SSL/TLS inspection rules

With SSL/TLS inspection rules, you can intercept and decrypt SSL and TLS connections over TCP, allowing Sophos Firewall to enforce secure connections between clients and web servers.

SSL/TLS inspection enables the prevention of malware transmitted through encrypted connections.

You can enforce policy-driven connections and decryption for SSL/TLS traffic based on the traffic and risk level.

SSL/TLS inspection rules don't affect the decryption of traffic handled by the web proxy. You specify the method of web filtering (web proxy or the DPI engine) in firewall rules. By default, Sophos Firewall uses the DPI engine, applying SSL/TLS inspection rules to traffic matching the firewall rule criteria.

SSL/TLS inspection rules are turned on by default for fresh installations. For deployments migrating from SFOS 17.5 and earlier, they're turned off by default. You can turn them on or off manually.

Warning

If SSL/TLS inspection rules are turned off, Sophos Firewall doesn't apply them to the connections. The control center and log viewer don't show the SSL/TLS connection and decryption details.

Warning

Android devices are known to generate SSL/TLS certificate errors, causing decryption to fail. We recommend creating an SSL/TLS exclusion list for all Android devices.

Self-signed versus trusted CA certificates

Sophos Firewall maintains the trust level of a TLS server certificate when allowing a TLS connection. This prevents endpoints behind the firewall from trusting a server certificate that the firewall doesn't trust.

Self-signed certificates

Some servers use a self-signed certificate instead of a certificate signed by a CA. Self-signed certificates allow end-to-end encryption but don't guarantee the website's identity. For these connections, Sophos Firewall only replaces the key in the certificate with the key used to re-encrypt the decrypted and inspected content, and signs the certificate with this key. It doesn't re-sign these certificates as the CA, and clients (for example, browsers) continue to see these as self-signed certificates.

Browsers then show a warning that the website's certificate wasn't issued by a trusted CA, allowing users to see that the original certificate is self-signed and must not be trusted.

See HTTPS decrypt and scan FAQs.

Certificates signed by a trusted CA

After decryption and inspection, Sophos Firewall signs these certificates as the CA, allowing users to determine that the original issuing authority is a trusted CA and that SSL/TLS inspection has taken place.

For connections that don't provide a trust chain tracing back to a CA trusted by the firewall, Sophos Firewall doesn't re-sign the certificate using local CAs. Certificates without a full trust chain are signed by a system-generated certificate whose CN contains an explanation of the problem.

Rule table actions

  • You can filter the rules by the source, destination, and rule ID.
  • To reset the rule filter, select Reset filter.

Click More options to specify the following actions:

  • To edit or delete a rule, select the action.
  • To clone or add a rule next to an existing rule, select the action.
  • To turn on or turn off a rule, select the switch.

To change the position of a rule, click and drag the Rule handle. Sophos Firewall evaluates rules from the top down until it finds a match. Once it finds a match for the packet, it doesn’t evaluate subsequent rules. Position the specific rules above the less specific rules.

SSL/TLS inspection rules

SSL/TLS inspection detects SSL/TLS traffic on any TCP port. Inspection rules apply to detected SSL/TLS connections. You can specify rules to decrypt traffic based on the source, destination, users and groups, services, websites, and web categories. For the rule to take effect, it must find a match in all the specified criteria.

You need to select a decryption profile for each rule to specify the action for traffic with issues, such as insecure protocol versions, SSL compression, unrecognized cipher suites, cipher algorithms to block, certificate errors, or connections that exceed the firewall's decryption capabilities. After decrypting and inspecting the traffic, Sophos Firewall re-encrypts the traffic with the re-signing certificate authority that you specify.

You can use SSL/TLS inspection rules in these cases:

  • Implement policy-driven decryption and meet compliance requirements.
  • Prevent malware transmission through encrypted traffic.
  • Apply web content policies to encrypted traffic to prevent unwanted uploads and downloads without obstructing general browsing.

Exclusions to SSL/TLS inspection rules

Sophos Firewall provides a default exclusion rule, Exclusions by website or category, that prevents connections to certain websites from being decrypted. The rule has action set to Don't decrypt and the decryption profile set to Maximum compatibility.

The rule is permanently positioned at the top of the SSL/TLS inspection rule table. SSL/TLS inspection rules are evaluated top down in the rule table.

The exclusion rule contains the following default exclusion lists:

  • Local TLS exclusion list: The list is empty by default. You can add websites to this list by troubleshooting in the Control center or Log viewer. To edit this list, go to Web > URL groups.

    Websites and browsers that use certificate pinning block the requested page fully or partially when SSL/TLS inspection is turned on. If an error message is shown, it may not show an identifiable reason. If you want to bypass SSL/TLS inspection, you can use the local TLS exclusion list to allow the domains.

  • Managed TLS exclusion list: The list contains websites known to be incompatible with SSL/TLS inspection and is updated through firmware updates.

Tip

To add websites to the exclusion rule or remove them, edit the rule and add or remove the web categories or URL groups. Alternatively, go to Web > URL groups and edit the group Local TLS exclusion list.

You can exclude web categories, URL groups, users, source and destination IP addresses, and networks by creating your own exclusion rules and placing them immediately below the default rule. Add only connections you don’t want to be decrypted by other SSL/TLS inspection rules to an exclusion rule.
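As an added example (not Sophos code, and not a description of how the firewall is implemented), this Python model of the rule table shows top-down first-match evaluation, URL group matching that includes subdomains, and a check for rules that can never match because a broader rule sits above them. The rule names other than the default exclusion rule, the domain `pinned-app.example`, the `finance` group, and the choice to treat website-or-category as a single criterion are assumptions of the model.

```python
from dataclasses import dataclass

def in_url_group(host, domains):
    # Plaintext domain entries also cover their subdomains.
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "decrypt" or "dont_decrypt"
    users: frozenset = frozenset()      # empty criterion means "any"
    domains: frozenset = frozenset()    # URL group entries
    categories: frozenset = frozenset()

    def matches(self, conn):
        # All specified criteria must match; website OR category is one criterion
        # (an assumption of this model).
        if self.users and conn["user"] not in self.users:
            return False
        if not (self.domains or self.categories):
            return True
        return (in_url_group(conn["host"], self.domains)
                or conn["category"] in self.categories)

def evaluate(rules, conn):
    # Top-down, first match wins; later rules are never consulted.
    return next((r for r in rules if r.matches(conn)), None)

def covers(a, b):
    # Sufficient test that every connection matching b also matches a.
    if a.users and not (b.users and b.users <= a.users):
        return False
    if not (a.domains or a.categories):
        return True
    return (bool(b.domains or b.categories)
            and all(in_url_group(d, a.domains) for d in b.domains)
            and b.categories <= a.categories)

def shadowed(rules):
    # (rule, earlier rule that always matches first) pairs.
    return [(b.name, a.name) for i, b in enumerate(rules)
            for a in rules[:i] if covers(a, b)]

RULES = [  # constructed table: a broad rule sits above a specific one
    Rule("Exclusions by website or category", "dont_decrypt",
         domains=frozenset({"pinned-app.example"})),
    Rule("Decrypt everything", "decrypt"),
    Rule("Finance banking", "dont_decrypt", users=frozenset({"finance"}),
         categories=frozenset({"Financial Services"})),
]
```

Running `shadowed(RULES)` reports that the finance rule is never reached; moving it directly below the default exclusion rule makes it take effect.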

SSL/TLS inspection rules are applied independently of firewall rules. Inspection rules continue to enforce the specified exclusions even if you don't select a web policy in firewall rules.

You can use both web exceptions and SSL/TLS exclusion rules to stop connections from being decrypted. For details of how they differ in enforcing HTTPS decryption-related exceptions, see the table below:

| | SSL/TLS exclusion list | Web exception |
|---|---|---|
| Processes you can exclude | HTTPS decryption; HTTPS certificate and protocol enforcement | HTTPS decryption; HTTPS certificate validation; Malware and content scanning; Zero-day protection; Web policy checks |
| Applies in this mode | DPI mode | DPI mode; Proxy mode |
| Applies to this traffic | SSL/TLS connections on any port. | DPI mode: SSL/TLS connections on any port. Proxy mode: SSL/TLS connections on port 443. |
| Matching criteria | URL group containing a list of websites (domain names) in plaintext. Includes the subdomains of these domains. | URL pattern matches using regular expressions. |
| Matching criteria | Web categories; Source and destination zones, networks, and IP addresses; Services; Users and groups | Web categories; Source and destination IP addresses and IP ranges |
| Where to add the exception | Add domains and subdomains to the Local TLS exclusion list by troubleshooting in the control center or log viewer. Go to Web > URL groups and add websites to a URL group being used by an exclusion rule. Create or edit SSL/TLS inspection rules. | Add to Web > Exceptions. |

SSL/TLS inspection settings

These settings apply to all SSL/TLS inspection rules. You can specify the re-signing certificate authorities (CAs), action for traffic we don’t decrypt, and the TLS downgrade setting. Inspection settings also allow you to turn off SSL/TLS inspection to troubleshoot errors.

Warning

We recommend that you turn SSL/TLS inspection back on after troubleshooting.

The decryption profile that you add to an inspection rule overrides the inspection settings.

Firewall rules and web proxy

Sophos Firewall applies the firewall rules first and then the SSL/TLS inspection rules. It applies the inspection rules in transparent mode based on the web proxy selection you make in the firewall rule.

Transparent mode: In the firewall rule, if you’ve selected decryption and scanning by web proxy, traffic over ports 80 and 443 is decrypted by the web proxy. SSL/TLS inspection rules will then be implemented only for web traffic over other ports.

Explicit mode: Decryption and scanning is performed by the web proxy.

Note

The web proxy uses the certificate specified in Web > General settings.

SSL/TLS inspection uses the certificates specified in SSL/TLS inspection settings and Decryption profiles.

Troubleshooting

To see if SSL/TLS connections have been exceeding the decryption limit, go to Control center and select the SSL/TLS connections widget.

To troubleshoot SSL/TLS errors, go to Control center, select the SSL/TLS connections widget, and select Fix errors in the upper-right corner.

If you don't see the connection and decryption details in the control center or the log viewer, make sure the following are turned on:

  • SSL/TLS inspection rules: Go to Rules and policies > SSL/TLS inspection rules and turn SSL/TLS inspection on.
  • SSL/TLS engine: Go to Rules and policies > SSL/TLS inspection rules > SSL/TLS inspection settings. Under Advanced settings > SSL/TLS engine, select Enabled.
