
disable https scanning

I'm using Sophos XG and basically want to disable HTTPS (SSL) web filter scanning support so that I don't have to deal with all those HTTPS certificate exceptions.

 

How can I do this?



  • Does this actually disable the proxy from transparently grabbing the traffic or does it simply turn off the decryption portion of it? We followed this advice but all HTTPS sites are now taking a long time to establish their connections for users behind the XG devices.

  • NOTE: This post has been updated to be more accurate.  I apologize - I'm a web guy not a firewall guy and I should have tested before posting rather than the other way around.  :)


    Basically, if HTTPS traffic on port 443 is going to go through the XG, it needs to have one of two things:
    A) Have a firewall rule that says HTTPS or TCP traffic is an allowed service

    Then, once it goes through the XG it could either pass through the web proxy, or it could just be forwarded.  It will be sent to the web proxy in the following cases:
    1) HTTPS Decrypt and Scan is on
    2) Web Policy is selected (not None)
    3) microapp-discovery is on *

    If you turn microapp-discovery off you need to make sure you still have a firewall rule that allows https.

    * The future fix will turn this off by default and then make other changes so that the system works correctly when off

     

    Can you take a look at your firewall for rules that apply to this traffic?
    Do you have any rule that has a Web Policy or has Decrypt and Scan HTTPS on?
    Do you have any rule that includes HTTPS?

    If the answer is no, then the reason is there.  You need a rule that allows HTTPS to go across the firewall.

     

    However this creates an interesting problem for us (people who are trying to fix stuff).  How many other customers have firewall rules that don't have a firewall rule for web policy and don't have a rule for HTTPS, but unknowingly rely on the microapp-discovery behavior?  If we deploy a fix so that port :443 doesn't go to the proxy when it doesn't need to are we going to break lots of other customers who don't have correct firewall rules?  Ugh - the fix is now in jeopardy.
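The proxy-or-forward logic in the reply above is easy to get wrong while clicking through rules one at a time, so here is a small model of it as an added example. This is not Sophos code and not XG's rule schema: the Rule fields, the service names treated as matching TCP/443 ("HTTPS", "TCP", "Any") and the sample rule set are all assumptions made for the illustration. It reports which rules pull port 443 into the web proxy, which rules reference a given web policy (the lookup the later post complains the UI does not offer), and what happens to HTTPS once microapp-discovery is turned off.

```python
"""Model of XG's handling of outbound TCP/443 as described in the reply above.
Added example, not Sophos code; field names and service labels are assumed."""
from dataclasses import dataclass
from typing import List, Optional

# Assumption: these service labels match TCP/443 ("TCP" and "Any" as catch-alls).
HTTPS_SERVICES = {"HTTPS", "TCP", "Any"}


@dataclass
class Rule:
    name: str
    services: tuple                    # e.g. ("HTTPS",), ("HTTP", "HTTPS"), ("Any",)
    web_policy: Optional[str] = None   # None stands for "Web Policy: None"
    decrypt_and_scan: bool = False     # the "Decrypt and Scan HTTPS" toggle


def allows_https(rule: Rule) -> bool:
    """Case A in the reply: the rule admits HTTPS (or all TCP) as a service."""
    return bool(HTTPS_SERVICES & set(rule.services))


def rule_proxies_https(rule: Rule) -> bool:
    """Cases 1 and 2: the rule itself sends matched 443 traffic to the web proxy."""
    return allows_https(rule) and (rule.decrypt_and_scan or rule.web_policy is not None)


def https_disposition(rules: List[Rule], microapp_discovery: bool) -> str:
    """Return "proxy", "forward" or "drop" for outbound TCP/443 under this rule set.

    Case 3 follows the reply's last paragraph: with microapp-discovery on, 443 is
    taken by the proxy even when no rule explicitly allows HTTPS; once it is off,
    the rule set must allow HTTPS itself or the traffic has no path through.
    """
    if any(rule_proxies_https(r) for r in rules):
        return "proxy"
    if microapp_discovery:
        return "proxy"
    if any(allows_https(r) for r in rules):
        return "forward"
    return "drop"


def proxying_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that, on their own, push HTTPS through the web proxy."""
    return [r.name for r in rules if rule_proxies_https(r)]


def rules_using_policy(rules: List[Rule], policy: str) -> List[str]:
    """Names of rules that reference the given web policy."""
    return [r.name for r in rules if r.web_policy == policy]


def clear_web_policies(rules: List[Rule]) -> List[Rule]:
    """The change the thread converges on: set Web Policy to None everywhere."""
    return [Rule(r.name, r.services, None, r.decrypt_and_scan) for r in rules]


# Constructed rule set for the demonstration (not from any real appliance).
RULES = [
    Rule("LAN to WAN", services=("Any",)),
    Rule("Guest web", services=("HTTP", "HTTPS"), web_policy="Default Workplace Policy"),
    Rule("Servers out", services=("HTTPS",)),
]

if __name__ == "__main__":
    print("rules proxying 443:", proxying_rules(RULES))
    print("rules using 'Default Workplace Policy':",
          rules_using_policy(RULES, "Default Workplace Policy"))
    fixed = clear_web_policies(RULES)
    print("policies cleared, microapp on :", https_disposition(fixed, True))
    print("policies cleared, microapp off:", https_disposition(fixed, False))
    # A rule set with no HTTPS allow only keeps working while microapp-discovery is on.
    no_https = [Rule("DNS only", services=("DNS",))]
    print("no HTTPS rule, microapp on :", https_disposition(no_https, True))
    print("no HTTPS rule, microapp off:", https_disposition(no_https, False))
```

The last two lines of the run are the point of the reply's closing paragraph: a rule set that never allows HTTPS explicitly works only because microapp-discovery hands 443 to the proxy, and a fix that stops doing that would turn "proxy" into "drop" for such customers.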

  • Honestly at this point I'm regretting not throwing a fit when we were given the XG devices instead of UTM ones (this is an issue with our vendor, not with Sophos). I can honestly say that after this experience I will never purchase an XG line again.

    It turns out it was still enabled because we had a web profile in use somewhere. I will say that the policy selection UI is awful: you can see which policies are in use but you can't just click on that policy to see where it is in use or to disable it from there. Instead you have to individually check each firewall rule for it (which is its own nightmare since you've disabled the back button for the firewall rule page). It also means we can't scan HTTP traffic without scanning HTTPS as well.

    Things are definitely faster now, but I am really shocked at just how low the quality of these devices is compared to the UTMs, and I'm going to try to reach out to support and the vendor to see if we can swap out for the UTM instead. I really hope there aren't any plans to get rid of the UTM line completely because I don't think we'll ever be willing to buy an XG device after having used both.
