XGS Firewall - Application Sync - SSL-Inspection - Rules?

Hello Sophos Community,

I have a question about designing specific rules for applications that are not transparent about how they handle SSL fingerprinting.

Example:

From: LAN Zone - From: Specific Host - With Application A (Application RULE 1) - To: WAN Zone - To: Specific Host - With: Protocol A-B-C
Disable DPI and Proxy SSL-Inspection

Everything else:

Example:

From: LAN Zone - From: Any Host - With diverse set of Applications (Application RULE 2) - To: WAN Zone - To: Any - With: Protocol A-B-C 

The applications are synced from Intercept X Adv. with XDR to the appliance, and there are specific application rules:

Example:
Rule 1 - Has an allow for the Application that needs NO SSL-Inspection

Rule 2 - Has all the other Applications that are Sanctioned and specified with SSL-Inspection

The reason is the following:

The application also connects to IP addresses that change over time, plus it does not like to be SSL-inspected. I tried rule exclusions for the SSL inspection, but since the IP address changes over time it is a very daunting task...

Best regards

Val.

  • SFOS works on a port level and applies policies to allow/deny certain applications. So to speak, most applications are working on 443 nowadays, therefore you cannot allow/deny based on SSL inspection. The problem is, the decision to do or don't do SSL inspection has to be done early on, otherwise the application will fail. Therefore you cannot rely on application methods in that term.

    You can do the SNI (server name identification) which is likely the same in this situation. Therefore exclude it from TLS exceptions. 

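An added example (not from this thread or from Sophos) of the point made in the reply: the inspect/bypass decision can be taken from the very first client packet, because the SNI travels in clear text inside the TLS ClientHello, so a TLS exception can key on the host name instead of on IP addresses that keep changing. The host names and the `*.suffix` wildcard convention are assumptions for illustration.

```python
# Added example, not from the thread or from SFOS: parse the SNI out of a TLS
# ClientHello and decide "bypass" or "inspect" before any application traffic exists.
import struct

def build_client_hello(server_name: str) -> bytes:
    """Constructed minimal TLS 1.2 ClientHello record carrying one SNI extension."""
    host = server_name.encode()
    sni_list = b"\x00" + struct.pack("!H", len(host)) + host          # name_type = host_name
    sni_ext = (struct.pack("!HH", 0x0000, len(sni_list) + 2)           # ext type 0 = server_name
               + struct.pack("!H", len(sni_list)) + sni_list)
    body = (b"\x03\x03" + b"\x00" * 32                                # client version + random
            + b"\x00"                                                  # session id length = 0
            + b"\x00\x02\x13\x01"                                      # one cipher suite
            + b"\x01\x00"                                              # compression: null
            + struct.pack("!H", len(sni_ext)) + sni_ext)               # extensions block
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body          # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake

def extract_sni(record: bytes):
    """Return the SNI host name from a TLS ClientHello record, or None if absent/malformed."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None                                                # not a handshake / ClientHello
        pos = 43                                                       # record hdr + hs hdr + version + random
        pos += 1 + record[pos]                                         # skip session id
        pos += 2 + struct.unpack("!H", record[pos:pos + 2])[0]          # skip cipher suites
        pos += 1 + record[pos]                                         # skip compression methods
        ext_end = pos + 2 + struct.unpack("!H", record[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= ext_end:
            etype, elen = struct.unpack("!HH", record[pos:pos + 4])
            if etype == 0x0000 and elen >= 5:                          # server_name extension
                name_len = struct.unpack("!H", record[pos + 7:pos + 9])[0]
                return record[pos + 9:pos + 9 + name_len].decode("ascii", "replace")
            pos += 4 + elen
    except (IndexError, struct.error):
        pass                                                           # truncated or not a ClientHello
    return None

def inspection_decision(record: bytes, exclusions) -> str:
    """'bypass' when the SNI matches an exclusion (exact or *.suffix), otherwise 'inspect'."""
    sni = extract_sni(record)
    if sni is None:
        return "inspect"                                               # no SNI: fall back to the default policy
    host = sni.lower()
    for rule in exclusions:
        rule = rule.lower()
        if host == rule or (rule.startswith("*.") and host.endswith(rule[1:])):
            return "bypass"
    return "inspect"
```

A real appliance applies the same idea at the policy layer; the gain over an IP-based exception is that the match survives the application's address changes.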