Certificate Authority list in Skyhigh Web Gateway is outdated
Last Modified: 2023-12-12 13:22:31 Etc/GMT
Affected Products
Languages:
This article is available in the following languages:
Trellix CEO, Bryan Palma, explains the critical need for security that’s always learning.
As per Gartner, "XDR is an emerging technology that can offer improved threat prevention, detection and response."
Trellix announced the establishment of the Trellix Advanced Research Center to advance global threat intelligence.
Trellix Advanced Research Center analyzes threat data on ransomware, nation-states, sectors, vectors, LotL, MITRE ATT&CK techniques, and emails.
As of May 14, 2024, Knowledge Base (KB) articles will only be published and updated in our new Trellix Thrive Knowledge space.
Log in to the Thrive Portal using your OKTA credentials and start searching the new space. Legacy KB IDs are indexed and you will be able to find them easily just by typing the legacy KB ID.
Certificate Authority list in Skyhigh Web Gateway is outdated
Technical Articles ID:
KB75282
Last Modified: 2023-12-12 13:22:31 Etc/GMT EnvironmentSkyhigh Web Gateway (SWG)
SummarySWG contains a list of certificate authorities, which is part of the SSL Scanner feature. The list of certificate authorities is used to identify "known" certificate authorities as trusted or untrusted. These certificate authorities are trusted or explicitly untrusted to control which server certificates are valid. This list is similar to the lists of certificate authorities that are part of a web browser. But, the list needs to be centrally managed on the SWG installation.
You might find that the list you're currently using is outdated. Or, you might find that it doesn't contain all certificate authorities that are commonly used on the internet. Both could also be true. ProblemAn outdated or incomplete list of certificate authorities causes SWG to block legitimate websites. In this case, SWG indicates that the certificate authority isn't trusted or known.
CauseThe certificate authority list on your SWG installation doesn't automatically update itself by default.
SolutionThere are several options to solve this problem.
IMPORTANT: The list of certificate authorities is vital for the SSL Scanner feature. It controls whether a certificate authority is trusted or not. Because the SSL Scanner feature causes the browser internal certificate authority lists to no longer be recognized, the list on SWG must be recent. We also recommend that an administrator validate the list entries. Then, you can make sure that the listed certificate authorities are ones that your company trusts. The Trellix Online Rule Set Library contains rule sets that help to update the list. You can decide whether you want to manually update the list from time to time, automatically update the list, or maintain the list on your own. Manually Update or Maintain the List Follow the documentation attached to the Updated Certificate Authorities rule set to learn how to manually update your list to the latest version. After you finish updating the list, you can maintain the list manually. If you want to perform another update to a newer version later, follow the instructions again. Automatically Update the List If you don't want to manage the list of certificate authorities, you can accept our recommended defaults. To create a subscribed list where the content is supplied by us, see KB83780 - How to create a McAfee maintained known Certificate Authority list. Affected ProductsLanguages:This article is available in the following languages: |
|