web proxy certificate

Hello.  I assume you're not using decrypt & scan?  The webpage they're getting the certificate warning on (stats.g.doubleclick.net by the looks of it).....what does it show in the web filtering logs for this url?  Likely you are seeing the untrusted certificate page because the UTM is trying to display a web filtering block page to the end user.  The web filtering block page is HTTPS and uses the certificate installed (or the default certificate) for web filtering.  

Tim

Hi Tim,

Thank you for your reply and sorry for late reply,

you are right we are not using decrypt and scan.

I did check the web filtering logs and see this:

2019:01:21-16:15:48 securitysrv1-1 httpproxy[32097]: id="0071" severity="info" sys="SecureWeb" sub="http" name="web request warned, forbidden category detected" action="warn" method="CONNECT" srcip="10.0.10.240" dstip="" user="" group="" ad_domain="" statuscode="403" cached="0" profile="REF_DefaultHTTPProfile (Default Web Filter Profile)" filteraction="REF_DefaultHTTPCFFAction (Default content filter action)" size="0" request="0xdbca6a00" url="https://stats.g.doubleclick.net/" referer="" error="" authtime="0" dnstime="0" cattime="84" avscantime="0" fullreqtime="228338" device="0" auth="0" ua="" exceptions="" reason="category" category="154" reputation="neutral" categoryname="Web Ads"

What I dont understand is who is the stats.g.doubleclick.net? we dont even try to open that url so why woyld the utm block this url?

Thanks

"stats.g.doubleclick.net Is one of DoubleClick subdomains used for loading tracking pixels or as an alternative for loading Google Analytics, collecting statistics and data that google uses to analyze and display advertisments."

It would appear this URL is used for advertisement or marketing purposes.  Many websites use this URL, it gets accessed in the background automatically.  This is the reason why you're getting the invalid certificate.  The UTM is trying to display the block page showing this URL as being blocked and because your browser doesn't trust the UTM's self signed certificate when it attempts to present it in order to present the block page.  

You can either deploy the certificate to endpoints, create an exception to allow this URL, or continue to block it as is, it's up to you how you want to proceed.  

Tim

Hi Tim,

Thanks for your reply,

We have an application that when opened, it display a website as its start page. The website that displays is owned by the customer that use the the application so we trust that website.

If I understood you correctly my browser dont show me the default warning page of the Sophos becuase I dont have the UTM cert on my PC, am I right?

What I dont understand is why we suddenly  getting this warning?

Thanks

Update,

This time I get the same Warning but this time for this URL:

googleads.g.doubleclick.net

You are correct.  Your browser is giving you the untrusted certificate warning because you do not have the root CA installed on your PC.  I really can't tell you why a user wouldn't be getting the warning page, you would have to look at your web filtering logs to first determine if there's any reason why they should be getting the warning.  If you're on a domain, I would recommend that you simply push the CA certificate out via a GPO, this will solved your issue.

Tim