Accessing An Untrusted Website Is Blocked Even Though TLS Inspection Is Disabled


Accessing a website with an untrusted CA or self-signed certificate is blocked by Cato even though TLS inspection is disabled


  • TLS inspection disabled
  • Firewall rule with prompt or block action


  • The blockage should generate a TLS sub-type event which may mislead users into thinking that TLS inspection is blocking the traffic even though it's disabled.
  • Rightfully by design, when TLS inspection is not enabled, HTTPS requests will not be inspected even when the website in question is using an untrusted certificate, no actions will be performed.
  • However, when the traffic matches a Firewall rule that has Prompt or Block as the Action, this will invoke or trigger TLSi, even though the latter wasn’t enabled. This is because to inject the prompt/block page into the payload, TLSi needs to occur. If it detects the untrusted or self-signed certificate, our algorithm is to block this page even though TLSi wasn't enabled in the first place, because this is a potential security risk.
  • The above behavior will be reflected in the event with the TLS inspection = 1
  • If the Cato certificate is installed on the client's PC, the user gets the prompt page but after that, they will get an 'Invalid SSL/TLS certificate' error which proves the previous point.


Change the firewall rule action from prompt/block to allow or create a new rule that contains the target site as App/Category and set the action to allow. You can define the site's IP address or Domain in a Custom Application.


Was this article helpful?

0 out of 0 found this helpful


Add your comment