scanning https in firewall rule will block may websites , how could i exclude
https://retail.axisbank.co.in/
This thread was automatically locked due to age.
Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.
scanning https in firewall rule will block may websites , how could i exclude
https://retail.axisbank.co.in/
Hi,
first site fail because a security certificate issue at their end. Second site works fine.
Have you installed the XG certificate on your PC?
Ian
XG115W - v20.0.3 MR-3 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
Hi,
you need to create web exceptions or you can create your own classifications for each site.
What features in the blocking rule are you using?
Ian
XG115W - v20.0.3 MR-3 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
Hi,
We are blocking gmail access except our company mail domain based on below link
https://community.sophos.com/kb/en-us/126532
after this policy applied https scanning blocking all untrusted https websites , we tried to exclude all the possibilities ( URL Group & categories ) nothing sort this issue.
We need to block gmail same time we need to access above category websites.
Hi,
how many sites are you trying to exclude?
When you look at log viewer what entries do you see when you try to connect to the sites?
If you use regex to build the exclude entires that exception will apply to all rules where as if you create your own web policies you can add them to the appropriate firewall.
Ian
XG115W - v20.0.3 MR-3 - Home
XG on VM 8 - v21 GA
If a post solves your question please use the 'Verify Answer' button.
The XG may be more strict about the certificate checks that browser do by default.
For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.
But when the proxy tries to do HTTPS inspection it finds a bad certificate. On the block page you can click "about this request"
If you want to know more, go to ssllabs.com and put in the domain.
https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141
In this case, ssllabs gave it an F for different reasons. However the also noted that the chain is incomplete (which is the reason that XG complained).
thanks for the reply , will check & get back to you