Issue
Cisco Umbrella provides endpoint security by redirecting DNS requests to its global network of servers.
If Cato's TLS inspection is enabled in the account and the 'Untrusted Server Certificates' option is set to Block or Warning, websites that require redirection by Cisco Umbrella (due to a Cisco security action) will receive a Cato Block/Warning page.
Environment
- TLS inspection is enabled
- The 'Untrusted Server Certificates' option is set to Block or Warning.
Troubleshooting
- Find the related TLS events for the blocked website. The TLS Certificate Error field will show 'Unable to get local issuer certificate'.
- If the destination IP shown in the event is within IP ranges 146.112.0.0/16, 155.190.0.0/16, and 151.186.0.0/16, that indicates that DNS redirection by Cisco Umbrella has taken place.
- The redirection will trigger a Cato TLS error led by a Cato blocking/warning page because the website's certificate issuer (Cisco Umbrella Root CA) is not trusted by Cato. The certificate chain below is presented to the end-user when bypassing Cato.
Solution
Cisco Umbrella's IP ranges must be bypassed from Cato TLS inspection. When doing so, Cato will not block the Umbrella redirection due to a failed certificate check.
As per Cisco's website, the IP ranges used by the Umbrella service are 146.112.0.0/16, 155.190.0.0/16, and 151.186.0.0/16.
For information on how to bypass TLS inspection, see Using Rules that Bypass TLS Traffic.
0 comments
Please sign in to leave a comment.