Even though HTTPS decryption is disabled, the web browser displays a certificate warning message instead of the web content when browsing through InterScan Web Security Virtual Appliance (IWSVA) 6.5.
If an HTTPS website is blocked by one of the IWSVA functionalities, such as URL filtering, IWSVA will try to establish a connection with the HTTPS website or client in order to display the security event.
As a result, when IWSVA receives the server certificate, it performs the following actions against the HTTPS URL, similar to HTTPS decryption mode:
- Verification of the HTTPS website's server certificate
- Generation of a certificate signed by IWSVA for the HTTPS website's Common Name (FQDN)
The features affected by this logic are the following:
- HTTP > URL Filtering
- HTTP > URL Access Control > Global URL Blocking
- HTTP > Configuration > Access Control Settings > HTTPS Ports
For the certificate warning message redirected to HTTP > Advanced Threat Protection > Policies > Virus/Malware Scan Rule > Scan before delivering, the WebUI's certificate must be imported into each web browser.
For more information, refer to the KB article: Web browser security warnings appear when using the "Scan before delivering" feature in InterScan Web Security Virtual Appliance (IWSVA) 6.5.
To resolve this issue:
To avoid the web browser's certificate warning message, the root certificate stored in IWSVA must be imported into the web browser as a Trusted Root Certification Authority.
Refer to the KB article: Certificate warning appears after enabling HTTPS decryption in InterScan Web Security Virtual Appliance (IWSVA).
The Client Certificate Handling action must be changed to "Block" if the user wants to block the connection instead of tunneling it.
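The trust relationship behind the warning can be reproduced offline with OpenSSL. The script below is an added example, not Trend Micro's code or procedure: it builds a constructed proxy root, signs a certificate for a blocked site's Common Name with it, and checks that certificate against a trust store before and after the root is imported. All names (Example Proxy Root CA, Example Public Root CA, blocked.example.test) and file paths are assumptions made for the demonstration.

```shell
#!/bin/sh
# Constructed stand-ins, not IWSVA values: "Example Proxy Root CA" plays the root
# certificate stored in IWSVA, blocked.example.test plays the blocked HTTPS site,
# and "Example Public Root CA" plays a root the browser already trusts.

new_root() {  # $1 = subject CN, $2 = output path prefix
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
        -keyout "$2.key" -out "$2.pem" 2>/dev/null
}

make_demo_pki() {  # $1 = working directory
    new_root "Example Proxy Root CA" "$1/proxy_root" || return 1
    new_root "Example Public Root CA" "$1/public_root" || return 1
    # Certificate generated for the site's Common Name and signed by the proxy root
    openssl req -newkey rsa:2048 -nodes -subj "/CN=blocked.example.test" \
        -keyout "$1/leaf.key" -out "$1/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/leaf.csr" -days 1 -CA "$1/proxy_root.pem" \
        -CAkey "$1/proxy_root.key" -CAcreateserial -out "$1/leaf.pem" 2>/dev/null || return 1
    # Browser trust store before and after importing the proxy root
    cp "$1/public_root.pem" "$1/store_before.pem"
    cat "$1/public_root.pem" "$1/proxy_root.pem" > "$1/store_after.pem"
}

issuer_of() {  # $1 = certificate; prints who signed it
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253
}

trusted_by() {  # $1 = trust store (PEM bundle), $2 = presented certificate
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_demo_pki "$dir" || { rm -rf "$dir"; return 1; }
    issuer_of "$dir/leaf.pem"
    if trusted_by "$dir/store_before.pem" "$dir/leaf.pem"; then
        echo "before import: trusted"
    else
        echo "before import: untrusted (browser shows a certificate warning)"
    fi
    if trusted_by "$dir/store_after.pem" "$dir/leaf.pem"; then
        echo "after import: trusted"
    else
        echo "after import: untrusted"
    fi
    rm -rf "$dir"
}

demo
```

When troubleshooting a real client, checking the issuer of the certificate the browser actually received is the quickest way to tell a proxy-generated certificate from the website's own.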