Browser TLS 1.3 activated and your Firewall can’t handle it?

by butsch 2. September 2020 17:57

TLS 1.3

Some modern Browser switch to TLS 1.3 automatic if the Web server on the other side supports this. Like Version 72 of Chrome.exe or even your OS is like Windows 10 Buildnummer 20170 upwards (That means the OS itself). So it's all safer and faster?

The problem is that some Next Generation Web Filter (Firewall) can't look into the SSL-encryption anymore and find malware/Ransomware. With Browser self updating mechanism like in Chrome or Edge Chromium you suddenly have a constellation that you did not want. While you approved IE11/EDGE Updates in WSUS and mostly checked each new Release of the Browser before releasing it this has changed.

The interesting point is that also some Load Balancer are only able to break (Deep Inspect) traffic with really new Firmware releases. Customers demanded that feature since 2017 we see in diverse blogs and feature request portals of producers. So if you want to sniff into SSL (Break SSL Stream) and you're Firewall can't handle TLS 1.3 special you currently have a problem.

Check if your browser has TLS 1.3 active is easy


chrome://flags/#tls13-variant (Since Version 72 TLS 1.3 default)



As example Type edge://flags/ in the Browser URL window.

Or jump direct to the TLS 1.3 setting with edge://flags/#enable-tls13-early-data

Open following URL / Test Website to see what's supported:



Read more:





Hotfixes / Updates | W10 | SECURITY | FW Fortigate | FW Sophos

Missing entry in Fortigate Application Filter ROOT.CERTIFICATE.URL and OCSP source of W10 Setup failing

by butsch 31. October 2018 21:35

Fortigate Application Filter Certificate wrong/missing Entry sample for an important laptop driver (W10 Deployment fails because of signed Driver Revocation Lookup)

OR HOW a missing small ENTRY I a FORTIGATE FIREWALL IPS/APP filter can ruin your Windows 10 OS-Deployment work.


Reason: Missing entry in Fortigate Application Filter "ROOT.CERTIFICATE.URL" and "OCSP" source of failing deployment


Windows 10 Deployment with commercial Deployment Products (This includes HP client hardware, Microsoft SCCM, Landesk or Ivanti Frontrange).

During the Unattend phase the driver for MASS storage or NIC does a Certificate Revocation Lookup. However the as sample mentioned

URL (Hardware Driver URL, CRL FQDN) is missing in Fortiguard definitions. Thus the Fortigate does block the access to WAN. Since this is an early setup phase of W10, group Policy or special GPO do not pull at that moment.


Fortigate has already missed several PKI URL the last few months confirmed by ticket resulting in large trouble and delay on client and Server OS of customers who route their Client or Server traffic through Web proxy and because of security do not want to route computer account proxy traffic standard to the proxy.


Why this is so important. Why this is generating a lot of work and trouble for OS-Deployment teams.


The normal way in larger companies is that all outgoing traffic from client VLAN goes to Firewall which it blocks. All Web/Application/Socks traffic that should go outside goes to a Proxy, Web filter.

Because in early phase of Deployment those options are not set already and normally not needed. However if the driver is older than the Expiration of the Code Signing Certificate W7/W10 will check

The Certificate Revocation list from WAN/Internet. If that fails it may refuse to integrate the driver in Windows PE or early Windows Setup phase. If example this is a driver which

handels NIC (network) or mass Storage driver (Disk) they deployment can't run through this early process.





URL we need open in our sample: which prevents a complete Enterprise Deployment system to fail




Sample from Fortigate for other Certs they missed:


F-SBID( --name "Root.Certificate.URL_Custom"; --protocol tcp; --app_cat 17; --service HTTP; --flow from_client; --pcre "/(crl\.microsoft\.com|\.omniroot\.com|\.verisign\.com|\.symcb\.com|\.symcd\.com|\.verisign\.ne t|\.geotrust\.com|\.entrust\.net|\.public- trust\.com|\.globalsign\.|\.digicert\.com|crl\.startcom\.|crl\.cnnic\.cn|crl\.identrust\.com|crl\.thaw te\.com|crlsl\.wosign\.com|www\.d\-trust\.net)/"; --context host; --weight 15; )


In our case:


F-SBID( --name ""; --protocol tcp; --app_cat 17; --service HTTP; -- flow from_client; --pcre "/(pki\.infineon\.com)/"; --context host; --weight 15; )

Please also see: | The certificate is invalid for exchange server usage Exchange 2010 SAN/UC

So you understand that this is a problem which persists over all firewall producers:

Symantec: About the Install Readiness Check for Certificate Revocation List access

TEND MICRO: After upgrading OfficeScan, users complained that the server started to rename all files in the OfficeClient Directory to "_invalid".
Below is a sample list of files in the D:\app\Trend Micro\OfficeScan\PCCSRV\Admin directory:


If there is no Internet connection, then CRL fetch and intermediate CA fetch will fail (this will be logged). The inspection will take place; however, URL-based or Category-based bypassing will not work.

