03-25-2020 03:45 PM
I have my PA-200 on virtual wire mode with Captive Portal using SSL Decrypt for all users with Self Signed Certificate.
When the users try to navigate on crhrome browser to internet they receive NET::ERR_CERT_COMMON_NAME_INVALID that doesn't permit to bypass for go to untrust site. When i manually enter a site that support http or another certificate method, is possible to navigate to the the unsafe site and Captive Portal works very well (Also I have Decryption profile and it also works)
I read that it is common issue on Google, So I manually put a Subject Alternate name on attributes (host, ip, alt-email) to the Certificate, after export to the PC user like a root trust certificate but it doesn't works
On my case, all trust users takes DHCP IPs of the Router above the FW so default gateway is the router IP (virtual wire doesn't provide a FW IP) . I manually generate a certificate with the router IP but still doesn't works 😞
Any Idea or suggestion?
04-02-2020 08:06 AM
So, to confirm, you are able to get SSL Decryption working on your firewall with some sites?
The only way the SSL Decryption can work properly if the Firewall is the CA, and it generates SSL certificates on the fly for the client machine, in a "man in the middle" function. That CA (Certificate Authority) then is trusted by the client machine, allowing the traffic coming from the Firewall to be trusted, and the Firewall acts as the client to the Public site.
But this gets really muddy, really fast when the firewall is in VirtualWire mode with no IP.
Click Accept as Solution to acknowledge that the answer to your question has been provided.
The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!
These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!
The LIVEcommunity thanks you for your participation!
