Regenerating a software license for ProxySG 300-5 and 9000-5/10/20 units adds an SSL-Proxy license; in some cases, this can cause SSL traffic to be blocked


Technical Alert

Affected Products


SG9000-30/40, SG300-10/35, SG600 and SG900 units all have the SSL Proxy functionality present by default. This change does not impact SG210, SG510, SG810 or SG8100 units.


When regenerating a software license for the above-mentioned hardware (common when adding or removing a feature from a licensed product), an SSL Proxy license will be added. The addition of an SSL Proxy license can cause traffic directed to SSL sites to be blocked in the following use cases:

1. If all of the following are true:

  •    A TCP-Tunnel or HTTP service is configured and set to "Intercept"
  •    Protocol Detection has been enabled on that service (it is disabled by default)
  •    SSL traffic is sent through that service

2. If at any time in the past an SSL-Intercept policy was created, but not disabled because there was no valid SSL Proxy license.

3. If a SOCKS proxy or "Default" service is configured to intercept, and protocol detection has been enabled (again, this is disabled by default).

In these cases, blockage occurs when SSL traffic goes to a server that uses an SSL certificate that is not trusted by the ProxySG appliance. When this happens, the client will not be given an option to accept the untrusted certificate and the client will be delivered an exception page (denial).
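One way to check a service inventory against the three use cases above before regenerating the license. This is an added example, not Blue Coat code. The Service fields, the audit() helper and the sample inventory are assumptions, and the inventory is meant to be transcribed by hand from the appliance's service configuration.

```python
from dataclasses import dataclass

CASE1_PROXIES = {"tcp-tunnel", "http"}  # proxy types named in use case 1
CASE3_PROXIES = {"socks", "default"}    # proxy types named in use case 3

@dataclass
class Service:
    """Hypothetical record for one configured proxy service."""
    name: str
    proxy: str                  # "http", "tcp-tunnel", "socks", "default", ...
    action: str                 # "intercept" or "bypass"
    detect_protocol: bool       # Protocol Detection (disabled by default)
    carries_ssl: bool = False   # operator's judgement: can SSL reach this service?

def audit(services, ssl_intercept_policy_exists):
    """Return (use_case, subject) pairs that match the alert's conditions."""
    findings = []
    for svc in services:
        # Use cases 1 and 3 both need Intercept plus Protocol Detection enabled.
        if svc.action.lower() != "intercept" or not svc.detect_protocol:
            continue
        proxy = svc.proxy.lower()
        if proxy in CASE1_PROXIES and svc.carries_ssl:
            findings.append((1, svc.name))
        elif proxy in CASE3_PROXIES:
            findings.append((3, svc.name))
    # Use case 2 is about policy history, not about any single service.
    if ssl_intercept_policy_exists:
        findings.append((2, "SSL-Intercept policy"))
    return findings

# Constructed sample inventory (not taken from a real appliance).
SAMPLE = [
    Service("HTTP", "http", "intercept", True, carries_ssl=True),
    Service("Explicit-8080", "http", "intercept", False, carries_ssl=True),
    Service("Mail-tunnel", "tcp-tunnel", "intercept", True, carries_ssl=False),
    Service("SOCKS", "socks", "intercept", True),
    Service("Default", "default", "bypass", True),
]

if __name__ == "__main__":
    for case, subject in audit(SAMPLE, ssl_intercept_policy_exists=True):
        print(f"use case {case}: {subject}")
```

An empty result means none of the three use cases matched the inventory as transcribed; any finding should be handled with option A or B below before the license is regenerated.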

To prevent these blockages, you can do one of two things:

A) Add a policy to disable SSL interception

  •    In the Visual Policy Manager, create a NEW "Web Access Layer" (do NOT reuse an existing one for this).
  •    Change the action on the rule to "Disable SSL Detection" instead of the "deny" present in that rule by default.
  •    Place this layer last to ensure the rule is applied. To change its location, click the Edit menu, then the "Reorder layers..." option.
  •    If you are using a combination of policies created in the Visual Policy Manager and another policy file such as Local or Central, please open a support ticket for assistance in getting this policy installed in those files.

B) Disable protocol detection on all service ports where SSL traffic may inadvertently go.

NOTE: Regenerating the license (and therefore adding the SSL Proxy license) is a permanent change. You cannot revert the license to remove the SSL Proxy functionality.


Previously, the SSL Proxy license was offered as an option that was purchased separately. Complimentary SSL Proxy licenses are now offered to provide more functionality on the latest generation hardware at no additional cost. Complimentary licenses are not available on older-generation hardware.


This is an intentional change, and thus there is no "resolution" for this.


Do not regenerate the license if you wish to retain the old functionality.

InQuira Doc Id      TFA65
First Published      10/01/2014
Last Modified      10/01/2014
Last Published      10/01/2014
Product      SG300, SG600, SG9000
Software      SGOS 5.5, SGOS 6
Topic      Configuration / WUI / CLI, Installation / Configuration, Licensing, Policy Management, Services, SSL / HTTPS, Upgrade / Maintenance
Article Number      000007621