

[Web Filtering] Blocked or warning message protocol (HTTP or HTTPS)

Hi All,

I have just deployed the Web Filtering feature and I am experiencing inconsistent behavior when the XG unit generates warning/block messages for the user:

It doesn't matter if the website is HTTP or HTTPS; the warning/block message shown to the user is randomly generated, sometimes as HTTP but other times as HTTPS. It is fine for managed devices, as I can deploy the Sophos SSL CA root cert to them, but when it comes to guest users, they get a certificate invalid warning message (obviously I can't deploy the cert to them as they are not managed devices).

Is there a way to force XG to generate warning/block messages as HTTP pages so guest users don't get any invalid certificate messages?

Many Thanks,

Mateusz Kordaszewski



This thread was automatically locked due to age.
  • Hi,

    The Block page is embedded into the data load of the proxy. So every HTTP and HTTPS page is intercepted.

    "Is there a way to force XG to generate warning/block messages as HTTP pages so guest users don't get any invalid certificate messages?"

    You should not scan the HTTPS traffic of your guest users.

    Build an authentication rule with HTTPS scanning for your internal users and a network-based rule without HTTPS for your guest users.

  • Hi ManBearPig,

    HTTPS scanning is not enabled on any of the rules (HTTP scanning is, but it shouldn't matter; I will confirm if disabling it makes any difference). This behavior is linked to the web filtering policy.

    The other problem I've noticed with the warning action is that after the user clicks the proceed button on the warning page, web filtering will break the content of the page (depending on the site, but it is pretty common; LinkedIn, for example).

    Right now I am leaning towards not using the warning "action" on the web filtering policy at all and just blocking what should be blocked and allowing everything else. This way I will not get rid of the certificate warning issue for my guests, but at least allowed pages will load correctly and users will only have invalid certificate warnings on really bad sites which they shouldn't visit anyway.

    Many thanks for your reply, and I will appreciate it if you have any better ideas,

    Mateusz