
Bypass - The trust status of this website's certificate could not be securely established.

Good Eve.

Trying to connect to a network switch via https. 

Error page : The trust status of this website's certificate could not be securely established.

About this request

URL: https://somePublicIP   

  • Certificate details:
    • Valid From: Feb 19 03:51:01 2024 GMT
    • Valid To: Feb 18 03:51:01 2025 GMT
    • Serial Number: 57:60:17:61:a4:06:e2:5b:92:2b:95:5b:85:5f:62:1d
    • Subject: C= , ST= , L= , CN=192.168.0.2, O= , OU=
    • Issuer: C= , ST= , L= , CN=192.168.0.2, O= , OU=

It's a self-signed cert the device created. I know it works and I'm the only IP that can connect via the other side's firewall rules. It works bypassing SFOS.

In SFOS

I've added the public IP to every place I can think of to allow the connection.

I've created a URL group with the IP and added it to the policy (I'm blocking URLs with IP addresses).

I've added it to the Local TLS exclusion list 

I've created a web exception.

I've created an SSL/TLS inspection rule exemption.

I've run conntrack -F

What am I missing? At this point I'd expect SFOS to totally ignore the IP.

An old post talked about adding the device's cert to SFOS, but that would be impossible if you can't connect to it. Shouldn't SFOS be skipping its checks by now?

All help would be greatly appreciated.



Added TAGs
[edited by: Erick Jan at 3:08 AM (GMT -7) on 15 Apr 2024]
  • Firewall Logs show the connection is allowed. Doesn't show anything is blocked. 

    2024-04-12 22:54:26 Firewall messageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="12" fw_rule_id="12" fw_rule_name="#3 g33 outbound" fw_rule_section="Local rule" nat_rule_id="4" nat_rule_name="#3 g33 outbound" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="1" gw_name_request="Port3_Inno_GW" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="" user_group="" web_policy_id="13" ips_policy_id="2" appfilter_policy_id="8" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac="F4:6D:04:E3:26:D8" dst_mac="AC:1F:6B:C9:9F:42" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="xxx.xxx.xxx.xxx" dst_country="USA" protocol="TCP" src_port="51979" dst_port="443" packets_sent="27" packets_received="62" bytes_sent="3644" bytes_received="82040" src_trans_ip="" src_trans_port="0" dst_trans_ip="xxx.xxx.xxx.xxx" dst_trans_port="3128" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1150351435" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0" web_policy="Company Users"

    echo "           __     __         __         __     __    _______               ";
    echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
    echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
    echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
    echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 
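Whether that allowed flow was passed straight out or was still handed to the web proxy can be read off the `dst_port` / `dst_trans_port` pair in the log line above (443 translated to 3128, with a `web_policy` attached). The following Python is an added example, not code from the thread or from Sophos: it parses an SFOS-style `key="value"` firewall log line into fields and reports whether the destination was rewritten to the proxy. The sample line is constructed with placeholder addresses, and treating 3128 as the transparent web proxy listener is an assumption taken from the logged value, not something the page states.

```python
import re
from typing import Dict

# Constructed sample line in the SFOS firewall-log key="value" layout, trimmed
# to the fields that matter for this thread. Addresses are documentation
# placeholders, not the poster's real IPs.
SAMPLE_LOG = (
    'messageid="00001" log_type="Firewall" log_component="Firewall Rule" '
    'log_subtype="Allowed" status="Allow" fw_rule_id="12" '
    'fw_rule_name="#3 g33 outbound" web_policy_id="13" '
    'app_name="Secure Socket Layer Protocol" src_ip="192.0.2.10" '
    'dst_ip="198.51.100.20" protocol="TCP" src_port="51979" dst_port="443" '
    'src_trans_ip="" src_trans_port="0" dst_trans_ip="198.51.100.20" '
    'dst_trans_port="3128" src_zone="LAN" dst_zone="WAN" '
    'web_policy="Company Users"'
)

# One key="value" pair; values may be empty, hence [^"]* rather than [^"]+.
FIELD_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption: the SFOS transparent web proxy listens on 3128, which is the
# dst_trans_port value seen in the thread's log line.
TRANSPARENT_PROXY_PORT = "3128"


def parse_sfos_log(line: str) -> Dict[str, str]:
    """Parse one SFOS log line into a dict of field name -> value."""
    return dict(FIELD_RE.findall(line))


def proxy_redirect_summary(fields: Dict[str, str]) -> Dict[str, object]:
    """Decide whether the flow was passed through or redirected to the proxy."""
    dst_port = fields.get("dst_port", "")
    trans_port = fields.get("dst_trans_port", "")
    # A non-empty, non-zero translated port that differs from the original
    # destination port means the firewall rewrote the destination.
    translated = trans_port not in ("", "0") and trans_port != dst_port
    return {
        "allowed": fields.get("status") == "Allow",
        "rule": fields.get("fw_rule_name", ""),
        "dst_port": dst_port,
        "dst_trans_port": trans_port,
        "redirected_to_proxy": translated and trans_port == TRANSPARENT_PROXY_PORT,
        "web_policy": fields.get("web_policy", ""),
    }


def explain(summary: Dict[str, object]) -> str:
    """Human-readable verdict for the admin reading the log."""
    if not summary["allowed"]:
        return "Flow was not allowed by the firewall rule."
    if summary["redirected_to_proxy"]:
        return (
            f"Allowed by rule {summary['rule']!r}, but dst_port "
            f"{summary['dst_port']} was translated to "
            f"{summary['dst_trans_port']}: the web proxy (policy "
            f"{summary['web_policy']!r}) still handled this connection, "
            "so its certificate validation applied, not the client's."
        )
    return f"Allowed by rule {summary['rule']!r} and passed through untouched."


if __name__ == "__main__":
    print(explain(proxy_redirect_summary(parse_sfos_log(SAMPLE_LOG))))
```

Run it against a real line pasted in place of `SAMPLE_LOG`: an "Allowed" verdict with `redirected_to_proxy` true is the signal that the web policy, not the firewall rule, is the layer to look at for the bypass.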

  • Where is the switch located? Most switches are internal and would have a private IP.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Correct. In our NOC a port forward allows my IP to connect to its internal IP. 

    My local IP - out SFOS wan  <--> NOC wan  -  Switch local IP

