Understanding TLS decryption stats

XGS on 18.5.0. I'm looking at my Firewall rules and I have one that covers HTTP and HTTPS. This rule shows 6GB in and 1GB out over a period of time. I also look at my TLS Inspection Rules and I have one that also covers HTTP and HTTPS. This rule shows 2GB in and 175MB out over the same period of time.

This is a pretty large mismatch. I can imagine that some of the discrepancy is due to the Firewall's rule tracking HTTP while the TLS Inspection rule matches HTTP but doesn't actually count it. (Which makes sense: HTTP is only in this rule because I'm using a Service Group that includes HTTP and HTTPS.) But it doesn't seem to me that in this modern era 2/3 of my HTTPS/HTTP traffic is HTTP. Am I missing something?

Could also be due to exclusions, but I don't think they're THAT extensive.

(Ultimately, I'm trying to track down TCP that is SSL/TLS that is not being decrypted and not because it's on an exclusion list, to try to add it to being decrypted.)

  • The exception is that huge. Most traffic, causing big data flow, is actually excepted due to the service. Look at downloads, look at the data mass. Most of this stuff is Microsoft (Updates, O365 etc.). There is a huge download size of other stuff, which is excluded (Zoom etc.).

    They use HTTPS but it's excluded. The goal is to inspect "unknown" traffic.

  • I just checked my Firewall rule Web surfing traffic versus the Web TLS Inspection over a couple of days, and can confirm your observation about the extent of exceptions.

    Web traffic was 5.93 GB in and 2.02 GB out, and of that the decrypted was 2.88 GB in and 198 MB out. So about half of incoming and 1/10 of outgoing traffic was decrypted. Where about 3/4 of web traffic was in. Directly looking at Exceptions by website: in 1.85 GB, out 989.56 MB, so it doesn't all quite add up, but I'm still figuring it out.
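The reconciliation both the original question and the reply above are doing by hand (firewall-rule bytes versus TLS-inspection bytes versus exception bytes, and what is left over) can be expressed as a small bucketing script. The following is an added example written for this thread, not code from the forum or from Sophos; the per-connection record schema (`is_tls`, `decrypted`, `exclusion`, byte counters) is an assumed, constructed shape, not the XGS log format, so the sample connections are made up to mirror the volumes discussed above. The point is the fourth bucket: TLS flows that were neither decrypted nor matched by a named exclusion, which is the traffic the original poster wants to find.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional, Dict, List, Tuple


@dataclass
class Conn:
    """One TCP connection summary.
    Constructed schema for this example, NOT a Sophos XGS log record."""
    sni: str                  # server name from the ClientHello, or "" for plaintext
    is_tls: bool              # a TLS handshake was observed on the flow
    decrypted: bool           # the TLS inspection engine actually decrypted it
    exclusion: Optional[str]  # name of the matching exclusion/exception, if any
    bytes_in: int
    bytes_out: int


def classify(c: Conn) -> str:
    """Bucket a connection the way the thread reasons about it."""
    if not c.is_tls:
        return "plaintext_http"            # counted by the firewall rule, never by TLS inspection
    if c.decrypted:
        return "tls_decrypted"             # what the TLS Inspection rule counter shows
    if c.exclusion:
        return "tls_excluded"              # visible under "Exceptions by website"
    return "tls_not_decrypted_unexplained"  # the gap worth investigating


def summarize(conns: List[Conn]) -> Dict[str, Tuple[int, int]]:
    """Return (bytes_in, bytes_out) per bucket."""
    totals = defaultdict(lambda: [0, 0])
    for c in conns:
        bucket = classify(c)
        totals[bucket][0] += c.bytes_in
        totals[bucket][1] += c.bytes_out
    return {k: (v[0], v[1]) for k, v in totals.items()}


def firewall_view(conns: List[Conn]) -> Tuple[int, int]:
    """What the HTTP+HTTPS firewall rule counter sees: every flow."""
    return sum(c.bytes_in for c in conns), sum(c.bytes_out for c in conns)


def tls_inspection_view(conns: List[Conn]) -> Tuple[int, int]:
    """What the TLS Inspection rule counter sees: decrypted flows only."""
    dec = [c for c in conns if c.is_tls and c.decrypted]
    return sum(c.bytes_in for c in dec), sum(c.bytes_out for c in dec)


def unexplained(conns: List[Conn]) -> List[Conn]:
    """TLS flows that were not decrypted and match no exclusion."""
    return [c for c in conns if classify(c) == "tls_not_decrypted_unexplained"]


# Constructed sample connections (hostnames and sizes are illustrative only).
SAMPLE = [
    Conn("", False, False, None, 100_000, 10_000),                         # plain HTTP
    Conn("www.example.com", True, True, None, 500_000, 50_000),            # decrypted
    Conn("update.example-vendor.test", True, False, "Vendor-Updates",
         2_000_000, 20_000),                                               # excluded
    Conn("meet.example-conf.test", True, False, "Conferencing",
         800_000, 400_000),                                                # excluded
    Conn("unknown.example.test", True, False, None, 300_000, 30_000),      # the gap
]

if __name__ == "__main__":
    print("firewall rule   :", firewall_view(SAMPLE))
    print("TLS inspection  :", tls_inspection_view(SAMPLE))
    for bucket, (bin_, bout) in sorted(summarize(SAMPLE).items()):
        print(f"{bucket:32s} in={bin_:>9,} out={bout:>9,}")
    for c in unexplained(SAMPLE):
        print("investigate:", c.sni, c.bytes_in, c.bytes_out)
```

Run on real data, the interesting output is the last loop: each `unexplained` entry is a candidate for a new decryption rule or for confirming why the engine skipped it (for instance a non-web port, or a protocol the inspection engine does not handle), which is exactly the list the original question asks how to build.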
