Accessing An Untrusted Website Is Blocked Even Though TLS Inspection Is Disabled

Issue

Accessing a website with an untrusted CA or self-signed certificate is blocked by Cato even though TLS inspection is disabled

Environment

  • TLS inspection disabled
  • Firewall rule with prompt action

Troubleshooting

  • The blockage should generate a TLS sub-type event which may mislead users into thinking that TLS inspection is blocking the traffic even though it's disabled.
  • Rightfully by design, when TLS inspection is not enabled, HTTPS requests will not be inspected even when the website in question is using an untrusted certificate, no actions will be performed.
  • However, when the traffic matches a Firewall rule which has Prompt as the Action, this will invoke or trigger TLSi, even though the latter wasn’t enabled. This is because in order to inject the prompt page into the payload, TLSi needs to occur. If it detects the untrusted or self-signed certificate, our algorithm is to block this page even though TLSi wasn't enabled in the first place, because this is a potential security risk.
  • If the Cato certificate is installed on the client's PC, the user gets the prompt page but after that, they will get an 'Invalid SSL/TLS certificate' error which proves the previous point.

Solution

Change the firewall rule action from prompt to allow or create a new rule that contains the target site as App/Category and set the action to allow. You can define the site's IP address or Domain in a Custom Application.

 

Was this article helpful?

0 comments

Add your comment