Thread Info
  • State Suggested Answer
  • Replies 14 replies
  • Answers 1 answer
  • Subscribers 41 subscribers
  • Views 1210 views
  • Users 0 members are here
Options
Suggested

Bypass - The trust status of this website's certificate could not be securely established.

midnightSun

Good Eve.

Trying to connect to a network switch via https. 

Error page : The trust status of this website's certificate could not be securely established.

About this request

URL: https://somePublicIP   

  • Certificate details:
    • Valid From: Feb 19 03:51:01 2024 GMT
    • Valid To: Feb 18 03:51:01 2025 GMT
    • Serial Number: 57:60:17:61:a4:06:e2:5b:92:2b:95:5b:85:5f:62:1d
    • Subject: C= , ST= , L= , CN=192.168.0.2, O= , OU=
    • Issuer: C= , ST= , L= , CN=192.168.0.2, O= , OU=

Its a self signed cert the device created. I know it works and I'm the only IP that can connect via the other sides firewall rules. It works bypassing SFOS.

In SFOS

I've added the public IP to every place i can think of to allow the connection. 

I've created a URL group with the IP and added it to the policy.- I'm blocking urls with IPAddresses

I've added it to the Local TLS exclusion list 

I've created an web exception

I've created a SSL/TLS inspection rule exemption

I've run conntrack -F

What am I missing? At this point id expect SFOS to totally ignore the IP.

An old post talked about adding the devices Cert to SFOS but that would be impossible if you cant connect to it. Shouldn't SFOS be skipping its checks by now?

All help would be greatly appreciated.



Added TAGs
[edited by: Erick Jan at 3:08 AM (GMT -7) on 15 Apr 2024]
Parents
  • 0

    Firewall Logs show the connection is allowed. Doesn't show anything is blocked. 

    2024-04-12 22:54:26Firewallmessageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="12" fw_rule_id="12" fw_rule_name="#3 g33 outbound" fw_rule_section="Local rule" nat_rule_id="4" nat_rule_name="#3 g33 outbound" policy_type="1" sdwan_profile_id_request="0" sdwan_profile_name_request="" sdwan_profile_id_reply="0" sdwan_profile_name_reply="" gw_id_request="1" gw_name_request="Port3_Inno_GW" gw_id_reply="0" gw_name_reply="" sdwan_route_id_request="0" sdwan_route_name_request="" sdwan_route_id_reply="0" sdwan_route_name_reply="" user="" user_group="" web_policy_id="13" ips_policy_id="2" appfilter_policy_id="8" app_name="Secure Socket Layer Protocol" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="" out_display_interface="" src_mac="F4:6D:04:E3:26:D8" dst_mac="AC:1F:6B:C9:9F:42" src_ip="xxx.xxx.xxx.xxx" src_country="R1" dst_ip="xxx.xxx.xxx.xxx" dst_country="USA" protocol="TCP" src_port="51979" dst_port="443" packets_sent="27" packets_received="62" bytes_sent="3644" bytes_received="82040" src_trans_ip="" src_trans_port="0" dst_trans_ip="xxx.xxx.xxx.xxx" dst_trans_port="3128" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1150351435" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0" log_occurrence="1" flags="0" web_policy="Company Users"

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    Where is the switch located? Most switches are internal and would have a private IP.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to midnightSun

    Thank you for the update. Is the switch on the same network as the NOC WAN address? You might need to create an alias on the WAN interface. Some switches use 8080 as their access port not 443.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    I can connect to the switch when I bypass SFOS. Stuff is working fine in my NOC. 

    For some reason SFOS is still inspecting this specific https traffic after i believe ive told it not to. 

    If you didn't want the SFOS proxy to inspect a website where would you put the exception?  

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    Try using the web proxy, not the ssl/tls . The web exceptions are used by web proxy and ssl/tls.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to rfcat_vk

    read above. Tried that. 

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    I feel you are over thinking the issue. A simple web exception for the destination ip with do it scan https ticked. Next a firewall rule at the top allowing the selected ip address as the destination. The web policy should be set to allow all with tick the use web proxy box that usually works for me.

    ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 0 in reply to midnightSun

    Do you use the TLS DPI Engine as well? 
    It could be the DPI Engine blocking this in the first step. Please show us your TLS/SSL Decryption Profiles. 

    __________________________________________________________________________________________________________________

  • 0 in reply to LuCar Toni

    So I found turning off "Block invalid Certificates" allows the site.

    Anyway to keep this enabled but still bypass the proxy for a website with an invalid cert?  Exceptions and such still seem to be scanned by the proxy.

    Do you use the TLS DPI Engine as well? 

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to rfcat_vk
    rfcat_vk said:
    A simple web exception for the destination ip with do it scan https ticked. Next a firewall rule at the top allowing the selected ip address as the destination

     The Proxy "Exceptions" don't seem to honor exceptions as one would think. The Proxy is still inspecting these sites.

    Sophos writes " With exceptions, you can override protection settings for all web traffic that matches the specified criteria, regardless of any policies or rules in effect."

    See above for the settings that are causing my problem.

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

  • 0 in reply to midnightSun

    Could you not just create a firewall rule higher in the chain for traffic to the NOC to not decrypt and not use web proxy? So a special rule just for this purpose where you do not decrypt the traffic?

    Managing several Sophos firewalls both at work and at some home locations, dedicated to continuously improve IT-security and feeling well helping others with their IT-security challenges.

  • 0 in reply to apijnappels

    I probably could as a work around, but shouldn't proxy exceptions work? Seems to be a bug. 

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

Reply
  • 0 in reply to apijnappels

    I probably could as a work around, but shouldn't proxy exceptions work? Seems to be a bug. 

    echo "           __     __         __         __     __    _______               ";
echo ".--------.|__|.--|  |.-----.|__|.-----.|  |--.|  |_ |     __|.--.--..-----.";
echo "|        ||  ||  _  ||     ||  ||  _  ||     ||   _||__     ||  |  ||     |";
echo "|__|__|__||__||_____||__|__||__||___  ||__|__||____||_______||_____||__|__|";
echo "                                |_____|                                    ";

    ~~~ I miss Port 17. Remember using telnet to get the Quote of the Day? Maybe I'll set one up for all the port scanners.  ~~~ 

Children
No Data
Unfiltered HTML