XG v18 does not use the Common Name of the website certificate.

For example
openssl s_client -connect www.sophos.com:443 -servername www.sophos.com
In this case, no decryption. That is normal.

openssl s_client -connect www.sophos.com:443
In this case, decryption.
I think it's because there is no SNI (Server Name Indication).

The Common Name of the certificate is www.sophos.com. "sophos.com" is included in the "Managed TLS exclusion list".
In this case, there should be No decryption. Is this wrong?

If the client does not send the SNI, I want XG to use the Common Name.

Is KB-000035867 invalid?
support.sophos.com/.../KB-000035867

I also want XG to output the Common Name in the log.

  • Be aware that the domains "*.sophos.com" and "sophos.com" are on a hidden rule called "System Exclusions", which can't be altered in any way by the Administrator user.

    Also, I didn't manage to replicate this with any other domain; could you give a better domain and server for this example?

    Edit:

    I've created a "Decrypt" rule on top of everything, and these are my results after disabling the predefined "Exclusions" rule at the top.

    2021-01-03 11:43:36 SSL/TLS inspection
    messageid="19004" log_type="SSL" log_component="SSL" log_subtype="Do not decrypt" severity="Information" user="###" src_ip="10.0.0.10" dst_ip="23.38.159.25" user_group="Auth Group" src_country="" dst_country="USA" src_port="50800" dst_port="443" app_name="" app_id="0" category="Software Updates" category_id="68" con_id="1437700480" rule_id="0" profile_id="1" rule_name="System exclusions" profile_name="Maximum compatibility" bitmask="Valid" key_type="KEY_TYPE__RSA" key_param="RSA 2048 bits" fingerprint="9c:7e:d6:2d:3d:71:bd:f6:65:1f:e1:79:b3:b4:fc:e8:c1:1d:58:14" resumed="0" cert_chain_served="TRUE" cipher_suite="TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" sni="www.sophos.com" tls_version="TLS1.2" reason="" exception="" message=""

    $ openssl s_client -connect www.sophos.com:443
    CONNECTED(00000003)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
    verify return:1
    depth=0 businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
    verify return:1
    ---
    Certificate chain
     0 s:businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

    $ openssl s_client -connect www.sophos.com:443 -servername www.sophos.com
    CONNECTED(00000003)
    depth=2 OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign
    verify return:1
    depth=1 C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
    verify return:1
    depth=0 businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
    verify return:1
    ---
    Certificate chain
     0 s:businessCategory = Private Organization, serialNumber = 02096520, jurisdictionC = GB, C = GB, ST = Oxfordshire, L = Abingdon, street = The Pentagon, O = Sophos Ltd., CN = www.sophos.com
       i:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
     1 s:C = BE, O = GlobalSign nv-sa, CN = GlobalSign Extended Validation CA - SHA256 - G3
       i:OU = GlobalSign Root CA - R3, O = GlobalSign, CN = GlobalSign

    Here's what's interesting from the Logs.

    • rule_id="0"
    • rule_name="System exclusions"
    • profile_name="Maximum compatibility"
    • sni="www.sophos.com"

    Thanks!

  • It depends on the Request.

    Web Exceptions (Web -> Exceptions) work based on the SNI.

    If you request the website based on the domain name, only a DPI exception based on the destination host can work.

  • Thank you for your reply.
    I see, there is a rule called "System exclusions".

    Another example is "www.mozilla.org".
    The Common Name of the certificate is "www.mozilla.org". "mozilla.org" is included in the "Managed TLS exclusion list".

    openssl s_client -connect www.mozilla.org:443 -servername www.mozilla.org
    In this case, No decryption.
    rule_id="1"
    rule_name="Exclusions by website or category"

    openssl s_client -connect www.mozilla.org:443
    In this case, decryption.
    rule_id is not "1".

  • Thank you for your reply.

    Does the content written in KB-000035867 describe the case of Web Exceptions?
    It says "Version: 16.01.0 onwards".
    KB-000035867 uses the Common Name, right?

    Adding the site to Web Exceptions did not change the result.

  • Web Exceptions will use the SNI, if present. This will take a higher priority. If the SNI is not present, it should fall back to the CN.

  • If it works like that, it's okay, but it seems to be different.

    Is that behavior using SNI and CN the same for Exceptions in SSL/TLS inspection rules?

  • If the client does not send SNI, the IP address is set as sni in the log. Is this related to the reason why the CN is not used?

    And it's also bad that the categories are different for IPv4 and IPv6, and they are inconsistent.

    Web policy also does not use CN.

    IPv6
    sni="2001:db8::1"
    category="InvalidUrl"

    IPv4
    sni="198.51.100.1"
    category="IPAddress"
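
To make the SNI-versus-CN question in this thread concrete, here is an added example (written for this thread, not Sophos XG code) that builds a TLS 1.2 ClientHello with and without a server_name extension, extracts the SNI the way an inspecting proxy must, and then models two exclusion-matching policies: the behaviour reported above, where a missing SNI is replaced by the destination IP in the log and therefore never matches a domain exclusion, and the behaviour the original poster expects, where the server certificate's CN is used instead. The exclusion list, the certificate CN string, the destination IP 203.0.113.10 and the ClientHello contents are all constructed for the example; how XG internally picks the name is an assumption modelled by the fallback_to_cn flag, not documented behaviour. One caveat when reproducing the openssl tests above: OpenSSL 1.1.1 and later send the -connect hostname as SNI even without -servername, so on those versions you need -noservername to produce the no-SNI case.

```python
import ipaddress
import struct

# Illustration code for the SNI/CN fallback discussion. Not Sophos XG code;
# the decision policy below is a model, not a description of the product.

EXT_SERVER_NAME = 0x0000


def build_client_hello(server_name=None):
    """Build a minimal TLS 1.2 ClientHello record, optionally carrying an SNI
    extension. Only the fields a parser has to skip over are populated."""
    body = b"\x03\x03"                                # client_version TLS 1.2
    body += b"\x11" * 32                              # random (constructed, fixed)
    body += b"\x00"                                   # session_id length 0
    body += struct.pack("!H", 2) + b"\xc0\x30"        # one cipher suite
    body += b"\x01\x00"                               # compression: null only
    exts = b""
    if server_name is not None:
        name = server_name.encode("idna")
        entry = b"\x00" + struct.pack("!H", len(name)) + name   # host_name (type 0)
        sni_list = struct.pack("!H", len(entry)) + entry
        exts += struct.pack("!HH", EXT_SERVER_NAME, len(sni_list)) + sni_list
    body += struct.pack("!H", len(exts)) + exts
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # type client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record):
    """Return the host_name from the server_name extension, or None when the
    ClientHello carries no SNI. Raises ValueError on malformed input."""
    try:
        if record[0] != 0x16:
            raise ValueError("not a TLS handshake record")
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if hs[0] != 0x01:
            raise ValueError("not a ClientHello")
        hs_len = int.from_bytes(hs[1:4], "big")
        p = hs[4:4 + hs_len]
        if len(p) != hs_len:
            raise ValueError("truncated ClientHello")
        off = 2 + 32                                          # version + random
        off += 1 + p[off]                                     # session_id
        off += 2 + struct.unpack("!H", p[off:off + 2])[0]     # cipher_suites
        off += 1 + p[off]                                     # compression_methods
        if off >= len(p):
            return None                                       # no extensions block
        ext_len = struct.unpack("!H", p[off:off + 2])[0]
        off += 2
        end = off + ext_len
        while off + 4 <= end:
            etype, elen = struct.unpack("!HH", p[off:off + 4])
            off += 4
            data = p[off:off + elen]
            off += elen
            if etype != EXT_SERVER_NAME:
                continue
            # ServerNameList: 2-byte list length, then entries of type(1)+len(2)+name
            i = 2
            while i + 3 <= len(data):
                ntype = data[i]
                nlen = struct.unpack("!H", data[i + 1:i + 3])[0]
                i += 3
                if ntype == 0:
                    return data[i:i + nlen].decode("ascii")
                i += nlen
        return None
    except (IndexError, struct.error) as exc:
        raise ValueError("malformed ClientHello") from exc


def domain_matches(name, exclusions):
    """True if name equals an exclusion entry or is a subdomain of one, so
    'www.sophos.com' matches both 'sophos.com' and '*.sophos.com'."""
    name = name.lower().rstrip(".")
    for ex in exclusions:
        ex = ex.lower().lstrip("*.").rstrip(".")
        if name == ex or name.endswith("." + ex):
            return True
    return False


def is_ip_literal(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def inspection_decision(client_hello, dst_ip, cert_cn, exclusions, fallback_to_cn):
    """Return (matched_name, decrypt). fallback_to_cn=False models the thread's
    observation: without SNI the destination IP stands in for the name (it is
    what the log shows as sni=) and can never match a domain exclusion.
    fallback_to_cn=True models the expected behaviour: use the certificate CN."""
    sni = extract_sni(client_hello)
    if sni is not None:
        name = sni
    elif fallback_to_cn and cert_cn:
        name = cert_cn
    else:
        name = dst_ip
    if is_ip_literal(name):
        return name, True          # an IP literal cannot match a domain exclusion
    return name, not domain_matches(name, exclusions)


if __name__ == "__main__":
    exclusions = ["sophos.com", "*.mozilla.org"]      # constructed exclusion list
    for hello in (build_client_hello("www.mozilla.org"), build_client_hello(None)):
        for fallback in (False, True):
            print(inspection_decision(hello, "203.0.113.10", "www.mozilla.org",
                                      exclusions, fallback))
```

Running the block prints four decisions: with SNI the name matches the exclusion under either policy, and without SNI only the CN-fallback policy avoids decryption, which is exactly the asymmetry the thread reports between the two openssl invocations.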