disable https scanning

Question

I'm using Sophos XG and basically want to disable HTTPS (SSL) web filter scanning support so I don't want to deal with all those https certifacate exceptions. 
 
 How can i do this?

Michael Dunn · Answer

NOTE: This post has been updated to be more accurate. I apologize - I'm a web guy not a firewall guy and I should have tested before posting rather than the other way around. :) Basically, if HTTPS traffic on port 443 is going to go through the XG, it needs to have one of two things: A) Have a firewall rule that says HTTPS or TCP traffic is an allowed service Then, once it goes through the XG it could either pass though the web proxy, or it could just be forwarded. It will be sent to the web proxy in the following cases: 1) HTTPS Decrypt and Scan is on 2) Web Policy is selected (not None) 3) microapp-discovery is on * If you turn microapp-discovery off you need to make sure you still have a firewall rule that allows https. 
 * The future fix will turn this off by default and then make other changes so that the system works correctly when off 
 
 Can you take a look at your firewall for rules that apply to this traffic. Do you have any rule that has a Web Policy or has Decrypt and Scan HTTPS on? Do you have any rule that include HTTPS? 
 If the answer is no, then the reason is there. You need a rule that allows HTTPS to go across the firewall. 
 
 However this creates an interesting problem for us (people who are trying to fix stuff). How many other customers have firewall rules that don't have a firewall rule for web policy and don't have a rule for HTTPS, but unknowingly rely on the microapp-discovery behavior? If we deploy a fix so that port :443 doesn't go to the proxy when it doesn't need to are we going to break lots of other customers who don't have correct firewall rules? Ugh - the fix is now in jeopardy.

XueMin Li · Answer

I find that after changing uplink Port from "WAN" zone to "DMZ" zone, then the policy that explicitly allowing HTTPS will NOT do deep scanning. 
 Not sure if it's because I'm using bridge mode in XG firewall.

Aditya Patel · Answer

HI Huseyin, 
 
 Make sure you have checked the settings 
 1) You may disable the HTTPS malware scanning on your firewall rules. 
 2) Disable Micro - App scanning on your application filters 
 3) Run the command in console 
 console > system application_classification microapp-discovery off 
 You may verify the command by executing another command 
 console > system application_classification microapp-discovery show 
 These steps will ensure you will not encounter any HTTPS error except while accessing the user/XG portal.