The components of Web Isolation gateways authenticate to each other through an internal trust mechanism based on internal certificates and a self-signed CA. These are generated uniquely for each installation when the first-time wizard runs.
If these certificates have expired, pushing settings fails and the gateways show an "Error" status with "Timed out" in the details column.
This applies to web isolation on-premises only.
In a very early product version, these certificates were set to expire 5 years after the first-time wizard was run.
How To Check For Expired Internal Certificate
For GW / Management:
For PDP:
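The product-specific check commands for the GW / Management and PDP roles are not reproduced here. As an added illustration that is not part of this article or of the Web Isolation product, the following standard-library Python reads the validity period out of an X.509 certificate (PEM or DER) and classifies it as expired, expiring soon, or ok. The sample certificate it builds is constructed in the script (a validity-bearing skeleton with no real key or signature) and uses the article's 5-year lifetime; the file path and the 30-day warning threshold are assumptions.

```python
"""Check X.509 certificate expiry with only the Python standard library.

Added example, not the product's own check. Use it on any PEM/DER cert
(e.g. a gateway's internal CA cert at a path you know; the path below is
a placeholder assumption).
"""
import base64
import re
from datetime import datetime, timedelta, timezone

CERT_PATH = "/path/to/internal-ca.pem"  # placeholder, not a product path


def _read_tlv(buf, pos):
    """Read one DER TLV starting at pos; return (tag, value, next_pos)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode UTCTime (0x17) or GeneralizedTime (0x18) to an aware datetime."""
    text = value.decode("ascii")
    if tag == 0x17:
        fmt = "%y%m%d%H%M%SZ"
    elif tag == 0x18:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("unexpected time tag 0x%02x" % tag)
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)


def pem_to_der(pem):
    """Extract the first CERTIFICATE block from PEM text and base64-decode it."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()))


def certificate_validity(der):
    """Return (notBefore, notAfter) from a DER-encoded X.509 certificate."""
    _, cert, _ = _read_tlv(der, 0)           # Certificate ::= SEQUENCE
    _, tbs, _ = _read_tlv(cert, 0)           # tbsCertificate ::= SEQUENCE
    tag, _, pos = _read_tlv(tbs, 0)          # version [0] EXPLICIT, optional
    if tag != 0xA0:
        pos = 0                              # v1 cert: serial comes first
    _, _, pos = _read_tlv(tbs, pos)          # serialNumber INTEGER
    _, _, pos = _read_tlv(tbs, pos)          # signature AlgorithmIdentifier
    _, _, pos = _read_tlv(tbs, pos)          # issuer Name
    _, validity, _ = _read_tlv(tbs, pos)     # validity SEQUENCE { notBefore, notAfter }
    t1, v1, p = _read_tlv(validity, 0)
    t2, v2, _ = _read_tlv(validity, p)
    return _parse_time(t1, v1), _parse_time(t2, v2)


def expiry_status(der, now=None, warn_days=30):
    """Classify a certificate relative to `now` (defaults to current UTC time)."""
    now = now or datetime.now(timezone.utc)
    not_before, not_after = certificate_validity(der)
    if now > not_after:
        return "expired"
    if now < not_before:
        return "not-yet-valid"
    if not_after - now <= timedelta(days=warn_days):
        return "expiring-soon"
    return "ok"


def _tlv(tag, value):
    """Minimal DER encoder for the constructed sample below."""
    n = len(value)
    if n < 0x80:
        return bytes([tag, n]) + value
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + value


def build_sample_cert(not_before, not_after):
    """Constructed sample: a v3 certificate skeleton carrying only the fields
    needed to reach `validity` (dummy serial, empty issuer, no real signature)."""
    utc = lambda d: _tlv(0x17, d.strftime("%y%m%d%H%M%SZ").encode())
    version = _tlv(0xA0, _tlv(0x02, b"\x02"))
    serial = _tlv(0x02, b"\x01")
    alg = _tlv(0x30, _tlv(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _tlv(0x05, b""))
    issuer = _tlv(0x30, b"")
    validity = _tlv(0x30, utc(not_before) + utc(not_after))
    tbs = _tlv(0x30, version + serial + alg + issuer + validity)
    return _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))


if __name__ == "__main__":
    # Constructed: issued 2019-01-01 with the 5-year lifetime the article describes.
    der = build_sample_cert(datetime(2019, 1, 1, tzinfo=timezone.utc),
                            datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(certificate_validity(der), expiry_status(der))
```

On a real system, read the file and call `expiry_status(pem_to_der(open(CERT_PATH).read()))`; a result of "expired" matches the "Error" / "Timed out" symptom described above, and "expiring-soon" is the point at which to schedule the renewal before settings pushes start failing.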
Temporary Workaround Patch
Download the patch via any Web Isolation GW (even in a test tenant) with the following fgcli command:
Run the patch on every gateway
Revert Temporary Workaround Patch (only if needed!)
Download the patch removal with the following fgcli command:
Run the patch removal on every gateway
***Note: this is a temporary workaround that will not survive a version upgrade***
Permanent Solution
The workaround described above is only an immediate mitigation to stabilize the environment. The proper and permanent solution is to run the manual certificate renewal process. However, this should only be done by the Web Isolation Customer Focus team and not by Broadcom Support.
Please open a ticket with Broadcom Support and a session will be scheduled with Web Isolation Customer Focus team to run the permanent fix.
It's important to stress this is not a security vulnerability, but rather an operational issue, which results in disruption of the Web Isolation service.
This is not related to the man-in-the-middle CA certificate used in Web Isolation, but to the self-signed CA public key used for internal communication.
This issue is only relevant for on-premises customers. For cloud deployments we have ensured that no customer is impacted.