Sophos Central Endpoint and SEC: Computers fail/hang on boot after the Microsoft Windows April 9, 2019 update. Please follow knowledge base article 133945
Learn about the Benefits of Multi-Factor Authentication (MFA). Turn your MFA on now!
We'd love to hear about it! Click here to go to the product suggestion community
scanning https in firewall rule will block may websites , how could i exclude
eg : https://testcaselab.com/
first site fail because a security certificate issue at their end. Second site works fine.
Have you installed the XG certificate on your PC?
In reply to rfcat_vk:
installed certificate on my pc ,
how could i exclude this errors
In reply to kmmedical software:
you need to create web exceptions or you can create your own classifications for each site.
What features in the blocking rule are you using?
We are blocking gmail access except our company mail domain based on below link
after this policy applied https scanning blocking all untrusted https websites , we tried to exclude all the possibilities ( URL Group & categories ) nothing sort this issue.
We need to block gmail same time we need to access above category websites.
how many sites are you trying to exclude?
When you look at log viewer what entries do you see when you try to connect to the sites?
If you use regex to build the exclude entires that exception will apply to all rules where as if you create your own web policies you can add them to the appropriate firewall.
thank you , we fix the issue with web -- exception to exclude sites from https scanning & policy check
The XG may be more strict about the certificate checks that browser do by default.
For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.
But when the proxy tries to do HTTPS inspection it finds a bad certificate. On the block page you can click "about this request"
If you want to know more, go to ssllabs.com and put in the domain.
In this case, ssllabs gave it an F for different reasons. However the also noted that the chain is incomplete (which is the reason that XG complained).
In reply to Michael Dunn:
thanks for the reply , will check & get back to you