Note: The CRL verifications are performed in the background asynchronously while matching the security policy (this mimics the behavior of the major web browsers).

Untrusted certificates and lack of CRLs can be configured as reasons to drop the connection






Deployment | Microsoft SCCM/MEM/MDT | Scripting | Ivanti Frontrange Enteo | W10 | M365/AZURE | SECURITY | FW Fortigate | FW Sophos | Mcafee ENS, EPO, DLP, TIE, ATD, VSE, MSME

SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

by butsch 11. June 2018 00:08

SOPHOS UTM 9.4 VMware on ESXi does not start after crash of ESX or Storage

File system inconsistency - cannot run fsck

  • The console hangs at Press F2 with white Screen you can't logon or ping the machine
  • You can't connect with SSH
  • You can't acces the machine on port 4444
  • You DID not move the machine (COPY) NORE did you change something with NIC or MAC
  • You prob. had a crash on the ESXi, the storage or Disk system itself
  • You assume that Linux file system are robust and think they can't crash (Look like not…)

If you try the Rescue boot Option you should LOGON ONLY with root. However you are Windows User and always logon with admin and password through web console on port 4444. I am absolute sure there is Documentation on this and if you have Setup and read the Manual like Sophos wants you > Then you have that password.

Here is how to repair the File System with absolute almost no TUX knowledge and without having the root password! (Kind of strange but well you need physical access or console Access) so…



Reboot the UTM machine in ESXi-console


Press ESC

Type "e" on keyboard once (Nothing else)

Choose the options which looks like this (similar)

If you are in the ESXi-CONSOLE end following to the command which is displayed now (At the end of existing command). Just behind the *******silent


If you search CHARS on non us-keyboard:

On GERMAN OR SWISS GERMAN the = is right under the F10 keyboard on NON US-keyboard layouts! The "/" on the 10 numeric block.



PRESS "b" to load the modified boot Setting

When the System stops it will stay at CLI now

Run cli command

"Fsck /dev/sda6"

or whever you corrupt file system is (It will show you in the errors as sample below)

On every question he will ask answer "y"

Comment Windows Senior System Engineer > Nobody understands what it says. Not even the guy who coded it we guess….

Reboot the System with CTRL-ALT-DEL from ESXi (Send command)

Here is how to reset Sophos passwords. We ONLY used step 1-10 for the repair of File System.







SOPHOS: Unable to SSH after Update to 9.4 latest Release 9.404-5

by butsch 20. July 2016 03:35

You did all right as mentioned under but are unable to logon:

Error: Network error:Software caused connection abort

Solution: download latest Version from Putty and it will work again





Sophos UTM 9.314-13 Data Disk is filling up

by butsch 8. October 2015 19:20

We use the Sophos appliance under Vmware ESXi Transparent behind our commercial Firewalls (Just some Wireshark replacment ;-)

The box looks real good and is easy to use. The Interface and GUI are just perfect. I like the Realtime options.

Like most of the times when you search for a solution for a linux Problem there seem to be 40 different

Solutions and Rekommandation. Worst case you update Perl, the Kernels and Download 2'000 files. Nobody knows what it does exept the guy who wrote it but thats the same under Windows sometimes.



Here is how to check the space and enable SSH which is more complicated because you have to enable SSH with a key.


After your cleaned up with this method:


Alert E-Mail you get

Data Disk is filling up - please check. Current usage: 98%


System Uptime : 11 days 20 hours 21 minutes

System Load : 0.06

System Version : Sophos UTM 9.314-13


Please refer to the manual for detailed instructions.


First to do that you have to enable SSH and you have to generate a KEY so you can logon with root

They Made that very nice on the Sophos compared to other appliances ;-)

* Enable SSH

* make a private / Public key with PUTTYGEN.exe

* make the key (Save Public and private)

Mark they Public Key fully and paste it into the SOPHOS appliance (Next Screen)



Then give PUTTY.EXE that key to work with:


Now you are able to Logon with root to the Sophos and search for Big files.

cd /var/storage
du -sh *

There was 1.2 Gigabyte of files under: /var/storage/pgsql92/data after 2 weeks.

Got to the Directory:

cd /var/storage/pgsql92/data/pg_xlog

List with:


Now mark and pick the highest number you see there. You want to truncate until that.

Command for above screenshot

pg_archivecleanup /var/storage/pgsql92/data/pg_xlog 000000010000000300000092


Check in GUI



Werbung von Drittfirmen (Nicht Butsch Informatik):

Werbung von Drittfirmen via Google Adsense: