
DNSWatch certificate when using HTTPS inspection

edited August 2020 in DNSWatch - General

Greeting to all,

I am just in the process of setting up a new T40 firebox with Fireware 12.6.1 update 1 firmware.

I am testing HTTPS inspection and it seems to work well.

I have imported the web server certificate and the proxy authority certificate to the test machine. HTTPS websites work well and functions such as blocking an HTTPS website as a test succeed.

One cosmetic issue is that I get a certificate error when an HTTPS website is blocked by DNSWatch.

The certificate states "windows does not have enough information to verify this certificate" and "The issuer of this certificate could not be found."

Bypassing the certificate error correctly takes me to the DNSWatch blocking page.

I wonder if someone would please point me in the right direction to resolving this? [edit: Is it impossible to avoid the certificate error because the DNSWatch certificate doesn't belong to the website?]

Many thanks

Scott

Answers

  • james.carson Moderator, WatchGuard Representative

    Hi @Scott

    The DNSWatch certificate will always cause that error. Since you're being redirected to a "blackhole" server, the server has no way of knowing what domain/URL you requested. Even if you trust the certificate, there will still be a domain name mismatch, and the browser will display the cert as untrusted.

    -James Carson
    WatchGuard Customer Support
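    The answer above describes two independent browser checks: whether the certificate chains to a trusted issuer, and whether one of the names in the certificate matches the host that was requested. The following is an added example (not WatchGuard's or DNSWatch's code) that models both checks with RFC 6125-style hostname matching; the certificate contents, the blackhole server name `blackhole.dnswatch.example` and the issuer name are constructed placeholders. It shows that importing the blackhole certificate as trusted clears the "issuer could not be found" error but leaves the hostname mismatch in place, which is the error the reply says cannot be avoided.

```python
"""Model of a browser's certificate checks against a blackhole server.
Added example for illustration; certificates are plain dicts constructed here,
not real DNSWatch artefacts."""

from typing import Dict, List


def _name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style matching: exact (case-insensitive) match, or a single
    leading '*' wildcard that covers exactly one DNS label and never the
    registrable-domain level (so '*.com' never matches anything)."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Wildcard must be the left-most label and needs at least two fixed labels after it.
    if len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def verify_presented_cert(cert: Dict, requested_host: str, trusted_issuers: List[str]) -> List[str]:
    """Return the errors a browser would raise for this certificate, in the
    order they are evaluated: chain trust first, then hostname identity.
    An empty list means the page would load without a warning."""
    errors = []
    # Check 1: does the certificate chain to an issuer the client trusts?
    # This is the check the original poster silenced by importing the CA.
    if cert["issuer"] not in trusted_issuers:
        errors.append("issuer not trusted")
    # Check 2: does any presented name match what the user actually requested?
    # SAN entries take precedence; the subject CN is only a legacy fallback.
    names = cert.get("san") or [cert["subject_cn"]]
    if not any(_name_matches(n, requested_host) for n in names):
        errors.append("hostname mismatch")
    return errors


# Constructed sample data (placeholders, not real DNSWatch values).
BLACKHOLE_CERT = {
    "subject_cn": "blackhole.dnswatch.example",
    "san": ["blackhole.dnswatch.example"],
    "issuer": "DNSWatch Root CA (placeholder)",
}
REQUESTED_HOST = "www.blocked-site.example"  # the site the user tried to open


def blackhole_errors(trust_blackhole_ca: bool) -> List[str]:
    """Errors seen for the blackhole certificate with and without trusting its CA."""
    trusted = [BLACKHOLE_CERT["issuer"]] if trust_blackhole_ca else []
    return verify_presented_cert(BLACKHOLE_CERT, REQUESTED_HOST, trusted)


if __name__ == "__main__":
    print("CA not imported:", blackhole_errors(False))
    print("CA imported:    ", blackhole_errors(True))
```

    The blackhole server answers every blocked request with the same certificate, so the only way the second check could pass is if the certificate carried the requested site's name, which a generic block server cannot know in advance. That is why the error persists regardless of which certificates are imported on the client.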

  •

    Hi James,

    Many thanks for your reply.

    Here's a question - how would the end user know they had visited a blocked website?

    The browser would advise them not to proceed.

    Scott

  • james.carson Moderator, WatchGuard Representative

    Hi @Scott5297

    In this case, they have a few options.
    -If you have notification turned on, emails can be sent to an admin or similar for your network.
    -If you're using the firewall itself (which uses the same WebBlocker categories) you can have a deny page via that proxy that the user will be able to see.

    Work is being done to better integrate the block pages and profiles in WatchGuard cloud, so at some point in the future they should be easier to manage (as one.)

    -James Carson
    WatchGuard Customer Support

  •

    Hello @James_Carson,
    Any news on this feature for block pages?
    Unfortunately, we do not have a block page with online training as SSL decryption is enabled.

  • james.carson Moderator, WatchGuard Representative

    Hi @Romain_METAYER
    The block page displayed will depend on what's actually enacting the block. I'd suggest opening a support case so that the support team can help identify which one you're encountering.

    The several feature requests that are mentioned are being looked into -- if you'd like updates on any specific ones, please create a support case and mention what the feature you'd like to track is. The tech that takes your case can set the case up to do that for you. We don't provide status updates on feature requests in the forums as it'd be too time consuming to track down every thread here. It's automated and linked to the actual feature request in the support ticket system.

    -James Carson
    WatchGuard Customer Support
