Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Note: Make sure your Sophos Firewall time is correct to avoid potential Certificate Trust issues
Table of Contents
Overview
This Recommended Read describes the Feature "Forward Certificate Invalidity".
Forward Certificate Invalidity
Sophos Firewall web proxy and DPI modes perform certificate validation when decrypting HTTPS. DPI mode with Maximum Compatibility disables all certificate checks, which means a user could access an insecure site but think it’s secure.
Sophos Firewall 19.0 introduced a new feature called FCI (Forward Certificate Invalidity) which changes the behavior of Maximum Compatibility when visiting insecure sites. The HTTPS decryption will be done with a special "Sophos SSL Untrusted CA" that will deliberately cause browsers to display a warning.
The most common reason for an FCI warning is missing Intermediate certificates.
Related Info
Read this KB about blocking missing intermediate certificates, FCI warnings, and how to install the certificates to resolve the error.
support.sophos.com/.../KB-000044776
Created Table of Contents
[edited by: emmosophos at 11:31 PM (GMT -8) on 23 Nov 2023]