Block Notification Page Should Be Secure
When a user should be seeing the block notification when they hit a web protection rule, instead they get a security warning from the browser. According to support, "As XG is only rewriting the content of the webpage on the blocking and not rewriting the URL itself that is why you are seeing certificate error on the block page." This happens even though we have a valid public certificate set up on the XG.
So if a user is trained correctly, they will not bypass the security warning and will never see the descriptive block notification. This should be corrected.
A browser will only accept an HTTPS connection if it believes it has come from the server it was trying to connect to. It is necessary to create a certificate that looks like it comes from the server, just like we do for HTTPS decryption. This will only be trusted if the client device trusts the certificate authority that is installed on the device for HTTPS decryption. In version 17.5 we introduced an option where we will just drop the connection instead of trying to connect and return a block page. This avoids the security warnings, but the user just sees a dropped connection.
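
The two checks described in the reply above, modeled as an added example that is not part of the original thread or of the product's code. It is a simplified sketch of browser certificate validation (issuer trust plus hostname match); every hostname, CA name and certificate in it is constructed for illustration.

```python
# Simplified model of the checks a browser applies to the certificate that
# arrives with an HTTPS block page. All names below are constructed.

def name_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: '*' may only replace the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse wildcards directly under a top-level label such as "*.org".
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def browser_verdict(requested_host, cert, trusted_cas):
    """Return 'ok', or the reason the browser would show a security warning."""
    if cert["issuer"] not in trusted_cas:
        return "untrusted issuer"
    if not any(name_matches(san, requested_host) for san in cert["san"]):
        return "hostname mismatch"
    return "ok"

PUBLIC_CAS = {"Constructed Public CA"}              # stand-in for the OS trust store
DECRYPT_CA = "Constructed Firewall Decryption CA"   # hypothetical decryption CA

# The firewall's publicly issued certificate: valid only for its own name.
appliance_cert = {"issuer": "Constructed Public CA", "san": ["fw.corp.example"]}

def per_site_cert(host):
    """Certificate generated for the requested site, as in HTTPS decryption."""
    return {"issuer": DECRYPT_CA, "san": [host]}

def scenarios(blocked="blocked.example.org"):
    managed = PUBLIC_CAS | {DECRYPT_CA}  # client with the decryption CA installed
    return {
        "public cert on block page": browser_verdict(blocked, appliance_cert, PUBLIC_CAS),
        "per-site cert, CA missing": browser_verdict(blocked, per_site_cert(blocked), PUBLIC_CAS),
        "per-site cert, CA installed": browser_verdict(blocked, per_site_cert(blocked), managed),
    }

if __name__ == "__main__":
    for case, verdict in scenarios().items():
        print(f"{case}: {verdict}")
```

Only the last scenario passes, which is why a valid public certificate on the appliance does not remove the warning and why unmanaged devices without the decryption CA still see one.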