- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
-
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
-
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
-
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
-
- Support Widget
How To block users from accessing HTTPS websites with expired certificate or Untrusted CA cert
03/26/2020 
18 People found this article helpful
100,532 Views
Description
SSL Control provides visibility into the handshake of Secure Socket Layer (SSL) sessions, and a method for configuring policies to control the establishment of SSL sessions. One of the main features of SSL control is to provide a way to specify which HTTPS certificates to block.
This article describes how to Detect connections to HTTPS websites which have either expired certificates or their CA are untrsuted using SSL Control from the LAN zone.
Resolution
Step 1: Login to the Sonicwall Management interface
Step 2: Navigate to the Network | Zones page and click on edit on the LAN zone
Step 3: Check the SSL Control check-box to enable it in the LAN Zone. This will affect all LAN users since SSL Control is enabled for LAN zone
Step 4. Navigate to the Firewall Settings| SSL Control page
Step 5. Check the Enable SSL Control check-box.
Step 6. Check the Detect Expired certificates check-box
Step 7. Click the Detect Self-signed certificate check-box
Step 8. Click the Detect Certificate signed by an untrusted CA
Although only Certificate signed by an untrusted CA and Self Signed Certificate examples are presented SSLV2 and other option can also be used.
Make sure "Block the connection and log the event" is selected
NOTE: Specific Websites which the users know are good can be added under exclusion
Step 9. Click on Accept to save
How to Test:
Step 1. Logout of the Sonicwall Management interface.
Step 2. Open an internet browser.
Try to access any SSL website which has either certificate signed by and Untrusted CA or has a Self signed certificate.
Under the Sonicwall | Log the following message will be shown
For Untrusted CA
Related Articles
- Analyzing TCP reset(RST)packets
- ‘Error sending one-time password’ encountered when connecting to NetExtender
- Supported SonicWall and 3rd party SFP and SFP+ modules that can be used with SonicWall NSsp series
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO