
Configure SSL/TLS inspection and decryption

You can configure SSL/TLS inspection and HTTPS decryption in DPI and web proxy modes.

After decrypting secure web content, Sophos Firewall encrypts the content again using certificates signed by the signing CA you configure. To prevent untrusted certificate errors, you must install that signing CA on users' endpoints.

Do as follows:

  1. Check if you have the default SNAT rule to masquerade traffic.
  2. Configure a web policy.
  3. Configure a firewall rule for web filtering.
  4. Apply the inspection and decryption rules and settings.
  5. Download the signing CA.
  6. Install it on users' endpoints.

Check the SNAT rule

  1. Go to Rules and policies > NAT rules.
  2. Check the rule list for Default SNAT IPv4.

    This is a default SNAT rule to masquerade outgoing IPv4 traffic.

  3. If you don't have the rule or want to create a rule for IPv6 traffic, do as follows:

    1. Click IPv4 or IPv6 above the NAT rule list.
    2. Click Add NAT rule and click New NAT rule.
    3. Enter a name.
    4. Set Translated source (SNAT) to MASQ.
    5. Click Save.

Add a web policy

This example shows how to add a web policy rule using web categories:

  1. Go to Web > Policies and click Add.
  2. Enter a name.
  3. Click Add rule.
  4. Under Users, click the drop-down list, clear Anybody, and click Add new item.
  5. Select the users and groups you want and click Apply selected items.
  6. Under Activities, click the drop-down list, clear All web traffic, and click Add new item.
  7. Select Web category in the activity list, select the category you want and click Apply selected items.
  8. Under Action, select Allow HTTP.
  9. Click the drop-down list next to the HTTP actions and select Allow HTTPS.
  10. Under Constraints, select a time to apply the rule.
  11. Turn Status on.
  12. Click Save.

Configure a firewall rule

You must configure the web filtering settings in a firewall rule. The settings differ between DPI mode and web proxy mode.

In DPI mode, do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and then New firewall rule.
  3. Enter a name.
  4. Make sure Action is set to Accept.
  5. Set the Source zones to LAN and Wi-Fi.
  6. For Source networks and devices, select the local subnets you want.
  7. Set the Destination zones to WAN.
  8. Set Destination networks to Any.
  9. Make sure Services is set to Any.
  10. Under Security features, click Web filtering.
  11. Select the Web policy you created from the drop-down list.
  12. Under Malware and content scanning, select Scan HTTP and decrypted HTTPS.
  13. Under Filtering common web ports, make sure the checkbox for Use web proxy instead of DPI engine isn't selected.

    Here's an example:

    Web filtering settings in firewall rule for DPI mode.

  14. Click Save.

In web proxy mode (transparent or direct proxy), do as follows:

  1. Go to Rules and policies > Firewall rules.
  2. Click Add firewall rule and then New firewall rule.
  3. Enter a name.
  4. Change the Action if you want.
  5. Set the Source zones to LAN and Wi-Fi.
  6. For Source networks and devices, select the local subnets you want.
  7. Set the Destination zones to WAN.
  8. Set Destination networks to Any.
  9. Set Services to Any.

    If you want to select specific services, choose the options based on your network configuration:

    • Transparent proxy: HTTP and HTTPS.
    • Direct proxy: HTTP, HTTPS, and the Web proxy listening port you configured under Web > General settings > Web proxy configuration.
  10. Under Security features, click Web filtering.
  11. Select the Web policy you created from the drop-down list.
  12. Under Malware and content scanning, select Scan HTTP and decrypted HTTPS.
  13. Under Filtering common web ports, select Use web proxy instead of DPI engine.
  14. Select Decrypt HTTPS during web proxy filtering.

    Here's an example:

    Web filtering settings in firewall rule for web proxy.

  15. Click Save.

Apply HTTPS decryption

After inspecting and decrypting secure web content, Sophos Firewall encrypts the content again using certificates signed by the CA you configure. This example shows how to apply the built-in signing CA. To use custom CAs, see Add subordinate and root CAs for TLS traffic.

In DPI mode, you configure SSL/TLS inspection rules.

  1. Go to Rules and policies > SSL/TLS inspection and click Add.
  2. Enter a rule name.
  3. Set Action to Decrypt.
  4. Set Decryption profile to Block insecure SSL.

    You can see its settings in Profiles > Decryption profiles.

    Action and decryption profile in SSL/TLS inspection rules.

  5. Set the Source zones to LAN and Wi-Fi.
  6. For Source networks and devices, select the local subnets you want.
  7. Set the Destination zones to WAN.
  8. Set Destination networks to Any.
  9. Set Services to Any.
  10. Click Save.

In web proxy mode, you configure the HTTPS decryption and scanning settings in the web proxy's general settings:

  1. Go to Web > General settings.
  2. Scroll down to HTTPS decryption and scanning.
  3. Under HTTPS scanning certificate authority (CA), select a CA to secure scanned HTTPS connections.

    You can select the built-in or internal certificate available on Sophos Firewall or use an external CA.

  4. Select Block unrecognized SSL protocols.
  5. Make sure Block invalid certificates is selected.
  6. Click Apply.

    Here's an example:

    HTTPS decryption and scanning settings for web proxy.

  7. Under Web proxy configuration, make sure TLS 1.1 is selected as the minimum TLS version.
  8. Click Apply.

    Setting minimum TLS configuration.

Download the signing CA

In DPI mode, do as follows:

  1. Go to Profiles > Decryption profiles.
  2. Click the edit button for the profile Block insecure SSL you selected in the inspection rule.
  3. Under Re-signing certificate authority, click the download button next to the setting for Re-sign RSA with and save the signing CA.
  4. Optional: Click the download button next to the setting for Re-sign EC with and save the signing CA based on your configuration.

    Download the re-signing CA.

  5. Click Cancel to exit.

You must do as follows for transparent and direct proxy modes:

  1. Go to Web > General settings.
  2. Scroll down to HTTPS decryption and scanning.
  3. Under HTTPS scanning certificate authority (CA), click the download button next to the CA you selected.

    Download HTTPS signing CA for web proxy.

To prevent untrusted certificate error messages, you must install this CA on your users' endpoints. See Add a CA manually to endpoints.

For direct proxy mode, you must allow the web proxy service for your users' zones. Do as follows:

  1. Go to Administration > Device access.
  2. Under Other services > Web proxy, select LAN and Wi-Fi.
  3. Click Apply.

To install the CA on users' endpoints, see Add a CA manually to endpoints.
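As an added check that is not part of the Sophos documentation: once the signing CA is installed, you can confirm from an endpoint that HTTPS traffic is actually being re-signed by the firewall and that the endpoint trusts the signing CA. The Python script below (standard library only) validates a site's certificate chain twice, once against the endpoint's default trust store and once against only the downloaded signing CA, and classifies the combination. The CA file path, the default host name, the function names and the sample certificate dictionary are placeholders or constructed values, not anything the page or the product defines.

```python
"""Endpoint-side check for Sophos Firewall HTTPS decryption (added example).

Assumptions (not from the product documentation):
  * the signing CA downloaded from the firewall is saved as a PEM file at
    FIREWALL_CA_FILE (placeholder path);
  * the endpoint has network access to the probed host through the firewall.
"""
import socket
import ssl
from typing import Optional, Tuple

# Placeholder: replace with the re-signing CA you downloaded from the firewall.
FIREWALL_CA_FILE = "/path/to/firewall-signing-ca.pem"

# Constructed sample in the layout ssl.SSLSocket.getpeercert() returns; used
# only to demonstrate the issuer helpers offline.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "GB"),),
        (("organizationName", "Example Org"),),
        (("commonName", "Example Firewall SSL CA"),),
    ),
}


def flatten_name(name) -> dict:
    """Flatten the nested tuple layout of getpeercert()['issuer'] into a dict."""
    return {key: value for rdn in name for (key, value) in rdn}


def issuer_cn(cert: dict) -> str:
    """commonName of the certificate issuer, or '' if the field is absent."""
    return flatten_name(cert.get("issuer", ())).get("commonName", "")


def verify_against(host: str, port: int = 443, cafile: Optional[str] = None,
                   timeout: float = 5.0) -> Tuple[bool, dict]:
    """Open a TLS connection and validate the presented chain.

    cafile=None uses the endpoint's default trust store; otherwise ONLY the
    given CA file is trusted (create_default_context skips the default store
    when cafile is supplied). Returns (ok, cert_dict); cert_dict is {} on
    validation failure. Connection errors other than certificate validation
    are left to propagate so they are not mistaken for a trust problem.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return True, tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return False, {}


def interpret(default_ok: bool, firewall_ok: bool) -> str:
    """Classify the two validation results.

    not-inspected          chain validates only against the public trust store:
                           the firewall is not re-signing this connection.
    inspected-ca-installed chain validates against both: the firewall re-signs
                           and the endpoint already trusts the signing CA.
    inspected-ca-missing   chain validates only against the firewall CA: this
                           is the untrusted-certificate situation the guide
                           warns about; install the CA on the endpoint.
    invalid-chain          neither store accepts the chain (for example the
                           decryption profile blocked it, or the site is broken).
    """
    if default_ok and not firewall_ok:
        return "not-inspected"
    if default_ok and firewall_ok:
        return "inspected-ca-installed"
    if firewall_ok:
        return "inspected-ca-missing"
    return "invalid-chain"


def check(host: str, cafile: str = FIREWALL_CA_FILE) -> Tuple[str, str]:
    """Probe host and return (verdict, issuer commonName of the leaf)."""
    default_ok, cert = verify_against(host)
    firewall_ok, fw_cert = verify_against(host, cafile=cafile)
    return interpret(default_ok, firewall_ok), issuer_cn(cert or fw_cert)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    verdict, cn = check(target)
    print(f"{target}: {verdict} (leaf issued by {cn or 'unknown'})")
```

Run it from an endpoint behind the firewall as `python check_inspection.py www.example.com`. `inspected-ca-missing` is the case that produces the untrusted certificate errors described above and is resolved by installing the signing CA; `not-inspected` for a site you expect to be decrypted points back at the firewall rule, the SSL/TLS inspection rule or the web policy rather than at the endpoint.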