SSL / TLS exclusions required for registration with Sophos Central
Sophos Switch devices try to register with Sophos Central the first time they start.
For this purpose, they contact the following FQDNs:
sophos.jfrog.io
jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com
When the connection to sophos.jfrog.io is blocked, the switch can't register itself with Sophos Central.
When the connection to jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com is blocked, the switch can't verify that the latest firmware is installed.
When the switch can't access either of these URLs, the following log entry is shown on the Sophos switch:
DOWNLOADER error Failed to download the package. HTTP: 000
To add exclusions in Sophos Firewall, do as follows:
- Connect to your firewall.
- Go to Web > URL groups.
- Click Add.
- Enter a URL group name.
- For Domain name to match, add the following domains:
  *.sophos.com
  sophos.jfrog.io
  jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com
- Click Save.
- Go to Rules and policies > SSL/TLS inspection rules.
- Find and edit the built-in rule Exclusions by website.
- Under Categories and websites, click Add new item.
- Search for the URL group name you created and select it.
- Click Apply 1 selected items.
- Click Save.
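One way to check that the exclusion took effect, as an added example that is not part of the Sophos documentation: run it from a client whose traffic passes through the same firewall rules as the switch. `INSPECTION_CA` is a placeholder for the name of your firewall's TLS inspection signing CA, and the function names and sample certificates are this example's own.

```python
import socket
import ssl

# The two FQDNs come from the page; all other names are assumptions of this example.
SWITCH_FQDNS = ["sophos.jfrog.io",
                "jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com"]
INSPECTION_CA = "Example-Inspection-CA"  # placeholder: your firewall's signing CA name

def issuer_text(cert):
    """Join the issuer fields of an ssl getpeercert() dict into one string."""
    return ", ".join(f"{k}={v}" for rdn in cert.get("issuer", ()) for k, v in rdn)

def classify(cert, inspection_ca=INSPECTION_CA):
    """'inspected' if the firewall's CA issued the certificate, else 'excluded'."""
    return "inspected" if inspection_ca.lower() in issuer_text(cert).lower() else "excluded"

def probe(host, timeout=5):
    """Handshake with host:443 and return (verdict, detail)."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return classify(cert), issuer_text(cert)
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted by this client: one common cause is traffic re-signed
        # by an inspection CA that the client has not imported.
        return "untrusted-chain", exc.verify_message
    except OSError as exc:
        # DNS failure, timeout, reset or refused connection.
        return "unreachable", str(exc)

# Constructed sample certificates in getpeercert() format (not real captures).
SAMPLE_RESIGNED = {"issuer": ((("organizationName", "Example Corp"),),
                              (("commonName", "Example-Inspection-CA"),))}
SAMPLE_ORIGINAL = {"issuer": ((("organizationName", "Example Public CA"),),
                              (("commonName", "Example Public CA R1"),))}

if __name__ == "__main__":
    print("sample re-signed:", classify(SAMPLE_RESIGNED))
    print("sample original: ", classify(SAMPLE_ORIGINAL))
    for fqdn in SWITCH_FQDNS:
        print(fqdn, *probe(fqdn))
```

With the exclusion in place, both FQDNs should report `excluded` with a public CA as issuer; `inspected` or `untrusted-chain` indicates the connection is still being decrypted and re-signed.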
Non-Sophos Firewall OS devices
Refer to your firewall's documentation on how to exclude traffic from inspection.