Guest User!

You are not Sophos Staff.

Thread Info
  • State Verified Answer
  • Locked Locked
  • Replies 4 replies
  • Subscribers 28 subscribers
  • Views 767 views
  • Users 0 members are here
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

TLS Inspection not on HTTPS

Kaspar Janßen

Hello,

I have noticed something I didn't expect and wonder if I misunderstood something or my firewall is "misbehaving".

To decrypt HTTPS traffic I have to enable "Scan HTTP and decrypted HTTPS"...

... and need a TLS Inspection rule that decrypts that https traffic. I got that.

Scan HTTP and decrypted HTTPS

Select to scan web traffic for malware.

This option doesn't turn on HTTPS decryption. To ensure HTTPS traffic is decrypted for scanning, use SSL/TLS inspection rules in DPI mode or select Decrypt HTTPS during web proxy filtering.

https://docs.sophos.com/nsg/sophos-firewall/18.5/Help/en-us/webhelp/onlinehelp/nsg/sfos/tasks/FirewallRuleAdd.html

If I don't enable "Scan HTTP and decrypted HTTPS" the HTTPS Traffic is not decrypted even when I have a matching TLS Inspection rule. So I need both the decrypt HTTPS. My consultant tells me that only a TLS Inspection rule is enough.

Can someone please confirm that I did everything right (fw rule + tls rule) or does my XG misbehave?

Thanks

Kaspar



This thread was automatically locked due to age.
Parents
  • 0

    This "Checkbox" simply mean, it will scan HTTP traffic (which is not encrypted) and HTTPS traffic IF possible. The HTTPS can only be scanned, if "something" decrypts it. 

    The proxy can decrypt the traffic (This are the checkboxes on the right). Or the DPI Engine can do this for you. 

    This checkbox only means, it will do AV scanning for traffic, matching one of both conditions: HTTP (unencrypted) or HTTPS (decrypted). It will not decrypt anything. 

  • 0 in reply to LuCar Toni

    Ok, I understand. I think I have to make it more clear:

    That page tells me that the traffic will be decrypted based on the TLS inspection rule. That is not the reality because I didn't set "Scan HTTP and decrypted HTTPS".

  • +1 in reply to Kaspar Janßen

    TLS/SSL Inspection rule has no relationship to the Checkbox, you are talking about. The Part, you describe is only the AV engine "looking into the traffic". 

    The decryption is enabled based on your TLS/SSL Inspection rule.

    Let rephrase this:

    If you download a Eicar test virus via HTTP, you can block this by enable "Scan HTTP and decrypted HTTPS". 

    If you download a Eicar Test virus via HTTPS, you can only block this by enable "Scan HTTP and decrypted HTTPS" AND enable a Decryption method like TLS/SSL Decryption rule. 

Reply
  • +1 in reply to Kaspar Janßen

    TLS/SSL Inspection rule has no relationship to the Checkbox, you are talking about. The Part, you describe is only the AV engine "looking into the traffic". 

    The decryption is enabled based on your TLS/SSL Inspection rule.

    Let rephrase this:

    If you download a Eicar test virus via HTTP, you can block this by enable "Scan HTTP and decrypted HTTPS". 

    If you download a Eicar Test virus via HTTPS, you can only block this by enable "Scan HTTP and decrypted HTTPS" AND enable a Decryption method like TLS/SSL Decryption rule. 

Children
  • 0 in reply to LuCar Toni

    I tested it by checking if I see the original TLS certificate or the one by the XG but your example with the Eicar test virus might be better.

    Your last sentence confirms that I need to enable "Scan HTTP and decrypted HTTPS" AND need a matching TLS Decryption rule. Thank you for that! A consultant keeps tells me that I only need a TLS Decryption rule but that is not what I am observing.