DPI error 19006: googleapis.com - Failure to pass SafetyNet validation.

Validation passed when using web proxy instead of DPI engine.

But. DPI engine is not sure if directly related. I would like to know if someone else will reproduce it.

Hi FoW,

Can you check the SSL/TLS Inspection logs to see if there's anything being dropped by it?

I didn't managed to reproduce it, (Using the DPI Engine.)

Thanks!

Video record is here

and. The SSL / TLS inspection log shows no sign.

Video time is 23:18. The last log timestamp is 23:17.

When using proxy mode, you can see the checkbox for HTTPS decryption is unchecked.
When using DPI mode, the HTTPS inspection is controlled by the rules in the SSL/TLS inspection rules tab.
I don't know what safetynet uses, but can you temporarily disable all scanning rules (or put in a high level Do Not Decrypt rule in) and try again.
I just want to make sure you are doing an apples-to-apples comparison.

I am surprised that in all of that, the TLS log for that IP only shows one thing and for an unrelated domain.
That's why I am asking to test with making sure all traffic is Do Not Decrypt.

Okay. I will try again.

Thanks.

SSL/TLS Inspection rules and error log is here.

I could not find the log file path in the CLI. Let me know and I'll check.

Thanks for the access.  Moving to PM and asking to reproduce with additional logging on.

How to turn on additional(large size) logging.

(Edited by Michael Dunn to remove steps.  Turning on additional logging fills up the harddrive and slows down the system, and we don't want inexperienced people pouring over detailed log files.)

Anyone can download the log below.

https://ds.netspheres.org:5001/d/f/536397891256760693

And exclusion feature does not work in this error.

I am under the impression that Error 19006 is a known bug within the TLS engine.

I have posted in another thread about this error and not seen any results.

Ian

Michael Dunn I have the same issue, but I just noticed it after reviewing this post. I sent you a PM earlier on something else. Let me know in that message if you want logs from me too on this, if it will help.

FoW thanks for your find.

Public Service Announcement, I would advise that no one turn on logging via those steps, unless your are working with a Sophos engineer. You could cause issues if you do not turn off logging. That is why you do not see those instructions posted in any forum. Sophos engineers only PM those steps and there is a reason.

Mike