This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

scanning https blocking many websites

kmmedical software over 6 years ago

scanning https in firewall rule will block may websites , how could i exclude

eg : https://testcaselab.com/

https://retail.axisbank.co.in/

This thread was automatically locked due to age.

Parents

0 rfcat_vk over 6 years ago

Hi,

first site fail because a security certificate issue at their end. Second site works fine.

Have you installed the XG certificate on your PC?

Ian

XG115W - v20.0.3 MR-3 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 kmmedical software over 6 years ago in reply to rfcat_vk

installed certificate on my pc ,

how could i exclude this errors
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 6 years ago in reply to kmmedical software

Hi,

you need to create web exceptions or you can create your own classifications for each site.

What features in the blocking rule are you using?

Ian

XG115W - v20.0.3 MR-3 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 kmmedical software over 6 years ago in reply to rfcat_vk

Hi,

We are blocking gmail access except our company mail domain based on below link

https://community.sophos.com/kb/en-us/126532

after this policy applied https scanning blocking all untrusted https websites , we tried to exclude all the possibilities ( URL Group & categories ) nothing sort this issue.

We need to block gmail same time we need to access above category websites.
Cancel
Vote Up 0 Vote Down

Cancel
0 rfcat_vk over 6 years ago in reply to kmmedical software

Hi,

how many sites are you trying to exclude?

When you look at log viewer what entries do you see when you try to connect to the sites?

If you use regex to build the exclude entires that exception will apply to all rules where as if you create your own web policies you can add them to the appropriate firewall.

Ian

XG115W - v20.0.3 MR-3 - Home

XG on VM 8 - v21 GA

If a post solves your question please use the 'Verify Answer' button.
Cancel
Vote Up 0 Vote Down

Cancel
0 kmmedical software over 6 years ago in reply to rfcat_vk

thank you , we fix the issue with web -- exception to exclude sites from https scanning & policy check
Cancel
Vote Up 0 Vote Down

Cancel
0 Michael Dunn over 6 years ago in reply to kmmedical software
The XG may be more strict about the certificate checks that browser do by default.

For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.

But when the proxy tries to do HTTPS inspection it finds a bad certificate. On the block page you can click "about this request"

URL:Â https://testcaselab.com/

Certificate details:

Valid From: Feb 11 18:09:03 2018 GMT

Valid To: Feb 10 10:07:38 2020 GMT

Serial Number: e4:fc:8c:20:40:28:4d:68

Subject: OU=Domain Control Validated, CN=*.testcaselab.com

Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com

Inc./OU=certs.godaddy.com/.../CN=Go Daddy Secure Certificate Authority - G2

SSL error: unable to get local issuer certificate

If you want to know more, go to ssllabs.com and put in the domain.

https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141

In this case, ssllabs gave it an F for different reasons. However the also noted that the chain is incomplete (which is the reason that XG complained).
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 Michael Dunn over 6 years ago in reply to kmmedical software
The XG may be more strict about the certificate checks that browser do by default.

For example, your browser may be happy to go to https://testcaselab.com when not using the proxy.

But when the proxy tries to do HTTPS inspection it finds a bad certificate. On the block page you can click "about this request"

URL:Â https://testcaselab.com/

Certificate details:

Valid From: Feb 11 18:09:03 2018 GMT

Valid To: Feb 10 10:07:38 2020 GMT

Serial Number: e4:fc:8c:20:40:28:4d:68

Subject: OU=Domain Control Validated, CN=*.testcaselab.com

Issuer: C=US, ST=Arizona, L=Scottsdale, O=GoDaddy.com

Inc./OU=certs.godaddy.com/.../CN=Go Daddy Secure Certificate Authority - G2

SSL error: unable to get local issuer certificate

If you want to know more, go to ssllabs.com and put in the domain.

https://www.ssllabs.com/ssltest/analyze.html?d=testcaselab.com&s=151.236.222.141

In this case, ssllabs gave it an F for different reasons. However the also noted that the chain is incomplete (which is the reason that XG complained).
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 kmmedical software over 6 years ago in reply to Michael Dunn

thanks for the reply , will check & get back to you
Cancel
Vote Up 0 Vote Down

Cancel