Hi All
I've been using my XG210 now for a few years, but I've always had random issues with DPI/Web Filtering. Around 10% or more of the time, I have users who will see the self-signed certificate warning when going to a site they shouldn't be on, then have to hit "Proceed" and "I accept the risk" before the Sophos blocked page shows up; sometimes it will just show up without the warning.
I've come to realise this might be due to the hostname of the Appliance certificate that is deployed across the network not being the IP or hostname of the firewall.
How can I change this? All of the places I've read are not clear. I have SSL VPN and Sophos Connect set up, so I don't want to mess around with the user certificates at all if I can avoid it.
Is there a way to update the common name, or can someone point me in the right direction to regenerate a certificate for filtering/portal use?
Hello MHSWA,
Thank you for reaching out to the community. Under Administration > Admin and user settings you'll be able to see the certificate used.
And for web filtering you can find it under Web > General settings:
These certificates can be found under the following paths:
Appliance cert - Certificates > Certificates > ApplianceCertificate
And for the SSL_CA it will be certificate > certificate authorities > SecurityAppliance_SSL_CA
Ensure your default cert is filled in properly with all the details with the correct hostname and the common name matching with the hostname under the Administration > Admin and user settings as a best practice.
To Regenerate a CA - https://docs.sophos.com/nsg/sophos-firewall/19.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/CertificateAuthorities/CertificateAuthorityRegenerate/index.html
Similarly, you can also regenerate the appliance certificate.
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Log a Support Case | Sophos Service Guide
Best Practices – Support Case | Security Advisories
Compare Sophos next-gen Firewall | Fortune Favors the prepared
Sophos Community | Product Documentation | Sophos Techvids | SMS
If a post solves your question please use the 'Verify Answer' button.
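Added example (not part of the thread and not Sophos code): a Python check of whether a certificate covers the name or IP that clients actually use to reach the firewall, taking a dict in the format returned by `ssl.SSLSocket.getpeercert()`. The sample certificates, the `example.test` hostnames and the `192.0.2.1` address are constructed placeholders, and the function names are hypothetical.

```python
import ipaddress

def names_in_cert(cert):
    """Split a getpeercert()-style dict into DNS SANs, IP SANs and subject CNs."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    cns = [v.lower() for rdn in cert.get("subject", ())
           for k, v in rdn if k == "commonName"]
    return dns, ips, cns

def dns_match(pattern, host):
    """Exact match, or a wildcard that stands for the whole left-most label."""
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host

def check_name(cert, target):
    """Return 'ok', 'cn-only' or 'mismatch' for the address clients connect to.

    'cn-only' means the name is present only in the subject common name,
    which clients that validate against subjectAltName alone will reject.
    """
    dns, ips, cns = names_in_cert(cert)
    target = target.lower()
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    # An IP target must appear as an "IP Address" SAN; a DNS SAN holding
    # the same digits does not count.
    if ip is not None and ip in ips:
        return "ok"
    if ip is None and any(dns_match(p, target) for p in dns):
        return "ok"
    return "cn-only" if target in cns else "mismatch"

# Constructed sample certificates (placeholders, not taken from a real firewall).
CN_ONLY_CERT = {"subject": ((("commonName", "fw.example.test"),),)}
SAN_CERT = {
    "subject": ((("commonName", "fw.example.test"),),),
    "subjectAltName": (("DNS", "fw.example.test"), ("IP Address", "192.0.2.1")),
}
IP_AS_DNS_CERT = {"subject": ((("commonName", "fw.example.test"),),),
                  "subjectAltName": (("DNS", "192.0.2.1"),)}
```

Run `check_name` once for every address users or redirects actually hit (hostname and IP); anything other than `ok` means the regenerated certificate still needs that entry in its subject alternative names.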
Hello
Thank you for the detailed reply!
So adjusting the default cert will update the appliance CA that I've used? I'm not using a hostname, only the firewall IP, to keep things simple. I will give it a try tomorrow.
I'm okay to regenerate the SSL VPN configurations if required. Will this affect Sophos Connect? I use both.
You'll have to regenerate the rest appliance and SSL_CA if you update the default CA!
SSL uses the server certificate under the SSL VPN Settings:
And as you know, the legacy SSL client is declared EoL, so you must be using the Sophos Connect client for connecting SSL VPN profiles, right? Or are you also using the IPsec remote access profile too?
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience
Hi
Yes, we plan to stop using the SSL VPN, but if I update the default certificate with the correct information and then regenerate the CA, will this affect the Sophos Connect client/configurations? Will I need to re-download them and provide them to end users?
Depends on which certificate you are using for SSL VPN: if you are using the default / Appliance certificate, then yes, you would need to re-import again. And if IPsec [remote access] is in the picture and you are using a digital cert, again it depends on which one you are using. But for IPsec [remote access], if you are using PSK, then no need!!
Thanks & Regards,
_______________________________________________________________
Vivek Jagad | Team Lead, Technical Support, Global Customer Experience