help with DPI

Hello everyone,

I am brand new to Sophos. I have a home license version deployed in my home lab and am evaluating to see if I want to move my business over to Sophos from Fortinet. My issue is I don't think DPI is working. From everything I read, it is supposed to be on out of the box. I even turned off the exception rules. However, when I visit websites through it, I am still getting the original certificate signer without any warnings about the certificates, and I am not able to see the Sophos certificate signing anything. Web traffic is set to default policy. Am I missing something?

Thanks for the help.



This thread was automatically locked due to age.
  • Please post the version you are using and a copy of your firewall rule.

    ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thanks for replying.

    Version: SFVH (SFOS 19.5.0 GA-Build197)

    Rules are essentially out of the box fresh install.

    <?xml version="1.0" encoding="UTF-8"?>
    <Configuration APIVersion="1905.1" IPS_CAT_VER="0">
      <FirewallRule transactionid="">
        <Name>[example] Traffic to Internal Zones</Name>
        <Description>A disabled Firewall rule with the destination zone as LAN, WiFi, VPN
    or DMZ . Such rules would be added to Traffic to Internal Zones group on the first
    match basis if user selects automatic grouping option.</Description>
        <IPFamily>IPv4</IPFamily>
        <Status>Disable</Status>
        <Position>Top</Position>
        <PolicyType>User</PolicyType>
        <UserPolicy>
          <Action>Drop</Action>
          <LogTraffic>Enable</LogTraffic>
          <DestinationZones>
            <Zone>LAN</Zone>
            <Zone>DMZ</Zone>
            <Zone>WiFi</Zone>
            <Zone>VPN</Zone>
          </DestinationZones>
          <Schedule>All The Time</Schedule>
          <SkipLocalDestined>Disable</SkipLocalDestined>
          <MatchIdentity>Enable</MatchIdentity>
          <DataAccounting>Disable</DataAccounting>
          <ShowCaptivePortal>Enable</ShowCaptivePortal>
        </UserPolicy>
      </FirewallRule>
      <FirewallRule transactionid="">
        <Name>[example] Traffic to WAN</Name>
        <Description>A disabled Firewall rule with the destination zone as WAN. Such rules
    would be added to Traffic to WAN group on the first match basis if user selects
    automatic grouping option.</Description>
        <IPFamily>IPv4</IPFamily>
        <Status>Disable</Status>
        <Position>After</Position>
        <PolicyType>Network</PolicyType>
        <After>
          <Name>[example] Traffic to Internal Zones</Name>
        </After>
        <NetworkPolicy>
          <Action>Drop</Action>
          <LogTraffic>Enable</LogTraffic>
          <SkipLocalDestined>Disable</SkipLocalDestined>
          <DestinationZones>
            <Zone>WAN</Zone>
          </DestinationZones>
          <Schedule>All The Time</Schedule>
        </NetworkPolicy>
      </FirewallRule>
      <FirewallRule transactionid="">
        <Name>[example] Traffic to DMZ</Name>
        <Description>A disabled Firewall rule with the destination zone as DMZ. Such rules
    would be added to Traffic to DMZ group on the first match basis if user selects
    automatic grouping option.</Description>
        <IPFamily>IPv4</IPFamily>
        <Status>Disable</Status>
        <Position>After</Position>
        <PolicyType>User</PolicyType>
        <After>
          <Name>[example] Traffic to WAN</Name>
        </After>
        <UserPolicy>
          <Action>Drop</Action>
          <LogTraffic>Enable</LogTraffic>
          <DestinationZones>
            <Zone>DMZ</Zone>
          </DestinationZones>
          <Schedule>All The Time</Schedule>
          <SkipLocalDestined>Disable</SkipLocalDestined>
          <MatchIdentity>Enable</MatchIdentity>
          <DataAccounting>Disable</DataAccounting>
          <ShowCaptivePortal>Enable</ShowCaptivePortal>
        </UserPolicy>
      </FirewallRule>
      <FirewallRule transactionid="">
        <Name>Auto added firewall policy for MTA</Name>
        <Description>This rule was added automatically by SFOS MTA. However you could
    edit this policy based on network requirement.</Description>
        <IPFamily>IPv4</IPFamily>
        <Status>Enable</Status>
        <Position>After</Position>
        <PolicyType>Network</PolicyType>
        <After>
          <Name>[example] Traffic to DMZ</Name>
        </After>
        <NetworkPolicy>
          <Action>Accept</Action>
          <LogTraffic>Disable</LogTraffic>
          <SkipLocalDestined>Disable</SkipLocalDestined>
          <Schedule>All The Time</Schedule>
          <Services>
            <Service>SMTP</Service>
            <Service>SMTP(S)</Service>
          </Services>
          <DSCPMarking>-1</DSCPMarking>
          <WebFilter>None</WebFilter>
          <WebCategoryBaseQoSPolicy> </WebCategoryBaseQoSPolicy>
          <BlockQuickQuic>Disable</BlockQuickQuic>
          <ScanVirus>Disable</ScanVirus>
          <ZeroDayProtection>Disable</ZeroDayProtection>
          <ProxyMode>Disable</ProxyMode>
          <DecryptHTTPS>Disable</DecryptHTTPS>
          <ApplicationControl>None</ApplicationControl>
          <ApplicationBaseQoSPolicy> </ApplicationBaseQoSPolicy>
          <IntrusionPrevention>None</IntrusionPrevention>
          <TrafficShappingPolicy>None</TrafficShappingPolicy>
          <ScanSMTP>Enable</ScanSMTP>
          <ScanSMTPS>Enable</ScanSMTPS>
          <ScanIMAP>Disable</ScanIMAP>
          <ScanIMAPS>Disable</ScanIMAPS>
          <ScanPOP3>Disable</ScanPOP3>
          <ScanPOP3S>Disable</ScanPOP3S>
          <ScanFTP>Disable</ScanFTP>
          <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
          <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
          <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
          <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
        </NetworkPolicy>
      </FirewallRule>
      <FirewallRule transactionid="">
        <Name>#Default_Network_Policy</Name>
        <Description/>
        <IPFamily>IPv4</IPFamily>
        <Status>Enable</Status>
        <Position>After</Position>
        <PolicyType>Network</PolicyType>
        <After>
          <Name>Auto added firewall policy for MTA</Name>
        </After>
        <NetworkPolicy>
          <Action>Accept</Action>
          <LogTraffic>Disable</LogTraffic>
          <SkipLocalDestined>Disable</SkipLocalDestined>
          <SourceZones>
            <Zone>LAN</Zone>
          </SourceZones>
          <DestinationZones>
            <Zone>WAN</Zone>
          </DestinationZones>
          <Schedule>All The Time</Schedule>
          <DSCPMarking>-1</DSCPMarking>
          <WebFilter>Default Policy</WebFilter>
          <WebCategoryBaseQoSPolicy> </WebCategoryBaseQoSPolicy>
          <BlockQuickQuic>Enable</BlockQuickQuic>
          <ScanVirus>Enable</ScanVirus>
          <ZeroDayProtection>Enable</ZeroDayProtection>
          <ProxyMode>Disable</ProxyMode>
          <DecryptHTTPS>Disable</DecryptHTTPS>
          <ApplicationControl>None</ApplicationControl>
          <ApplicationBaseQoSPolicy> </ApplicationBaseQoSPolicy>
          <IntrusionPrevention>lantowan_general</IntrusionPrevention>
          <TrafficShappingPolicy>None</TrafficShappingPolicy>
          <ScanSMTP>Disable</ScanSMTP>
          <ScanSMTPS>Disable</ScanSMTPS>
          <ScanIMAP>Disable</ScanIMAP>
          <ScanIMAPS>Disable</ScanIMAPS>
          <ScanPOP3>Disable</ScanPOP3>
          <ScanPOP3S>Disable</ScanPOP3S>
          <ScanFTP>Disable</ScanFTP>
          <SourceSecurityHeartbeat>Disable</SourceSecurityHeartbeat>
          <MinimumSourceHBPermitted>No Restriction</MinimumSourceHBPermitted>
          <DestSecurityHeartbeat>Disable</DestSecurityHeartbeat>
          <MinimumDestinationHBPermitted>No Restriction</MinimumDestinationHBPermitted>
        </NetworkPolicy>
      </FirewallRule>
    </Configuration>
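
An added example, not part of the original posts and not Sophos tooling: one way to tabulate the web-inspection fields of an export like the one posted above, so each rule's `Status`, `WebFilter`, `ProxyMode` and `DecryptHTTPS` values can be read side by side. It uses only element names that appear in the posted XML; the function names and the shortened sample are constructed for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed, shortened sample using element names from the export posted above.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<Configuration APIVersion="1905.1" IPS_CAT_VER="0">
  <FirewallRule transactionid="">
    <Name>[example] Traffic to WAN</Name>
    <Status>Disable</Status>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
      <Action>Drop</Action>
    </NetworkPolicy>
  </FirewallRule>
  <FirewallRule transactionid="">
    <Name>#Default_Network_Policy</Name>
    <Status>Enable</Status>
    <PolicyType>Network</PolicyType>
    <NetworkPolicy>
      <Action>Accept</Action>
      <WebFilter>Default Policy</WebFilter>
      <ProxyMode>Disable</ProxyMode>
      <DecryptHTTPS>Disable</DecryptHTTPS>
    </NetworkPolicy>
  </FirewallRule>
</Configuration>"""

FIELDS = ("Action", "WebFilter", "ProxyMode", "DecryptHTTPS", "ScanVirus")

def summarize_rules(xml_text):
    """Return one dict per FirewallRule with its status and web-inspection fields."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    rows = []
    for rule in root.iter("FirewallRule"):
        # The policy body is <NetworkPolicy> or <UserPolicy>, named after PolicyType.
        policy = rule.find(rule.findtext("PolicyType", "") + "Policy")
        row = {"Name": rule.findtext("Name"), "Status": rule.findtext("Status")}
        for field in FIELDS:
            value = policy.findtext(field) if policy is not None else None
            row[field] = value.strip() if value else None  # None = absent from export
        rows.append(row)
    return rows

def enabled_without_decrypt(rows):
    """Names of enabled Accept rules whose DecryptHTTPS field is not 'Enable'."""
    return [r["Name"] for r in rows
            if r["Status"] == "Enable" and r["Action"] == "Accept"
            and r["DecryptHTTPS"] != "Enable"]

if __name__ == "__main__":
    for r in summarize_rules(SAMPLE):
        print(r)
```

The summary covers only what the firewall-rule export contains; settings stored elsewhere on the appliance are not visible to it.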
