

Stop! This website is blocked

Hello everyone, 

Recently I noticed a bunch of tickets regarding the following:

"I want to go on Facebook, but Facebook is blocked.

Instead of the blocked page I get Error code: SEC_ERROR_UNKNOWN_ISSUER (Firefox) or NET::ERR_CERT_AUTHORITY_INVALID (Chrome).

It works fine if I install the Sophos certificate."

I understand that the certificate must be pushed to end devices, however I cannot ask guest users to install the Sophos certificate.

I also understand that this can be secured with a public cert.

This seems so random, as for some customers it works just fine, but for others not.

I cannot ask 200+ customers to buy a certificate to display a blocked page on guest networks.

Can anyone advise?

Kind regards,

Dragos



  • Hello Dragos,

    If you want to use the facebook.com website then you have to check which category this URL belongs to by selecting the option (URL category lookup) in Diagnostics.

    Also you will have to create a web policy to access the website which you want, by selecting particular users or a network.

    I hope this will help you!

    Kind regards,

    Vaibhav

  • Hi,

    I don't want to access Facebook. I want to see the blocked page instead of a certificate error.

  • Please make up your mind, the original post says you want to go to Facebook, the next reply says you don't.

    If you are seeing a certificate error it means you have your security wrong; if you want to block Facebook you need a rule that blocks access at network level, e.g. the Facebook FQDN in the destination network of a block firewall rule at the top of your list.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Technically speaking, that's impossible.

    If a block page appears while accessing "facebook.com", this page will be displayed under the URL "facebook.com".

    But you won't get a valid certificate for the domain "facebook.com", for obvious reasons.

    If you import the Sophos firewall CA, it will happily create and sign such a certificate "on the fly", but it is trusted only by those clients that have the Sophos CA set as trusted, not your guests. Not saying it will work in all cases: there are mechanisms like cert pinning which will mark even this cert as a falsification (it has the wrong issuer and the wrong hash), but it works in most cases today.

    For guests you have the option to modify the built-in domain "passthrough.fw-notify.net" to something like "passthrough.<your company>.com", for which you may get (and probably even have) a wildcard certificate "*.<your company>.com". Note that there is also "passthrough6" for IPv6.

    This however does not solve the redirect from "facebook.com" to "passthrough.fw-notify.net".

  • Please note that passthrough.fw-notify.net is for the Sophos SG / UTM and not for Sophos XG.

    When a user is blocked going to an HTTPS site by category there are two options:
    1) We could decrypt the HTTPS and display a block page. If they do not have the CA they will get a browser warning.
    2) We could drop the connection. The browser will display an error saying it cannot connect.

    You can configure the behavior under Web > General Settings > "For errors and block/warn policy actions on HTTPS connections when Decrypt & Scan is disabled".

  • Hi Michael and Alan,

    Myself, I understand the reasoning behind this, yet it is very hard to explain to a lot of customers what happens, as I see an influx of tickets regarding this.

    Many thanks for your prompt and on point answers.

  • One of the things I have found to be useful is to describe it on their terms.

    HTTPS was designed to be secure. The people who made the standard and the people who create the browsers intend it to display warnings to make sure the end user is aware that the site they want to go to is not the site that is displaying the page. They want end users to know that even though they went to facebook.com and that is what is on their address bar, the block page they are seeing is not from facebook.com.

    If you went to a coffee shop and used their free WiFi, you could then access your bank via HTTPS and know that the coffee shop is not stealing your banking information. Even if the coffee shop used an XG, they could not interfere with your connection to the bank without you knowing it. The safety that is provided by the browsers by throwing up a warning is a good thing that protects you as an end user - even if it is annoying for you as an administrator.
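The two posts above (the "on the fly" certificate signed by the firewall CA, and why a guest browser refuses it while a managed one accepts it) can be reproduced with nothing but openssl. The following is an added example, not code from the thread and not Sophos's implementation: it generates a throwaway "Example Firewall Inspection CA" standing in for the Sophos SSL CA, mints a facebook.com certificate under it the way an inspecting proxy would, and then checks that certificate three ways: as a managed client that imported the CA, as a guest client that only has the public roots, and as a pinning client that compares the SPKI hash against a key it recorded earlier (a locally generated stand-in, not Facebook's real key). The CA name, the hostnames in the SAN and the temp-directory layout are all assumptions of this script.

```shell
#!/bin/sh
# Added example (not from the thread, not Sophos code): reproduce with openssl what
# an inspecting firewall does when it serves a block page for an HTTPS site, and
# what each kind of client makes of the result. All keys and certificates are
# generated here; "Example Firewall Inspection CA" stands in for the Sophos SSL CA.
set -eu
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# 1. The firewall's private CA, the one a managed client has to import.
openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
    -subj "/CN=Example Firewall Inspection CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null

# 2. The certificate the firewall mints "on the fly" for facebook.com when it
#    intercepts the connection to show its block page.
printf 'subjectAltName=DNS:facebook.com,DNS:www.facebook.com\n' > "$WORK/san.cnf"
openssl req -new -newkey rsa:2048 -nodes -sha256 -subj "/CN=facebook.com" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -sha256 -extfile "$WORK/san.cnf" \
    -out "$WORK/leaf.pem" 2>/dev/null

# 3. A stand-in for the key the real site uses (constructed here, not Facebook's).
#    A pinning client remembers the SHA-256 of this SPKI, not the issuer.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$WORK/genuine.key" 2>/dev/null
openssl pkey -in "$WORK/genuine.key" -pubout -out "$WORK/genuine.pub"
openssl x509 -in "$WORK/leaf.pem" -noout -pubkey > "$WORK/leaf.pub"

# Managed device: the firewall CA is in its trust store, so the forged chain
# validates and the hostname matches. Exit 0 = the browser shows the block page.
managed_client_trusts() {
    openssl verify -CAfile "$WORK/ca.pem" -verify_hostname facebook.com \
        "$WORK/leaf.pem" >/dev/null 2>&1
}

# Guest device: only the public roots in its trust store, which never contain the
# firewall CA. Non-zero exit = the SEC_ERROR_UNKNOWN_ISSUER /
# NET::ERR_CERT_AUTHORITY_INVALID case from the original tickets.
guest_client_trusts() {
    openssl verify -verify_hostname facebook.com "$WORK/leaf.pem" >/dev/null 2>&1
}

# Pinning client: hashes the SubjectPublicKeyInfo and compares it with the pin it
# stored, so even a trusted issuer does not help when the key is not the real one.
spki_pin() {
    openssl pkey -pubin -in "$1" -outform DER | openssl dgst -sha256 -binary | openssl base64
}
pinned_client_accepts() {
    [ "$(spki_pin "$WORK/leaf.pub")" = "$(spki_pin "$WORK/genuine.pub")" ]
}

if managed_client_trusts; then echo "managed client: block page shown"; fi
if guest_client_trusts; then echo "guest client: block page shown"; else echo "guest client: certificate error"; fi
if pinned_client_accepts; then echo "pinned client: accepted"; else echo "pinned client: pin mismatch"; fi
```

Run it as-is on any box with openssl; the only way to make `guest_client_trusts` succeed is to pass the firewall CA to `-CAfile`, which is exactly the "install the Sophos certificate" step that cannot be done for guests. The pinning check also shows why importing the CA is not a complete fix either: a client that pins the key rejects the minted certificate regardless of who signed it.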

  • Usually you want to completely block out your customers/guests from your company network.

    You can create separate VLANs, for example for guest WiFi, and exclude them in the SSL/TLS Inspection rules under "Rules and policies".

    Sure, you don't have them protected by your Sophos then, but that should not be your concern in the first place.

  • It is his responsibility to ensure the integrity of his network.

    Ian


  • Hi,

    So I managed to get things moving forward.

    I have my guest VLAN, and this has a basic web policy. Anybody is not allowed certain categories.

    I managed to test with a public certificate, and I don't think this will do the trick.

    The firewall page is secured, the user portal is secured, yet the blocked page is still asking for the Sophos SSL_CA.

    Next I will look into modifying the built-in domain as Alan suggested.

    "For guests you have the option to modify the built-in domain "passthrough.fw-notify.net" to something like "passthrough.<your company>.com" for which you may get (and probably even have) a wildcard certificate "*.<your company>.com". Note that there is also "passthrough6" for IPv6."

    Many thanks for your help.