Thank you.



This thread was automatically locked due to age.
  • Hi there,

    Yes indeed some online services aren't very compatible with MITM.
    Check a DPI setup with Skype exclusion on a FortiGate device: https://forum.fortinet.com/tm.aspx?m=115276

    You've got to do your research for that. For production I'd advise using "Decrypt and scan the following:" and digging into the categories in there. For example, I'd remove the social network things and such. Although in my main setup I'm using "Scan and decrypt" with no issues.

    Pay attention to one thing as well: you'd better import the Sophos UTM proxy certificate into the computer's root certificates location, not only into the browser. (Skype and other compiled crap are browser exempt).

    Let us know.

    Cheers,

    m-
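
Added example, not part of the original thread: a small Python check that performs the TLS handshake from a non-browser client twice, once with Python's default trust store and once with the proxy CA file added, to tell whether a failure comes from the proxy CA missing from that store. It assumes the CA from the post has been saved locally as a PEM file; the function names and the sample certificate are hypothetical.

```python
import socket
import ssl


def issuer_name(cert):
    """Issuer CN (or O) from the dict returned by SSLSocket.getpeercert()."""
    fields = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    return fields.get("commonName") or fields.get("organizationName", "")


def handshake(host, port=443, extra_ca=None, timeout=5.0):
    """Verified TLS handshake; returns (ok, issuer name or error text)."""
    ctx = ssl.create_default_context()              # default trust store only
    if extra_ca:
        ctx.load_verify_locations(cafile=extra_ca)  # plus the proxy CA file
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, issuer_name(tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        return False, exc.verify_message
    except OSError as exc:                          # reset, timeout, refused
        return False, str(exc)


def classify(default_result, with_ca_result):
    """Interpret the two handshakes made for one host."""
    (d_ok, d_info), (c_ok, c_info) = default_result, with_ca_result
    if d_ok:
        return f"trusted by default store, issuer: {d_info}"
    if c_ok:
        return f"intercepted, proxy CA not in default store, issuer: {c_info}"
    return f"fails even with proxy CA: {c_info}"


def check(host, proxy_ca_pem):
    return classify(handshake(host), handshake(host, extra_ca=proxy_ca_pem))


# Constructed sample in getpeercert() format; "Example Proxy CA" is made up.
SAMPLE_CERT = {"issuer": ((("countryName", "XX"),),
                          (("organizationName", "Example Org"),),
                          (("commonName", "Example Proxy CA"),))}

if __name__ == "__main__":
    import sys
    print(check(sys.argv[1], sys.argv[2]))  # arguments: host, path to CA PEM
```

If the first result names the proxy CA as issuer, the store already trusts it; a host that fails both ways is not a trust-store problem and is a candidate for the decryption exceptions mentioned in the reply.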
