SSL/TLS inspection rules

With SSL/TLS inspection rules, you can intercept and decrypt SSL and TLS connections over TCP, enabling XG Firewall to enforce secure connections between clients and web servers.

SSL/TLS inspection lets you prevent malware from being transmitted through encrypted connections.

You can enforce policy-driven connections and decryption for inbound and outbound SSL/TLS traffic based on the traffic and risk level.

SSL/TLS inspection rules don't affect the decryption of traffic handled by the web proxy. You specify the method of web filtering (web proxy or the DPI engine) in firewall rules. By default, XG Firewall uses the DPI engine, applying SSL/TLS inspection rules to traffic matching the firewall rule criteria.

SSL/TLS inspection rules are turned on by default for fresh installations. For deployments migrating from SFOS 17.5 and earlier, they're turned off by default. You can turn them on or off manually.

CAUTION When SSL/TLS inspection rules are turned off, XG Firewall won't apply them to the connections. The control center and log viewer won't show the SSL/TLS connection and decryption details.

Warning Android devices are known to generate SSL/TLS certificate errors, causing decryption to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

Rule table actions

  • You can filter the rules by the source, destination, and rule ID.
  • To reset the rule filter, select Reset filter.

Click the More options button to specify the following actions:

  • To edit or delete a rule, select the action.
  • To clone or add a rule next to an existing rule, select the action.
  • To turn on or turn off a rule, select the switch.

To change the position of a rule, drag and drop the Rule handle button. XG Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn't evaluate subsequent rules. Position more specific rules above less specific rules.

SSL/TLS inspection rules

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. To take effect, the rule must find a match in all criteria.

You need to select a decryption profile for each rule to specify the action for traffic with issues, such as insecure protocol versions, SSL compression, unrecognized cipher suites, cipher algorithms to block, certificate errors, or connections that exceed the firewall's decryption capabilities. After decrypting and inspecting the traffic, XG Firewall re-encrypts the traffic with the re-signing certificate authority that you specify.

You can use SSL/TLS inspection rules in these cases:

  • Implement policy-driven decryption and meet compliance requirements.
  • Prevent malware transmission through encrypted traffic.
  • Apply web content policies to encrypted traffic to prevent unwanted uploads and downloads without obstructing general browsing.

Exclusions to SSL/TLS inspection rules

XG Firewall provides a default exclusion rule Exclusions by website or category that prevents connections to certain websites from being decrypted. The rule has action set to Don't decrypt and the decryption profile set to Maximum compatibility.

The rule is permanently positioned at the top of the SSL/TLS inspection rule table. SSL/TLS inspection rules are evaluated top down in the rule table.

The exclusion rule contains the following default exclusion lists:

  • Local TLS exclusion list: The list is empty by default. You can add websites to this list by troubleshooting in the Control center or Log viewer. To edit this list, go to Web > URL groups.

    Websites and browsers that use certificate pinning block the requested page fully or partially when SSL/TLS inspection is turned on. If an error message is shown, it may not show an identifiable reason. If you want to bypass SSL/TLS inspection, you can use the local TLS exclusion list to whitelist the domains.

  • Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/TLS inspection and is updated through firmware updates.

Tip To add websites to the exclusion rule or remove them, edit the rule and add or remove the web categories or URL groups. Alternatively, go to Web > URL groups and edit the group Local TLS exclusion list.

You can exclude web categories, URL groups, users, source and destination IP addresses and networks by creating your own exclusion rules and placing them immediately below the default rule. Add only connections you don’t want to be decrypted by other SSL/TLS inspection rules to an exclusion rule.
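The rule-table behaviour described above (the default exclusion rule pinned at the top, custom exclusions directly below it, top-down first-match evaluation, a match required in every criterion a rule sets, and URL-group entries covering their subdomains) as an added toy model in Python; this is illustrative code, not Sophos code, and the rule names, hosts, users and categories are constructed. It assumes, as a modelling choice, that a criterion left unset matches any connection.

```python
# Added example, not Sophos code: a toy model of SSL/TLS inspection rule evaluation.
# Rule names, hosts, users and categories below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

ANY = None  # modelling assumption: a criterion left unset matches any connection

def host_in_list(host: str, domains: set) -> bool:
    """A URL-group entry matches the listed domain and all of its subdomains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

@dataclass
class Rule:
    name: str
    action: str                       # "decrypt" or "dont_decrypt"
    src_nets: Optional[set] = ANY     # source networks (plain labels here)
    users: Optional[set] = ANY        # users and groups
    services: Optional[set] = ANY     # destination TCP ports (any port is inspected)
    websites: Optional[set] = ANY     # URL group of domain names
    categories: Optional[set] = ANY   # web categories

    def matches(self, conn: dict) -> bool:
        # Every criterion the rule sets must match; one miss and the rule is skipped.
        return all([
            self.src_nets is ANY or conn["src_net"] in self.src_nets,
            self.users is ANY or conn["user"] in self.users,
            self.services is ANY or conn["dst_port"] in self.services,
            self.websites is ANY or host_in_list(conn["sni"], self.websites),
            self.categories is ANY or conn["category"] in self.categories,
        ])

def evaluate(rules: list, conn: dict) -> tuple:
    """Top-down, first match wins: later rules are not evaluated at all."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return "no-match", "dont_decrypt"  # constructed: unmatched traffic is left encrypted

# Constructed rule table: the default exclusion rule pinned at the top, a more
# specific custom exclusion directly below it, then the broad decrypt rule.
RULES = [
    Rule("Exclusions by website or category", "dont_decrypt",
         websites={"pinned-app.example", "bank.example"}),
    Rule("Exclude backup service account", "dont_decrypt", users={"svc-backup"}),
    Rule("Decrypt LAN to WAN", "decrypt", src_nets={"LAN"}),
]
```

Call evaluate(RULES, conn) with a dict holding src_net, user, dst_port, sni and category to see which rule a connection hits and whether it would be decrypted.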

SSL/TLS inspection rules are applied independently of firewall rules. Inspection rules continue to enforce the specified exclusions even if you don't select a web policy in firewall rules.

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

Processes you can exclude
  • SSL/TLS exclusion list: HTTPS decryption; HTTPS certificate and protocol enforcement.
  • Web exception: HTTPS decryption; HTTPS certificate validation; malware and content scanning; Sandstorm; web policy checks.

Applies in this mode
  • SSL/TLS exclusion list: DPI mode.
  • Web exception: DPI mode and proxy mode.

Applies to this traffic
  • SSL/TLS exclusion list: SSL/TLS connections on any port.
  • Web exception: In DPI mode, SSL/TLS connections on any port. In proxy mode, SSL/TLS connections on port 443.

Matching criteria
  • SSL/TLS exclusion list: URL group containing a list of websites (domain names) in plaintext, including the subdomains of these domains; web categories; source and destination zones, networks, and IP addresses; services; users and groups.
  • Web exception: URL pattern matches using regular expressions; web categories; source and destination IP addresses and IP ranges.

Where to add the exception
  • SSL/TLS exclusion list: Add domains and subdomains to the Local TLS exclusion list by troubleshooting in the Control center or Log viewer. Go to Web > URL groups and add websites to a URL group being used by an exclusion rule. Create or edit SSL/TLS inspection rules.
  • Web exception: Add to Web > Exceptions.

SSL/TLS inspection settings

These settings apply to all SSL/TLS inspection rules. You can specify the re-signing certificate authorities (CAs), the action for traffic that isn't decrypted, and the TLS downgrade setting. Inspection settings also allow you to turn off SSL/TLS inspection to troubleshoot errors.

CAUTION We recommend that you turn SSL/TLS inspection back on after troubleshooting.

The decryption profile that you add to an inspection rule overrides the inspection settings.

Firewall rules and web proxy

XG Firewall applies the firewall rules first and then the SSL/TLS inspection rules. It applies the inspection rules in transparent mode based on the web proxy selection you make in the firewall rule.

Transparent mode: In the firewall rule, if you've selected decryption and scanning by web proxy, traffic over ports 80 and 443 is decrypted by the web proxy. SSL/TLS inspection rules then apply only to web traffic over other ports.

Explicit mode: Decryption and scanning is performed by the web proxy.

Note The web proxy uses the certificate specified in Web > General settings.

SSL/TLS inspection uses the certificates specified in SSL/TLS inspection settings and Decryption profiles.

Troubleshooting

To see if SSL/TLS connections have been exceeding the decryption limit, go to Control center and select the SSL/TLS connections widget.

To troubleshoot SSL/TLS errors, go to Control center, select the SSL/TLS connections widget, and select Fix errors in the upper-right corner.

If you don't see the connection and decryption details in the control center or the log viewer, make sure the following are turned on:
  • SSL/TLS inspection rules: Go to Rules and policies > SSL/TLS inspection rules and turn the SSL/TLS inspection switch on.
  • SSL/TLS engine: Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings. Under Advanced settings > SSL/TLS engine, select Enabled.

SSL/TLS inspection rules and the SSL/TLS engine

SSL/TLS inspection: You can turn SSL/TLS inspection rules on or off. For deployments migrating from SFOS 17.5, the inspection rules are turned off by default to prevent potential behavioral changes during the upgrade.

You must turn SSL/TLS inspection on to enable the new XStream SSL/TLS decryption functionality, including showing SSL/TLS connection statistics on the Control center.

When SSL/TLS inspection is set to On, XG Firewall works as follows:

  • Inspects all traffic and identifies SSL/TLS connections.
  • Applies SSL/TLS decryption rules and logs connections as required by the rules.
  • Updates SSL/TLS connection statistics and shows them on the Control center.

When SSL/TLS inspection is set to Off, XG Firewall works as follows:

  • Doesn't evaluate or apply SSL/TLS decryption rules.
  • The DPI engine doesn't decrypt SSL/TLS connections. XG Firewall still decrypts connections handled by the web proxy based on the firewall rule settings.
  • Doesn't gather any SSL/TLS statistics and no longer updates the statistics shown on the Control center.
  • For traffic matching firewall rules that have a web policy specified, and are not configured to use the web proxy, the DPI engine still uses SSL/TLS inspection to enforce the policy on non-decrypted HTTPS connections.

SSL/TLS engine: You can enable or disable the SSL/TLS engine in SSL/TLS inspection settings. When you disable the engine, XG Firewall won't use the SSL/TLS inspection engine at all. Use this option only for troubleshooting purposes based on advice from Sophos Support. When the engine is disabled, XG Firewall does the following:

  • Won't evaluate or apply SSL/TLS decryption rules.
  • Decrypts only traffic handled by the web proxy as specified in the firewall rules.
  • Won't gather any SSL/TLS connection statistics and no longer updates the statistics shown on the Control center.
  • The DPI engine won't apply web policies to any HTTPS traffic. This applies to traffic matching firewall rules that have a web policy specified, and haven't specified web proxy filtering.