Captive portal and HTTPS requests

Question

hi, 
 I'm running a XG Firewall at home to test it for a bigger project. Now I have an issue with HTTPS requests which really drives me crazy! 
 I set up rules for users and clientless devices and every other connection will be dropped. If a device wants to connect to a website with http the captive portal is displayed and after the login the user gets redirected to the requested website. Works perfectly! 
 BUT if the user requests a httpS website the captive portal is not displayed. An error message comes up telling me that the certificate is invalid. 
 What am I doing wrong? Is there a way to get the captive portal displayed even if the requested website is https? I just want the redirect to be a http request. 
 
 Cheers, Matthias

Ozgur Gursoy · Accepted Answer

I'm writing my own solution. first you buy the cheapest one ssl certificate. domain name-based ones. for example, your local domain name is example.com. Get an SSL certificate for firewall.example.com (it has a price of 10 USD per year). 
 Be sure to edit the firewall.example.com domain name on your dns server. 
 Enter firewall.example.com in the hostname field under Administration -> Admin Settings. 
 Admin console and end-user interaction Check "Use the firewall's configured hostname: firewall.example.com". Certificates -> Add Install the commercial certificate you purchased in (I will not explain in detail here) 
 Let's type "firewall.example.com" in Common Name in Certificate Authorities section in Default. 
 At the bottom of the Authentication section, the Captive portal uses HTTPS must be enabled. 
 
 I hope I didn't forget a point. at least lead the way. You can also use the same certificate for https control in the web filter.

LuCar Toni · Answer

Just to be sure. 
 This last sentence is actually not correct :) 
 I hope I didn't forget a point. at least lead the way. You can also use the same certificate for https control in the web filter. 
 You can read more about this here: https://community.sophos.com/kb/en-us/132997

Ashwani Singh3 · Answer

Hi, 
 if you are using a HTTPS then you need install ''SecurityAppliance_SSL_CA.pem'' certificate to end user client machine and after that u get the capital portal page on HTTPS traffic.

LuCar Toni · Answer

You cannot. 
 That is the reason for my linked KBA. 
 Please refer to this KBA: https://community.sophos.com/kb/en-us/132997 
 It explains in details, why there is no way to interact with such clients. 
 You would actively break HTTPs and if this would be possible to do so, you would break the Internet as a HTTPs concept and we could start to use http again.