Troubleshooting
Problem
After the IBM QRadar Network Security (XGS) appliances were upgraded, some websites either become inaccessible or require lengthy connection time.
Cause
After a firmware update, the Certificate Authority (CA) trusted list is also updated, and some expired or insecure CAs are removed.
If a website is signed by the CA that has been removed from the trusted list, it would become inaccessible or require longer loading time during SSL Inspection on the client.
If a website is signed by the CA that has been removed from the trusted list, it would become inaccessible or require longer loading time during SSL Inspection on the client.
Diagnosing The Problem
In the System Events, an error event indicates "unable to get local issuer certificate" or "self signed certificate in certificate chain."
When the option "Block connection if server certificate is invalid" is enabled in Outbound SSL Inspection Settings, XGS will validate the CA certificate provide by the server.
If the CA issued by the web site is not listed in Trusted Certificate Authorities for outbound SSL, it will not be able to establish the connection.
When the option "Block connection if server certificate is invalid" is enabled in Outbound SSL Inspection Settings, XGS will validate the CA certificate provide by the server.
If the CA issued by the web site is not listed in Trusted Certificate Authorities for outbound SSL, it will not be able to establish the connection.
Resolving The Problem
To resolve the problem, you must install the CA of the web server into the Trusted Certificate Authorities to allow XGS to trust the certificate issued by the web server:
Note: Two insecure CA certificates issued by VeriSign have been removed from the latest XGS firmware update. For more information, visit:
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941
- Retrieve the CA certificate of the web server.
- From the appliance Local Management Interface (LMI), click Manage System Settings > Network Settings > Outbound SSL Inspection Settings.
- Click the Trusted Certificate Authorities tab.
- Click New to input the certificate, or click Upload to upload the certificate file.
Note: Two insecure CA certificates issued by VeriSign have been removed from the latest XGS firmware update. For more information, visit:
https://knowledge.symantec.com/support/ssl-certificates-support/index?page=content&id=ALERT1941
[{"Product":{"code":"SSFSVP","label":"IBM QRadar Network Security"},"Business Unit":{"code":"BU059","label":"IBM Software w\/o TPS"},"Component":"SSL Inspection","Platform":[{"code":"PF009","label":"Firmware"}],"Version":"5.4","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}},{"Product":{"code":"SSHLHV","label":"IBM Security Network Protection"},"Business Unit":{"code":"BU008","label":"Security"},"Component":" ","Platform":[{"code":"","label":""}],"Version":"","Edition":"","Line of Business":{"code":"LOB24","label":"Security Software"}}]
Was this topic helpful?
Document Information
Modified date:
24 January 2021
UID
swg22005572