scanning https blocking many websites

scanning https in firewall rule will block may websites , how could i exclude

eg : https://testcaselab.com/

https://retail.axisbank.co.in/

rfcat_vk
- 0
- 3 Dec 2018 6:52 AM
Hi,

first site fail because a security certificate issue at their end. Second site works fine.

Have you installed the XG certificate on your PC?

Ian
kmmedical software
- 0
- 3 Dec 2018 7:07 AM
In reply to rfcat_vk:

installed certificate on my pc ,

how could i exclude this errors
rfcat_vk
- 0
- 3 Dec 2018 7:11 AM
In reply to kmmedical software:

Hi,

you need to create web exceptions or you can create your own classifications for each site.

What features in the blocking rule are you using?

Ian
kmmedical software
- 0
- 3 Dec 2018 7:51 AM
In reply to rfcat_vk:

Hi,

We are blocking gmail access except our company mail domain based on below link

https://community.sophos.com/kb/en-us/126532

after this policy applied https scanning blocking all untrusted https websites , we tried to exclude all the possibilities ( URL Group & categories ) nothing sort this issue.

We need to block gmail same time we need to access above category websites.
rfcat_vk
- 0
- 3 Dec 2018 8:00 AM
In reply to kmmedical software:

Hi,

how many sites are you trying to exclude?

When you look at log viewer what entries do you see when you try to connect to the sites?

If you use regex to build the exclude entires that exception will apply to all rules where as if you create your own web policies you can add them to the appropriate firewall.

Ian
kmmedical software
- 0
- 3 Dec 2018 12:40 PM
In reply to rfcat_vk:

thank you , we fix the issue with web -- exception to exclude sites from https scanning & policy check
Michael Dunn
- 0
- 6 Dec 2018 8:01 PM
In reply to kmmedical software:

The XG may be more strict about the certificate checks that browser do by default.

For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.

But when the proxy tries to do HTTPS inspection it finds a bad certificate. On the block page you can click "about this request"

URL:Â https://testcaselab.com/
- Certificate details:
  
  Valid From: Feb 11 18:09:03 2018 GMT
  
  Valid To: Feb 10 10:07:38 2020 GMT
  
  Serial Number: e4:fc:8c:20:40:28:4d:68
  
  Subject: OU=Domain Control Validated, CN=*.testcaselab.com
  
  Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com
  
  Inc./OU=certs.godaddy.com/.../CN=Go Daddy Secure Certificate Authority - G2
- SSL error: unable to get local issuer certificate
If you want to know more, go to ssllabs.com and put in the domain.

https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141

In this case, ssllabs gave it an F for different reasons. However the also noted that the chain is incomplete (which is the reason that XG complained).
kmmedical software
- 0
- 7 Dec 2018 4:41 AM
In reply to Michael Dunn:

thanks for the reply , will check & get back to you

Have a cool product idea or improvement?

scanning https blocking many websites