Exclude a website from TLS inspection

You can exclude a website from TLS inspection so that it's not decrypted if Deep Packet Inspection (DPI) mode is turned on for web filtering.

There are various ways to achieve this, so we recommend considering the performance implications of each method.

Add a regular expression to a web exception

  1. Create a web exception. See Add an exception.
  2. Under URL pattern matches, add a regular expression (regex). Follow the same regex pattern used in the existing rules.

    Example

    ^([A-Za-z0-9.-]*\.)?microsoft\.com/

    The firewall performs a regex text match on the domain name using Server Name Indication (SNI). The caret ^ at the front is important for maximum efficiency and security: it anchors the pattern to the start of the name, so only the domain itself and its subdomains match, not an unrelated domain that merely contains the text.

    Web exceptions that include regex wildcards are processed more slowly. Additionally, if the regex isn't written correctly, the web exception may be significantly less efficient.
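    The following is an added example, not part of this documentation or of the firewall's code: it builds a web exception pattern in the same shape as the one above and checks it against constructed SNI hostnames, contrasting the anchored pattern with an unanchored variant. It assumes the pattern is matched against the SNI hostname followed by a trailing slash, as the example pattern's trailing `/` suggests.

```python
import re

# Pattern from the page, and a deliberately unanchored variant constructed
# here only to show what the leading caret prevents.
ANCHORED = r"^([A-Za-z0-9.-]*\.)?microsoft\.com/"
UNANCHORED = r"([A-Za-z0-9.-]*\.)?microsoft\.com/"


def exception_pattern(domain: str) -> str:
    """Build a web exception regex in the same shape as the existing rules:
    anchored, optional subdomain prefix, dots escaped, trailing slash."""
    return r"^([A-Za-z0-9.-]*\.)?" + re.escape(domain.lower()) + "/"


def sni_target(hostname: str) -> str:
    """String the pattern is tested against. Assumption: the SNI hostname,
    lower-cased (DNS names are case-insensitive) and followed by '/'."""
    return hostname.lower().rstrip(".") + "/"


def matches(pattern: str, hostname: str) -> bool:
    """True if the exception pattern matches this SNI hostname."""
    return re.search(pattern, sni_target(hostname)) is not None


def classify(hostnames, pattern=ANCHORED):
    """Map each SNI hostname to whether the exception would skip decryption."""
    return {h: matches(pattern, h) for h in hostnames}


# Constructed sample SNI values: hosts that should be excluded from
# decryption, and look-alikes that must still be inspected.
SAMPLE_SNI = [
    "microsoft.com",
    "WWW.Microsoft.COM",
    "login.live.microsoft.com",
    "notmicrosoft.com",             # no dot before "microsoft": prefix look-alike
    "microsoft.com.evil.example",   # real registrable domain is evil.example
]

if __name__ == "__main__":
    for host, excluded in classify(SAMPLE_SNI).items():
        print(f"{host:30} anchored -> {'skip decryption' if excluded else 'inspect'}")
    # The unanchored variant wrongly excludes the prefix look-alike.
    print("notmicrosoft.com, unanchored ->", matches(UNANCHORED, "notmicrosoft.com"))
```

The trailing `/` in the pattern is what stops `microsoft.com.evil.example` from matching, while the leading `^` is what stops `notmicrosoft.com`.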

Add a URL group to the local TLS exclusion list

  1. Create a URL group. See Add a URL group.
  2. Add an SSL/TLS inspection rule with Action set to Don't decrypt, and add the URL group in Categories and websites.

The firewall uses SNI to perform a text-string match on the domain name.

This is the most efficient way to exclude destinations, as the firewall is optimized for SNI matching.

Add an IP host object to an SSL/TLS inspection rule

  1. Create an IP host object. See Add IP host.

  2. Add an SSL/TLS inspection rule with Action set to Don't decrypt, and add the IP host object to Destination networks. See Add an SSL/TLS inspection rule.

An IP host is a single static IP address. Adding static IP addresses for destination or source networks is approximately as efficient as using an exception.

Add an FQDN host object to an SSL/TLS inspection rule

  1. Create an FQDN host object. See Add an FQDN host.
  2. Add an SSL/TLS inspection rule with Action set to Don't decrypt, and add the FQDN host object to Destination networks. See Add an SSL/TLS inspection rule.

FQDN hosts require DNS lookups. See FQDN host. Adding FQDN hosts to Destination networks or Source networks is significantly less efficient than the other methods, because it requires multiple DNS lookups. For example, if you exclude 200 FQDNs, that results in 200 lookups for every new SSL/TLS connection.

Performance considerations

  • We recommend that you don't use FQDN hosts, as the other methods are more efficient.
  • Instead of using SSL/TLS inspection rules with an FQDN host in the destination networks, we recommend adding a URL group to the local TLS exclusion list.
  • Instead of using SSL/TLS inspection rules with an FQDN host in the source networks, we recommend using an IP host or adding a web exception.

    Note

    Source and destination exceptions can't be combined.

  • The exclusion list and web exception require that the website is defined by SNI. If it isn't, you can use an IP host or FQDN host.

  • If you're adding a web exception, your regex must use the same format as the regex in the existing rules. A poorly written regex performs poorly.