disable https scanning

I'm using Sophos XG and basically want to disable HTTPS (SSL) web filter scanning support so I don't have to deal with all those HTTPS certificate exceptions.


How can I do this?



  • Oh, just to kind of wrap this up- we wouldn't have had a problem with the hijacking if the performance wasn't so horrible. Even with HTTPS decryption turned off (which should just make it a passthrough service) it was taking 30+ seconds to load HTTPS websites behind these devices. It was horrible for our users. If the service would actually perform properly with decryption off we wouldn't have had to completely disable it.

  • I did some testing, and then updated my answer to be more accurate.  I apologize - I'm a web guy not a firewall guy and I should have tested before posting rather than the other way around.  :)


    The microapp-discovery issue is about trying to make it "home user" or anything.  In Cyberoam it was an override used by Sales Engineers as a proof-of-concept that forced microapp detection.  In XG, the firewall team understood it one way and the web team understood it a different way.  This ended up with a situation that worked, except in the case where the admin only wanted the HTTPS to pass through without going through the proxy.  We thought it would be fine even if it did go through the proxy, but in the real world some things (like Outlook Anywhere) don't like it.

    As for the performance problem that Robert experienced - this must be some other configuration issue.  Please don't suggest that the XG has a 30-second HTTPS performance problem.  Yes that might have been what you experienced but that is not normal.  It is something in the configuration.


  • > As for the performance problem that Robert experienced - this must be some other configuration issue.  Please don't suggest that the XG has a 30-second HTTPS performance problem.  Yes that might have been what you experienced but that is not normal.  It is something in the configuration.

    These are brand new devices and the only configuration we did with regards to the proxy was guided by your support. Bypassing the proxy following the steps you told me solved the problem, and when we enable the proxy (whose settings we have literally not changed at all) the SSL delay comes back.

    Make of that what you will, but in our experience the performance is awful. If you have suggestions on what configuration should be changed by all means let us know, but out of the box and following your company's support team's instructions to disable decryption it was unusable due to performance issues.

  • Michael,

    We really hope you fix the issue and improve the behavior in the next patch or v17.

    We do like to keep stuff on like micro-app.

    Keep us updated on this!

    Regards

  • XG 16.05 MR4 has a fix included (NC-13909) in it that improves the situation.

    On all boxes that upgrade to XG 16.05 MR4, the microapp-discovery flag in console has been migrated to be off by default.
    That means if you have no firewall rules that apply to HTTPS (port 443), then the HTTPS traffic should flow across with no interruption and the httpproxy will not try to give friendly error messages - which is the fix that was already presented here as a workaround.
    There are some additional changes in order to update application detection in HTTPS.  For example, in the UI the "Enable micro-app discovery" flag on Application Control filters is removed.

    If you want to use application detection then it respects your firewall rules.  
    If you have no firewall rules for HTTPS (port 443), then applications that use HTTPS are not detected.  
    If you have firewall rules for HTTPS, but no decryption, then applications that use HTTPS are detected by domain name only (eg Facebook).  
    If you have firewall rules for HTTPS, with decryption, then applications that use HTTPS are detected by full URL (eg Facebook Chat).  

    Anyone who has already implemented the workaround posted in this thread does not need to do anything.  However, for reference, the correct settings for all users with MR4 are:
    system application_classification microapp-discovery off
    system application_classification on

  • Hey Michael,

    I have a few questions because I am also having problems with disabling HTTPS scanning. Basically I don't want a

    1. If a firewall rule is configured as LAN to WAN with any services and it's user-based, will that data go through the proxy?

    2. If a web policy is applied to a LAN to WAN firewall rule with any services enabled, will that enable HTTPS scanning?

    3. Basically I want some users to have HTTPS scanning enabled so web filtering is more accurate, and for some users I don't want any HTTPS scanning or web filtering. So is that possible with the MR4 version? Because with the current MR3 version I am having trouble with this scenario. 

  • 1)
    If the firewall rule has Services Any, that includes the service HTTPS running on port 443.  So port 443 traffic will go through the httpproxy.

    2)
    Assuming (1) is true, there are three scenarios for HTTPS:
    a) You have "Decrypt and Scan HTTPS" off, and Web Policy set to None
    - You will get XG-generated error messages on HTTPS traffic, but not much else.

    b) You have "Decrypt and Scan HTTPS" off, and Web Policy set to some policy
    - You will get categorization enforcement based on domain name only (not path).

    c) You have "Decrypt and Scan HTTPS" on, and Web Policy set to some policy
    - You will get categorization enforcement based on path.  You will get virus scanning and filetype blocking.  You will get HTTPS-only features like SafeSearch.


    3)
    If you want absolutely no interference from the XG, the firewall rule that applies must not have services of Any, TCP, or HTTPS.
    If you want minimal interference from the XG, the firewall rule that applies can include those services, but no Web Policy.
    If you want low interference from the XG but still want to prevent them (eg) from visiting porn or malware sites, the firewall rule that applies can include those services, and a Web Policy.
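    The rules laid out in the MR4 post and in the three-scenario answer above can be checked offline before touching a box. The following is an added example, not Sophos code and not anything posted in this thread: a small Python model of how the thread says XG treats port 443 for a given user, with first-match rule order, the field names and the sample rules all being constructed assumptions.

```python
# Added example (not Sophos code): offline model of the HTTPS handling described
# in this thread, to sanity-check a planned rule set. Rule order, field names
# and the sample rules below are constructed assumptions.
from dataclasses import dataclass
from typing import Optional

PROXY_SERVICES = {"Any", "TCP", "HTTPS"}   # services that hand port 443 to httpproxy


@dataclass
class FirewallRule:
    name: str
    services: set                    # e.g. {"Any"}, {"HTTPS"}, {"DNS", "SMTP"}
    users: Optional[set] = None      # None = rule applies to every user
    web_policy: Optional[str] = None # None = Web Policy set to None
    decrypt_https: bool = False      # "Decrypt and Scan HTTPS"


def inspection_level(rule):
    """Behaviour for HTTPS under one matching rule, as the answer above describes."""
    if not rule.services & PROXY_SERVICES:
        return "bypass"                 # absolutely no interference from the XG
    if not rule.decrypt_https and rule.web_policy is None:
        return "errors-only"            # scenario a: XG error pages, nothing else
    if not rule.decrypt_https:
        return "domain-categorization"  # scenario b: category by domain, not path
    return "full-decrypt"               # scenario c: path, AV, filetype, SafeSearch


def app_detection(rule):
    """MR4 application detection granularity for HTTPS: none / domain / full URL."""
    if not rule.services & PROXY_SERVICES:
        return "none"
    return "full-url" if rule.decrypt_https else "domain"


def evaluate(rules, user):
    """Top-down, first rule matching the user applies (assumed ordering)."""
    for r in rules:
        if r.users is None or user in r.users:
            return (r.name, inspection_level(r), app_detection(r))
    return ("<no rule>", "no-match", "none")


# Constructed sample: one scanned user, one user meant to be fully bypassed
# (but whose rule still carries HTTPS, so it is NOT a bypass), everyone else
# filtered by domain only.
SAMPLE_RULES = [
    FirewallRule("finance-scanned", {"Any"}, {"alice"}, "Default", True),
    FirewallRule("devops-bypass", {"HTTPS"}, {"bob"}),
    FirewallRule("lan-to-wan", {"Any"}, None, "Default", False),
]
```

    Running evaluate(SAMPLE_RULES, "bob") shows the intended bypass rule still lands in httpproxy; only a rule whose services exclude Any, TCP and HTTPS returns "bypass".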

  • I find that after changing the uplink Port from the "WAN" zone to the "DMZ" zone, the policy that explicitly allows HTTPS will NOT do deep scanning.

    Not sure if it's because I'm using bridge mode in XG firewall.