Watchguard XTM HTTPS Deep Inspection with Active Directory

On the XTM:

Create the firewall CSR in Firebox System Manager, using the certificate type Proxy Authority

On the Domain Controller:

– Upgrade the DC certificate authority so it issues SHA-256 certificates (link)

– Export the root and intermediate CA certificates in Base64 format

– Submit the firewall CSR at http://DC-ip/certsrv, requesting the subordinate CA type

– Export the issued firewall certificate in Base64 format

On the XTM:

– Import the root certificate first, then the intermediate, with type IPSec, Web Server, Other

– Then import the firewall certificate with type Proxy Authority

Create an HTTPS proxy policy in Policy Manager

Content Inspection: enable deep inspection, do not allow SSLv3, set the action to Inspect

Domain Names: None Matched: Inspect

Test whether the firewall issues the expected certificates by checking the certificate shown in your browser.
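The same check from the command line, as an added example that is not part of the original notes: from a client behind the XTM, pull the leaf certificate a site presents and confirm its issuer is the Proxy Authority you created above rather than the public CA. It assumes openssl is installed and that the issuer CN "Firebox Proxy Authority" is a placeholder for whatever name you put in the Proxy Authority CSR.

```shell
#!/bin/sh
# Added example, not from the original notes. Verifies that HTTPS traffic is
# being re-signed by the XTM's Proxy Authority (the subordinate CA issued by
# the DC), which is what a working deep-inspection setup looks like to clients.
# Assumes: openssl on the client; EXPECTED_ISSUER_CN is a placeholder for the
# CN you used in the Proxy Authority CSR.

EXPECTED_ISSUER_CN="${EXPECTED_ISSUER_CN:-Firebox Proxy Authority}"

# Print the CN of the issuer of a PEM certificate file.
issuer_cn() {
    openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 |
        sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Fetch the leaf certificate presented for HOST (port 443) and save it as PEM.
fetch_leaf() {
    host="$1"; out="$2"
    openssl s_client -connect "$host:443" -servername "$host" </dev/null 2>/dev/null |
        openssl x509 -outform PEM > "$out"
}

# Exit 0 if the certificate in file $1 was issued by the Proxy Authority,
# non-zero if it still carries the public CA's issuer (not inspected, or the
# wrong certificate was imported on the XTM).
inspected_by_firewall() {
    [ "$(issuer_cn "$1")" = "$EXPECTED_ISSUER_CN" ]
}

# Usage: sh check_inspection.sh www.example.com  (run from inside the network)
if [ -n "$1" ]; then
    tmp=$(mktemp)
    fetch_leaf "$1" "$tmp"
    if inspected_by_firewall "$tmp"; then
        echo "$1: re-signed by '$EXPECTED_ISSUER_CN' (deep inspection active)"
    else
        echo "$1: issuer is '$(issuer_cn "$tmp")' (not inspected, or wrong cert imported)"
    fi
    rm -f "$tmp"
fi
```

If the issuer printed is the public CA, the HTTPS proxy policy is not matching that traffic or the Proxy Authority certificate was not imported with the right type.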
