Even though HTTPS decryption is disabled, the web browser displays a certificate warning message instead of the web content when browsing through InterScan Web Security Virtual Appliance (IWSVA) 6.5.
If an HTTPS website is blocked by one of the IWSVA functionalities, such as URL filtering, IWSVA will try to establish a connection with the HTTPS website or client in order to display the security event.
As a result, when IWSVA receives the server certificate, it performs the following actions against the HTTPS URL, similar to HTTPS decryption mode:
- Verifying the HTTPS website's server certificate
- Generating a certificate signed by IWSVA for the HTTPS website's Common Name (FQDN)
The features affected by this logic are the following:
- HTTP > URL Filtering
- HTTP > URL Access Control > Global URL Blocking
- HTTP > Configuration > Access Control Settings > HTTPS Ports
For the certificate warning message shown when redirected to HTTP > Advanced Threat Protection > Policies > Virus/Malware Scan Rule > Scan before delivering, the WebUI's certificate must be imported into each web browser.
For more information, refer to the KB article: Web browser security warnings appear when using the "Scan before delivering" feature in InterScan Web Security Virtual Appliance (IWSVA) 6.5.
To resolve this issue:
To avoid the web browser's certificate warning message, the root certificate stored in IWSVA must be imported into the web browser as a Trusted Root Certification Authority.
If the user wants to block the connection instead of tunneling it, the Client Certificate Handling action must be changed to "Block".
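The trust relationship behind the root certificate import, as an added example that is not part of the original article or any Trend Micro tooling: a leaf certificate generated for a site's Common Name verifies only when the signing root is in the trust store. It assumes the `openssl` command line is installed; the constructed root stands in for the IWSVA root, and all file names, subject names and the `WORK` directory are assumptions.

```shell
#!/bin/sh
# Constructed certificates only; no appliance or network access is used.
# WORK, the file names and the subject names are assumptions for this demo.
WORK="${TMPDIR:-/tmp}/proxy-trust-demo.$$"
trap 'rm -rf "$WORK"' EXIT

# Create a stand-in proxy root CA, a leaf it signs for one FQDN, and an
# unrelated root that represents a browser store without the proxy root.
make_sample_certs() {
    mkdir -p "$WORK" || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Proxy Root CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Constructed Other Root CA" \
        -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null || return 1
    openssl req -newkey rsa:2048 -nodes -subj "/CN=blocked.example.test" \
        -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$WORK/leaf.csr" -days 1 -CA "$WORK/root.pem" \
        -CAkey "$WORK/root.key" -CAcreateserial \
        -out "$WORK/leaf.pem" 2>/dev/null
}

# Print the issuer of a PEM certificate, e.g. one saved from the warning page.
issuer_of() {
    openssl x509 -in "$1" -noout -issuer
}

# Succeed only when certificate $1 chains to trust anchor $2.
chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

make_sample_certs || { echo "openssl failed" >&2; exit 1; }
issuer_of "$WORK/leaf.pem"
for anchor in other root; do
    if chains_to "$WORK/leaf.pem" "$WORK/$anchor.pem"; then
        echo "trusting $anchor.pem: leaf verifies, no warning expected"
    else
        echo "trusting $anchor.pem: verification fails, browser would warn"
    fi
done
```

With real files, `chains_to` takes the certificate saved from the browser warning and the root certificate exported from IWSVA, both in PEM format.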