Understanding TLS decryption stats

XGS on 18.5.0. I'm looking at my Firewall rules and I have one that covers HTTP and HTTPS. This rule shows 6GB in and 1GB out over a period of time. I also look at my TLS Inspection Rules and I have one that also covers HTTP and HTTPS. This rule shows 2GB in and 175MB out over the same period of time.

This is a pretty large mismatch. I can imagine that some of the discrepancy is due to the Firewall rule tracking HTTP while the TLS Inspection rule matches HTTP but doesn't actually count it. (Which makes sense: HTTP is only in this rule because I'm using a Service Group that includes HTTP and HTTPS.) But it doesn't seem to me that in this modern era 2/3 of my HTTPS/HTTP traffic is HTTP. Am I missing something?

Could also be due to exclusions, but I don't think they're THAT extensive.

(Ultimately, I'm trying to track down TCP that is SSL/TLS that is not being decrypted and not because it's on an exclusion list, to try to add it to being decrypted.)

  • The exception is that huge. Most traffic, causing big data flow, is actually excepted due to the service. Look at downloads, look at the data mass. Most of this stuff is Microsoft (Updates, O365 etc.). There is a huge download size of other stuff, which is excluded (Zoom etc.).

    They use HTTPS but it's excluded. The goal is to inspect "unknown" traffic.

  • Ah, okay. Thanks for letting me know. I tend to not be too anal about most things, but I really, really wanted to get the Decrypted up to nearly 100%. (I think the TLS log only logs things where it makes a decision, and doesn't log things that fall off the end of the TLS rules. I guess I could throw a don't decrypt at the end and see what it spews, though even then, using the most compatible setting I figure it can still reject some things.)

    In my case, I have one Windows machine on the network that's for a client, and the rest is Apple or other. Lots of Apple exceptions in the Sophos list so that probably accounts for a lot of the non-decrypted traffic as you say.

    If our mail server is external, is there any advantage to trying to decrypt IMAPS, POP3S, SMTPS on general principle? (I don't have the Mail XG subscription because it's oriented towards having an internal mail server.) My guess is that email will detect the man-in-the-middle and have a fit, but if it's not worth doing -- i.e. no concrete benefits from IPS or other -- I won't bother trying.

  • I just checked my Firewall rule Web surfing traffic versus the Web TLS Inspection over a couple of days, and can confirm your observation about the extent of exceptions.

    Web traffic was 5.93 GB in and 2.02 GB out, and of that the decrypted was 2.88 GB in and 198 MB out. So about half of incoming and 1/10 of outgoing traffic was decrypted, where about 3/4 of web traffic was in. Directly looking at Exceptions by website: in 1.85 GB, out 989.56 MB, so it doesn't all quite add up, but I'm still figuring it out.