
Decryption profiles

Decryption profiles enable you to enforce decryption settings on SSL/TLS connections.

  • To clone a decryption profile, click Clone.
  • To edit a decryption profile, click Edit.

You can specify the re-signing certificate authorities to sign SSL/TLS server certificates after Sophos Firewall intercepts, decrypts, and inspects secure traffic. You can also specify the action for traffic that can't be decrypted due to issues such as insecure protocol versions, unrecognized cipher suites, SSL compression, or connections that exceed the firewall's decryption capabilities.

You can specify the action for certificate validation errors and insecure cipher algorithms. You can also enforce an RSA key size and SSL/TLS versions to use.

Tip

When you specify a setting in both the decryption profile and SSL/TLS inspection settings, the setting in the decryption profile overrides the one in SSL/TLS inspection settings.

Note

You can't edit the default profiles.

The default profiles are as follows:

  • Maximum compatibility: Decrypts as many connections as possible. Doesn't restrict cipher usage.

  • Block insecure SSL: Prevents the use of weak ciphers. Allows non-decryptable traffic.

  • Strict compliance: Implements strict compliance. Use this to meet PCI DSS (Payment Card Industry Data Security Standard) specifications.
