Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.
Note: Make sure the Sophos Firewall system time is correct. Certificate validity periods are checked against the firewall clock, so a wrong clock can make perfectly valid certificates appear expired or not yet valid and cause certificate trust warnings.
Overview
This Recommended Read describes the Sophos Firewall feature "Forward Certificate Invalidity" (FCI).
Forward Certificate Invalidity
Sophos Firewall web proxy and DPI modes validate the server certificate when decrypting HTTPS. In DPI mode with Maximum Compatibility, however, all certificate checks are disabled. Because every decrypted connection is re-signed with the firewall's own signing CA, which clients are configured to trust, a user could reach a site whose certificate is invalid and see no warning at all: the site looks secure when it is not.
FCI (Forward Certificate Invalidity) changes the Maximum Compatibility behaviour for sites whose certificate fails validation. Instead of the normal signing CA, the decrypted connection is re-signed with a separate "Sophos SSL Untrusted CA". That CA is deliberately not distributed to clients, so the browser shows its usual certificate warning and the user learns that the original site certificate could not be trusted.
The most common reason for an FCI warning is a server that does not send its intermediate certificate(s) in the TLS handshake, so the firewall cannot build a chain from the site certificate to a trusted root. Browsers often hide this problem on an unfiltered connection by fetching the missing intermediate themselves or reusing one they cached earlier, which is why the same site can look fine without the firewall in the path.
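To make the decision concrete, the following is an added example written for this page in Go. It is not Sophos code and the firewall's real implementation is not public; it only models the behaviour described above. The program builds a constructed three-level PKI (root, issuing CA, site certificate), validates the site certificate using only the certificates the "server" sent, re-signs the connection with either the normal firewall CA or the "Sophos SSL Untrusted CA" depending on the result, and finally checks the re-signed certificate against a client trust store that holds only the normal CA, which is what decides whether a browser warns. The certificate names, the "Firewall default SSL CA (placeholder)" label for the normal signing CA, and the hostname www.example.com are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // unique serial numbers for the constructed certificates

// mkCert issues a constructed test certificate for cn (not real PKI). A nil parent
// yields a self-signed CA; otherwise the certificate is signed by parent.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames, tmpl.ExtKeyUsage = []string{cn}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	signer, signerKey := tmpl, key
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// verifyPresented models the firewall's check: the site certificate (presented[0])
// must chain to a trusted root using only the certificates the server actually sent.
func verifyPresented(presented []*x509.Certificate, roots *x509.CertPool, host string) error {
	sent := x509.NewCertPool()
	for _, c := range presented[1:] {
		sent.AddCert(c)
	}
	_, err := presented[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: sent})
	return err
}

// Simulate runs one decrypted HTTPS connection to host; sendIntermediate controls
// whether the constructed server includes its issuing CA in the handshake.
func Simulate(host string, sendIntermediate bool) (signingCA string, browserWarns bool, chainErr error) {
	// Public PKI: root -> issuing CA -> site certificate. Only the root is trusted.
	root, rootKey := mkCert("Example Root CA", true, nil, nil)
	issuing, issuingKey := mkCert("Example Issuing CA", true, root, rootKey)
	site, _ := mkCert(host, false, issuing, issuingKey)
	roots := x509.NewCertPool()
	roots.AddCert(root)
	presented := []*x509.Certificate{site}
	if sendIntermediate {
		presented = append(presented, issuing)
	}
	chainErr = verifyPresented(presented, roots, host)
	// Firewall CAs: clients have the normal signing CA installed; the Untrusted CA is
	// deliberately never distributed. The normal CA's display name is a placeholder.
	normalCA, normalKey := mkCert("Firewall default SSL CA (placeholder)", true, nil, nil)
	untrustedCA, untrustedKey := mkCert("Sophos SSL Untrusted CA", true, nil, nil)
	signer, signerKey := normalCA, normalKey
	if chainErr != nil {
		signer, signerKey = untrustedCA, untrustedKey // FCI: forward the invalidity to the user
	}
	resigned, _ := mkCert(host, false, signer, signerKey)
	// Client side: the browser trust store holds only the normal firewall CA.
	clientRoots := x509.NewCertPool()
	clientRoots.AddCert(normalCA)
	_, clientErr := resigned.Verify(x509.VerifyOptions{DNSName: host, Roots: clientRoots})
	return signer.Subject.CommonName, clientErr != nil, chainErr
}

func main() {
	for _, send := range []bool{true, false} {
		ca, warns, err := Simulate("www.example.com", send)
		fmt.Printf("intermediate sent=%v re-signed by=%q browser warns=%v chain error=%v\n", send, ca, warns, err)
	}
}
```

Run it with `go run`. The first line shows the complete chain: validation passes, the connection is re-signed by the normal CA and the client is silent. The second line is the missing-intermediate case: the chain check fails with an unknown-authority error, the connection is re-signed by the Untrusted CA and the client warns, exactly the FCI behaviour described above. Against a real server, `openssl s_client -connect host:443 -showcerts` lists which certificates the server sends and is the quickest way to confirm that an intermediate is missing.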
Related Info
- Sophos Firewall: Accessing websites that are blocked or signed by FCI due to missing intermediate CA
Revamped
[edited by: Erick Jan at 3:39 AM (GMT -8) on 24 Dec 2024]