topic Re: HTTPS Inspection Action:Error in Firewall and Security Management

HTTPS Inspection Action:Error

IsaacO — Thu, 25 May 2023 23:03:26 GMT

Hello, I would like to know if anyone here has been presented with this error?

Reviewing logs I have this error towards a specific destination, but what seems strange to me that this error appears depends on the Source because with some other sources the error does not appear towards the destination that presents the problem.

As additional information, both the source and destination segments have bypass rules in HTTPS INSPECTION.

Thanks a lot for the help.

............................................................................................................................................................................

Id Generated By Indexer:    false
First:    true
Sequencenum:    205
HTTPS Validation:    The probe detected that this destination cannot be inspected and its identity cannot be verified due to a TLS alert (TLS alert: bad_certificate)
Description:    Bypassing request as configured in engine settings of HTTPS Inspection
Source:    x.x.x.x
Source Port:    60374
Destination:    x.x.x.x
Destination Port:    443
IP Protocol:    TCP (6)
Action:    Bypass
Type:    Log
Policy Name: YYYY
Policy Management:    YYYY
Policy Date:    23 may
Blade:    HTTPS Inspection
Origin:    XXXX
Service:    https (TCP/443)
Product Family:    Network
HTTPS Inspection Action:    Error

Re: HTTPS Inspection Action:Error

_Val_ — Fri, 26 May 2023 05:58:55 GMT

The error states that the GW cannot validate the server certificate. If it only happens to some of the connections to the same server and not all, look if you have any intermittent connectivity failures on that GW. Also, it might be that the destination IP hosts multiple web servers, some of them with bad certificates.

Re: HTTPS Inspection Action:Error

IsaacO — Fri, 26 May 2023 16:01:30 GMT

Thanks for answering _Val_.

Do you think that updating the certificate database can help?

Regards

sk64521

Re: HTTPS Inspection Action:Error

the_rock — Fri, 26 May 2023 17:08:17 GMT

100% that can only help, not make it worse. So, make sure below is enabled as per my screenshots and if you need zip file, happy to send it over. Just a small disclaimer, though couple of people on here used it and was fine, dont "shoot" the messenger if something goes sideways lol

Andy

Re: HTTPS Inspection Action:Error

the_rock — Fri, 26 May 2023 17:41:04 GMT

In case you need latest updated zip file, I attached it. Again, its totally your decision if you wish to use it, but I can guarantee its totally clean and working.

Andy

Re: HTTPS Inspection Action:Error

IsaacO — Fri, 26 May 2023 17:47:48 GMT

Thanks a lot for the help Andy.
I really appreciate it.

Regards

Carlos Isaac!

Re: HTTPS Inspection Action:Error

the_rock — Fri, 26 May 2023 17:51:33 GMT

Any time, happy to help. Let us know if any issues, I have working R81.20 lab with windows 10 and https inspection on, so can test anything needed.

Cheers,

Andy

Re: HTTPS Inspection Action:Error

_Val_ — Fri, 26 May 2023 19:02:07 GMT

It might, but we need to figure out first, what we are dealing with. If it is an intermittent issue for the same server, connectivity is the prime suspect.

Re: HTTPS Inspection Action:Error

the_rock — Fri, 26 May 2023 20:05:10 GMT

@_Val_ makes a good point Isaac. It really depends if its intermittent issue or not. I mean, you can certainly update certificate list, its not going to make it worse, but there is no guarantee it would make it better either.

Andy

Re: HTTPS Inspection Action:Error

IsaacO — Mon, 29 May 2023 23:33:14 GMT

Hi @the_rock @_Val_

Thanks a lot for your support.

The problem that we had specifically was with some servers with Workload Security agents that were not synchronizing with the cloud. One of our team had created a rule in the FW but at the destination it had only one IP that was the one that gave us the HTTPS Inspection error.
Reading the Trend Micro documentation, you have to add some domains (130) the Security, APCL and HTTPS INSPECTION rules were created with said group of Trend Micro domains and Problem solved.

https://cloudone.trendmicro.com/docs/workload-security/communication-ports-urls-ip/#Deep3

By the way, although the problem is solved I have to update the certificate database so I will follow your recommendation @the_rock

Regards!!

Re: HTTPS Inspection Action:Error

the_rock — Mon, 29 May 2023 23:42:49 GMT

Sounds good...keep us posted.

Andy

Re: HTTPS Inspection Action:Error

the_rock — Tue, 30 May 2023 00:04:40 GMT

Hey mate,

I wanted to tell you something else, just my own experience, as well as one customer I worked with for https inspection. So, when I tested this in the lab (R80.40, R81.10 and R81.20), I would simply install https inspection cert generated (follow on screen prompt) and it would work without any issues. Customer first tested it on one machine and had problem, so he reinstalled the cert and placed it in trusted root and worked fine. Then they tried few machines and some worked okay, some did not, following exact same process.

They had Trend Micro before going with CP, told me they never had this sort of problem, but turns out after they upgraded their environment to R81.10, all just worked fine. So, I would say if you have cert in trusted root, thats 100% correct.

Cheers,

Andy

Re: HTTPS Inspection Action:Error

IsaacO — Tue, 30 May 2023 00:43:34 GMT

It is an interesting fact, to comment that the environment we have is R80.40 and we plan to update it to R81.10.
So I hope that by updating the Certificates and upgrading to R81.10 there will be no more problems in the future.

Regards
Isaac.

Re: HTTPS Inspection Action:Error

the_rock — Tue, 30 May 2023 00:45:47 GMT

Im sure it would be better.

Andy