in the Forward Proxy Decryption profile or in the No Decryption profile, the firewall blocks the session whenever a server presents an expired certificate. However, if a site that you need to access for business reasons allows its certificate to expire, connections to that site are blocked and you may not know why.
You can use the Decryption log to check for expired certificates and for certificates that will expire soon, so that you are aware of the situation and can take appropriate action before it affects users.
Filter the Decryption log for expired certificates using the query (error eq 'Expired server certificate'). The results identify the servers that generate the Expired server certificate error; the firewall blocks access to these servers because of the expired certificate.
Double-check the certificate expiration date at the Qualys SSL Labs site. Enter the hostname of the server (the Server Name Indication value shown in the Decryption log entry) and submit it to view certificate information for the host. An independent check also rules out a wrong clock on the firewall, which would make valid certificates appear expired.
Filter the Decryption log for certificates that will expire soon using a query that identifies upcoming certificate end dates. For example, if today's date is February 1, 2020 and you want to give yourself two months to evaluate and prepare in case sites don't update their certificates, query the Decryption log for certificates that expire on or before April 1, 2020: (notafter leq '2020/04/01'). The certificate end date column shows the exact date on which each certificate expires.
Determine the action to take for sites with expired certificates.
If you don’t need to access the site for business purposes,
the safest action is to continue to block access to the site.
If you need to access the site for business purposes, take
one of the following actions:
Contact the administrator
of the site with the expired certificate and notify them that they
need to update or renew their certificate.
Create a Decryption policy rule that applies only to the sites with expired certificates that you need for business purposes, and attach a Decryption profile that allows sessions with expired certificates. Do not apply the rule to any sites that you don't need for business purposes, because it removes a check that the firewall performs for every other site. When a site updates its certificate, remove it from the rule.
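The two log filters above can also be run offline against an exported copy of the Decryption log, which is useful for a scheduled report. The following is an added example written for this page, not code from the firewall vendor: it takes the field names (sni, error, notafter) and timestamp format from the filter syntax shown above, and the log rows it parses are constructed for illustration. It reproduces the expired-certificate query, the "ends on or before a cutoff" query, and builds the equivalent firewall filter string for the chosen lookahead window.

```python
import csv
import io
from datetime import date, datetime, timedelta

# PAN-OS writes log timestamps as 'YYYY/MM/DD hh:mm:ss'.
PAN_TS_FORMAT = "%Y/%m/%d %H:%M:%S"
PAN_DATE_FORMAT = "%Y/%m/%d"
EXPIRED_ERROR = "Expired server certificate"

# Constructed sample, shaped like a CSV export of the Decryption log with only
# the columns this example uses. Hostnames and dates are made up.
SAMPLE_LOG = """receive_time,sni,error,notafter
2020/02/01 09:12:03,expired.example.com,Expired server certificate,2020/01/15 23:59:59
2020/02/01 09:13:44,soon.example.com,,2020/03/20 12:00:00
2020/02/01 09:14:10,fine.example.com,,2021/06/30 00:00:00
2020/02/01 09:15:27,expired.example.com,Expired server certificate,2020/01/15 23:59:59
2020/02/01 09:16:02,edge.example.com,,2020/04/01 00:00:00
2020/02/01 09:17:45,nocert.example.com,,
"""


def parse_log(text):
    """Parse exported Decryption log CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def parse_pan_time(value):
    """Parse a PAN-OS timestamp field; return None when the field is empty."""
    value = (value or "").strip()
    return datetime.strptime(value, PAN_TS_FORMAT) if value else None


def as_date(value):
    """Accept a date or a 'YYYY/MM/DD' string and return a date."""
    if isinstance(value, date):
        return value
    return datetime.strptime(value, PAN_DATE_FORMAT).date()


def expired_servers(rows):
    """Servers logged with the 'Expired server certificate' error: the hosts
    the filter (error eq 'Expired server certificate') returns. The firewall
    is blocking these sessions now."""
    return sorted({r["sni"] for r in rows if r.get("error") == EXPIRED_ERROR})


def cert_end_dates(rows):
    """Earliest certificate end date (notafter) seen per server."""
    ends = {}
    for r in rows:
        end = parse_pan_time(r.get("notafter"))
        if end is None:
            continue  # no certificate details in this entry; nothing to check
        sni = r["sni"]
        if sni not in ends or end < ends[sni]:
            ends[sni] = end
    return ends


def certs_ending_by(rows, cutoff):
    """Servers whose certificate ends on or before cutoff: the same set the
    filter (notafter leq 'YYYY/MM/DD') returns, already-expired ones included."""
    cutoff = as_date(cutoff)
    return {sni: end for sni, end in cert_end_dates(rows).items()
            if end.date() <= cutoff}


def pan_query_ending_by(cutoff):
    """Build the Decryption log filter string for the same check."""
    return "(notafter leq '%s')" % as_date(cutoff).strftime(PAN_DATE_FORMAT)


def expiry_report(rows, today, lookahead_days=60):
    """Look lookahead_days ahead of today and split matching servers into
    'expired' (end date already past) and 'expiring' (ends within the window),
    each mapped to days remaining (negative when already past)."""
    today = as_date(today)
    cutoff = today + timedelta(days=lookahead_days)
    report = {"cutoff": cutoff, "query": pan_query_ending_by(cutoff),
              "expired": {}, "expiring": {}}
    for sni, end in certs_ending_by(rows, cutoff).items():
        days = (end.date() - today).days
        report["expired" if days < 0 else "expiring"][sni] = days
    return report


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("blocked now (expired certificate error):", expired_servers(rows))
    rep = expiry_report(rows, "2020/02/01", lookahead_days=60)
    print("equivalent firewall filter:", rep["query"])
    for sni, days in sorted(rep["expiring"].items(), key=lambda kv: kv[1]):
        print(f"{sni}: certificate ends in {days} days")
```

Rows with an empty notafter field (no certificate details logged for the session) are skipped rather than treated as a date error, and each server is reported once using the earliest end date seen for it, so a host that rotated to a new certificate during the log window still surfaces if any session saw the old one.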