Certificate used for Inspection

I exported our company wildcard certificate including all the certificates in the certification path and imported it into the WatchGuard Firewall. Everything seems to have worked fine. When I enable inspection on an HTTPS proxy policy I get errors on websites in regards to certificates. I looked at the certificate and expected to see the same cert from GoDaddy, but instead it now says that it's issued to ssl383459.cloudflaressl.com with secondary DNS names of the site I was trying to go to. And now the "issued by" states that it's from *.ourdomain.com. Sites like Google refuse to even come up. Is this normal? I want to be able to use the cert for inspection but not have to install it on all devices.

Comments

  • james.carson (Moderator, WatchGuard Representative)

    Hi KevCar,

    The Firewall will use the Proxy Authority certificate for outbound HTTPS inspection. You'll need to export that certificate and import it onto your machines in order to get around those warnings.

    You can read more about how inspection works, and the difference between how the firewall handles inbound and outbound HTTPS policies here:
    (Use Certificates with HTTPS Proxy Content Inspection)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/cert_https_proxy_resign_c.html

    You can read more about how to install the certificate on your client devices here:
    (Import a Certificate on a Client Device)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/import_client_cert.html

    Since the proxy authority certificate must be able to re-sign traffic, it will end up having to be from your own CA (meaning it will be self-signed). You can use the included one, or provide one from a CA you own. No third-party CA (like GoDaddy, DigiCert, etc.) will provide a certificate that can re-sign traffic.

    Thank you,

    -James Carson
    WatchGuard Customer Support
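
The point James makes above (a re-signing Proxy Authority has to be a CA you control, and clients warn until they trust it) can be demonstrated with openssl alone. The script below is an added example, not WatchGuard's code or anything from the help articles; every name, path and CN value in it is constructed for the demo, and it only needs the `openssl` command-line tool. It builds a stand-in "public CA" (GoDaddy's role), a wildcard leaf issued by it, a stand-in Proxy Authority CA, and then tries to re-sign a site certificate with each:

```shell
#!/bin/sh
# Added example (not WatchGuard's code): uses openssl to show why only a CA
# certificate can serve as the Firebox Proxy Authority for HTTPS inspection,
# and why clients warn until that CA is trusted. All names, paths and CN
# values below are constructed for the demo.
set -u

# Builds a throwaway PKI in a temp dir and cds into it. Returns 1 on any openssl error.
setup_demo_pki() {
    DEMO_DIR="$(mktemp -d)"
    cd "$DEMO_DIR" || return 1

    # Two self-signed CAs (openssl's default for 'req -x509' sets basicConstraints CA:TRUE):
    # one standing in for a public CA such as GoDaddy, one for the Firebox Proxy Authority.
    for ca in public-ca proxy-ca; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
            -keyout "$ca.key" -out "$ca.pem" -subj "/CN=Demo $ca" >/dev/null 2>&1 || return 1
    done

    # End-entity profile: what a public CA issues for a server name. Explicitly not a CA.
    printf 'basicConstraints=critical,CA:FALSE\n' > leaf.ext

    # The "company wildcard certificate", issued by the public CA as a leaf.
    openssl req -new -newkey rsa:2048 -nodes -keyout wild.key -out wild.csr \
        -subj "/CN=*.ourdomain.example" >/dev/null 2>&1 || return 1
    openssl x509 -req -in wild.csr -CA public-ca.pem -CAkey public-ca.key -CAcreateserial \
        -days 365 -extfile leaf.ext -out wild.pem >/dev/null 2>&1 || return 1

    # A request for the site the browser is visiting; an inspecting proxy re-signs this name.
    openssl req -new -newkey rsa:2048 -nodes -keyout site.key -out site.csr \
        -subj "/CN=www.example.com" >/dev/null 2>&1 || return 1

    # (a) Re-signed with the wildcard leaf: openssl writes the file, but no validator accepts it.
    openssl x509 -req -in site.csr -CA wild.pem -CAkey wild.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out site-by-wildcard.pem >/dev/null 2>&1 || return 1
    # (b) Re-signed with the proxy CA, which is what the Firebox does during inspection.
    openssl x509 -req -in site.csr -CA proxy-ca.pem -CAkey proxy-ca.key -CAcreateserial \
        -days 30 -extfile leaf.ext -out site-by-proxy-ca.pem >/dev/null 2>&1 || return 1
}

# Each check returns 0 when openssl accepts the chain and 1 when it rejects it.

# Chain: site-by-wildcard -> wild (CA:FALSE) -> public-ca. Rejected at depth 1
# (openssl reports an invalid CA certificate): a leaf cannot sign for anyone, whoever issued it.
wildcard_can_resign() {
    openssl verify -CAfile public-ca.pem -untrusted wild.pem site-by-wildcard.pem >/dev/null 2>&1
}

# Chain: site-by-proxy-ca -> proxy-ca, with proxy-ca trusted: what a client sees
# after importing the Proxy Authority CA into its trust store.
proxy_chain_valid_when_ca_trusted() {
    openssl verify -CAfile proxy-ca.pem site-by-proxy-ca.pem >/dev/null 2>&1
}

# Same chain, but only the public CA trusted: the browser warning described in the thread.
proxy_chain_valid_when_ca_untrusted() {
    openssl verify -CAfile public-ca.pem site-by-proxy-ca.pem >/dev/null 2>&1
}

main() {
    setup_demo_pki || { echo "openssl setup failed" >&2; return 1; }
    if wildcard_can_resign; then
        echo "unexpected: wildcard leaf accepted as an issuer"
    else
        echo "wildcard leaf rejected as issuer: a public-CA certificate cannot be a Proxy Authority"
    fi
    proxy_chain_valid_when_ca_trusted && echo "proxy CA trusted: re-signed chain validates"
    proxy_chain_valid_when_ca_untrusted || echo "proxy CA not trusted: re-signed chain fails (the browser warning)"
}
main
```

Run it as `sh demo.sh`; the same three checks are what a client performs when it opens an inspected site, which is why the default Proxy Authority certificate works once it is imported into the client's trusted roots, while the imported GoDaddy wildcard never could.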

  • So I am guessing that people might configure custom rules for devices like phones and tablets to be separate from the domain computers then. I don't think people would enjoy having to install this cert on every device that accesses the internet.

  • james.carson (Moderator, WatchGuard Representative)

    Hi KevCar,

    People will often do that. You can make rules to come from specific interface aliases (like, for instance, Guest WiFi) or from specific AD groups if you have SSO (Single Sign-On) enabled.

    Most of the time in this type of instance, the admin will push the certificate out via Group Policy or another tool that they use to manage PCs.

    We do have the Certificate Portal to help with situations where you must inspect devices you can't pre-install the cert on. That'll most often be places like schools or colleges with BYOD devices.
    (Certificate Portal)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/certificate_portal_c.html

    If you need any assistance getting rules set up to do that, or to get the certificate(s) in the right places, I'd suggest opening a support case with us, and one of our technicians can take a look at it with you.
    https://www.watchguard.com/wgrd-support/contact-support

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • I went ahead and removed our wildcard certificate as I don't see a need to have it on there. But now when enabling inspection it does not appear to use the WatchGuard default certificate. Can you choose a certificate? I don't see a way to do that.

  • james.carson (Moderator, WatchGuard Representative)

    Hi KevCar,
    It just uses whatever the current loaded certificate is for Proxy Authority, if it has one.

    You can find that in the WebUI under System -> Certificates, or in Firebox System Manager under View -> Certificates. Just look under the type column.

    If you're seeing a different certificate, it's likely that content inspection isn't turned on, or the traffic is making it out a different policy.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • It's turned on. I have a policy just for me. When I enable it I get this in the traffic monitor:
    "unable to get resigning cert"
    I know this policy works because it's the same one I was using to test with when I had my certificate loaded.

  • I just read an article that indicates that I have to restart the Firebox.

  • From a WatchGuard article:
    Do not remove a certificate from your Firebox unless you plan to replace it. If you remove a certificate and do not replace it, the Firebox automatically replaces the missing certificate with a default certificate if the device restarts.

    Might update the Firewall and reboot to see if it fixes the issue.

  • james.carson (Moderator, WatchGuard Representative)

    Hi KevCar,

    Thanks for the reply.

    It sounds like the cert might have been deleted. If it did, rebooting the firewall should make the firewall generate a new one.

    It's possible that the cert got overwritten too, but looking at details might expose some of the information for your wildcard cert that was loaded.

    For the sake of maintaining the integrity of that cert, would it be possible for you to open a case so one of our techs can take a look at it with you in a more secure environment?

    You can open a case online at https://www.watchguard.com/wgrd-support/contact-support or by calling 1.877.232.3531

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • I don't think that's necessary. The article clearly indicates that if you remove a certificate that was imported for inspection, the Firebox will replace it with the default upon restart. I have not removed any WatchGuard certificates.

  • Rebooting the Firebox did fix the issue. It's now using the default certificate. Downloaded the cert from the portal and imported it into the Trusted Root Certification Authorities and now it's inspecting without errors. Thanks for your help.

  • Well it didn't take long to run into another problem. Went to a news site and got this error.
    www.***.com is most likely a safe site, but a secure connection could not be established. This issue is caused by Fireware HTTPS Proxy (SN 91650503B5BCE 2019-05-21 22:24:15 MDT) CA
    www.google.com also causes this issue. But only in Firefox, not Edge or Chrome. What a pain.

  • james.carson (Moderator, WatchGuard Representative)

    Hi KevCar,

    Firefox has its own certificate store, separate from Windows, which might be causing that problem.

    In the article here:
    (Import a Certificate on a Client Device)
    https://www.watchguard.com/help/docs/help-center/en-US/Content/en-US/Fireware/certificates/import_client_cert.html
    there are instructions specific to Firefox to get the certificate into it.

    Unfortunately, there's not really enough information in the error you're seeing to make heads or tails of what might be causing it specifically. I'd suggest opening a support case so that one of our technicians can take a look at it with you.

    Thank you,

    -James Carson
    WatchGuard Customer Support

  • Thanks for the link. Although a pain, it does give instructions on how to fix Firefox through group policy.
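
Because Firefox keeps its own certificate store, the Proxy Authority CA that was imported into the Windows Trusted Root store has to reach Firefox separately. The Windows group policy route the last comment mentions has a cross-platform counterpart: a `policies.json` file in Firefox's `distribution` directory. The script below is an added example, not WatchGuard's or Mozilla's code; the distribution directory and the CA file it writes into the policy are assumed or constructed for the demo, while the `Certificates`, `ImportEnterpriseRoots` and `Install` keys are Mozilla's enterprise policy names. It also refuses anything that is not a CA certificate, since only a CA can anchor the chains the proxy re-signs:

```shell
#!/bin/sh
# Added example (not WatchGuard's or Mozilla's code): installs the Firebox
# Proxy Authority CA into Firefox's own certificate store through a Firefox
# enterprise policy file (policies.json), the cross-platform counterpart of
# the Windows group policy template. The distribution directory and the CA
# file are assumed/constructed here; the policy keys are Mozilla's.
set -u

# write_firefox_cert_policy <firefox distribution dir> <CA certificate, PEM or DER>
# Writes <dir>/policies.json. Refuses a file that is not a CA certificate:
# only a CA can anchor the chains the proxy re-signs, so a leaf (or a key) is useless here.
write_firefox_cert_policy() {
    dist_dir="$1"; ca_file="$2"
    [ -f "$ca_file" ] || { echo "no such file: $ca_file" >&2; return 1; }
    if ! openssl x509 -noout -text -in "$ca_file" 2>/dev/null | grep -q 'CA:TRUE' &&
       ! openssl x509 -noout -text -inform DER -in "$ca_file" 2>/dev/null | grep -q 'CA:TRUE'; then
        echo "$ca_file is not a CA certificate (basicConstraints CA:TRUE missing)" >&2
        return 1
    fi
    mkdir -p "$dist_dir" || return 1
    # ImportEnterpriseRoots: also trust CAs already in the OS store (Windows/macOS).
    # Install: explicit certificate files Firefox should add to its own store.
    cat > "$dist_dir/policies.json" <<EOF
{
  "policies": {
    "Certificates": {
      "ImportEnterpriseRoots": true,
      "Install": ["$ca_file"]
    }
  }
}
EOF
}

# policy_installs_cert <firefox distribution dir> <CA certificate>
# Returns 0 when the written policy names that certificate file.
policy_installs_cert() {
    grep -Fq "\"$2\"" "$1/policies.json" 2>/dev/null
}

main() {
    demo="$(mktemp -d)"
    # Constructed stand-in for the CA downloaded from the Firebox Certificate Portal.
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -keyout "$demo/proxy-ca.key" \
        -out "$demo/proxy-ca.pem" -subj "/CN=Demo Fireware HTTPS Proxy CA" >/dev/null 2>&1 || return 1
    write_firefox_cert_policy "$demo/distribution" "$demo/proxy-ca.pem" || return 1
    cat "$demo/distribution/policies.json"
    # A private key is not a certificate and must be refused.
    write_firefox_cert_policy "$demo/distribution" "$demo/proxy-ca.key" && return 1
    echo "policy written to $demo/distribution/policies.json"
}
main
```

In production the first argument is the real `distribution` directory under the Firefox install (on Windows the same keys can instead be delivered through the Firefox ADMX group policy template), and the second is the Proxy Authority CA exported from the Firebox; Firefox reads the policy at startup, so a restart of the browser is needed before the inspected sites stop warning.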
