Skip to content

Add an SSL/TLS inspection rule

You can specify policy-driven inspection rules to establish inbound and outbound SSL and TLS connections over TCP between clients and web servers and decrypt the traffic.

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. For the rule to take effect, it must find a match in all of the specified criteria.

You can also add decryption profiles to enforce secure connections.

  1. Go to Rules and policies > SSL/TLS inspection rules and click Add.
  2. Enter the general details.

    Name Description
    Rule name Type a name.
    Rule position Specify the position of the rule in the rule table:
    • Top
    • Bottom
    Sophos Firewall evaluates rules in the listed order until it finds a match and doesn’t evaluate subsequent rules. To change the order of the rules later, you can drag and drop the rule in the rule table.
    Action Select the action:
    • Decrypt: Establishes connection and decrypts.
    • Don't decrypt: Establishes the connection and doesn’t decrypt. Use this to create an exclusion rule.
      Decryption profile restrictions also apply to rules with action set to Don't decrypt.
    • Deny: Doesn’t establish connection.

    For TLS 1.3 connections, you need to set the action to Decrypt in SSL/TLS inspection rules to do the following:
    • Apply the TLS compatibility setting Downgrade to TLS 1.2 and decrypt specified in SSL/TLS general settings.
    • Block certificate errors and apply the minimum RSA key size specified in decryption profiles.
    • Apply the block action Reject and notify specified in the decryption profile. If you apply such a decryption profile to SSL/TLS inspection rules with Don't decrypt or Deny action, Sophos Firewall applies the block action Reject.
    Log connections Select to log the connections.
    Decryption profile Select a decryption profile or create one. You can't edit the default profiles.

    Decryption profiles override the default SSL/TLS general settings for the re-signing CA and action for traffic we can't decrypt. They allow you to specify a policy-driven action for the rule.


    Sophos Firewall rejects connections using SSL 2.0 and 3.0, SSL compression, and unrecognized cipher suites if you set the action to Decrypt in SSL/TLS inspection rules.

    To allow these connections, create a decryption profile set to Allow without decryption. Add the profile to an SSL/TLS inspection rule with the action set to Don't decrypt.

  3. Select the source matching criteria.

    Name Description
    Source zones Select the zones from which traffic originates.

    You can select only internal zones, since SSL/TLS inspection rules apply only to outbound traffic.
    Source networks and devices Select the source networks and devices or create new ones.
    Users or groups Select the source users and groups. The rule will then apply only to traffic originating from the specified users.
  4. Select the destination and service matching criteria.

    Name Description
    Destination zones Select the destination zones of traffic.
    Destination networks Select the destination networks or create new ones.
    Services Select the services or create a new service. A service is a combination of protocols and ports.

    SSL/TLS connections aren’t enforced over UDP.
  5. Specify the settings for websites and web categories.

    Name Description
    Categories and websites Select the web categories and websites.

    To add an individual website, go to Web > URL groups or Categories and add the website to an existing or new object. You can then select the object in the SSL/TLS inspection rule. Sophos Firewall identifies web categories and websites based on the SNI (Server Name Indication) in the SSL/TLS handshake.


    Sophos Firewall enforces SSL/TLS inspection rules and the URL groups you specify if you have a Base License. You can configure web categories, but can't enforce them without a Web Protection license.

  6. Click Save.

More resources