Summary
Cato Networks acts as a man-in-the-middle to serve block pages for HTTPS websites even when TLS Inspection is disabled. This means that when browsing to an HTTPS website that is blocked, users will see certificate warnings if the Cato Certificate is not installed on their computer or browser.
The screenshot below shows the warning that Firefox displays when https://facebook.com is blocked and the Cato Certificate is not installed.
Solution
Install the Cato Certificate on users' computers and/or browsers to prevent certificate warnings. For instructions, please refer to our article How to Install the Cato Certificate.
The screenshot below shows the block page displayed in Firefox for https://facebook.com after installing the Cato Certificate.
More Details
When an HTTP website is blocked by policy, Cato is able to generate the block page as an HTTP 403 response to the client's HTTP GET request.
The same method is not possible when an HTTPS website is blocked, however, because all traffic between the client and server is encrypted.
Therefore, in order to serve the block page for HTTPS websites, Cato acts as a man-in-the-middle. Cato is able to detect that an HTTPS website should be blocked prior to the TLS handshake, so it intercepts the Client Hello and completes the TLS handshake with the client. Cato is then able to decrypt the incoming GET request and serve the block page.
3 comments
Is there any advice on this topic for a guest network? Where installing the Cato internal cert is not an option.
Hello Jason!
This article does provide some advice on network segmentation: https://support.catonetworks.com/hc/en-us/articles/360004507617-Network-Segmentation-Best-Practices
If this doesn't provide you with the information you need, I recommend posting your question to our Community: https://support.catonetworks.com/hc/en-us/community/topics/13905302555421-Join-the-conversation
Using the Community will expose any question to a wider audience.
Kind Regards,
Dermot Doran - Cato Networks Community Manager
Do I have to install a Cato certificate manually for each guest connecting to our guest wifi?