On the Web Protection > Web Filtering > HTTPS tab you can configure how Web Filtering handles HTTPS traffic.

  • URL filtering only: Select this option to filter based on domain name for categorization, tags, and if the site is listed in a whitelist or blacklist.
  • Decrypt and scan: Select this option to perform URL Filtering and also perform HTTPS decryption for full scanning.
  • Decrypt and scan the following: Select this option to perform URL Filtering, and to decrypt and scan selected categories or tagged sites.

    • Scan These Tagged Websites: Use this box to select which tagged sites will be decrypted and scanned. Select the folder icon to choose existing tags, or click the plus icon to add a new tag. To add an existing tag, select and drag it to the Scan These Tagged Websites list box.
    • Scan These Categorized Websites: Use this list box to choose which website categories will be decrypted and scanned. Click the trash icon next to a category to remove it from the list. Select the folder icon to list available categories. To add a category, select and drag it to the Scan These Categorized Websites list box.
  • Do not proxy HTTPS traffic in transparent mode: Select this option to disable Web Filtering for all HTTPS traffic. Use this option only for transparent mode. When selected, the Web Filter will not proxy any HTTPS traffic. You must also create a firewall rule to allow HTTPS traffic through Sophos UTM.

Note – If clients and servers support TLS 1.2 and TLS 1.3 and HTTPS decryption is required, UTM uses TLS 1.2 to decrypt traffic. If the client or server doesn't support TLS 1.2, the connection fails. Create HTTPS scanning exceptions on Web Protection > Filtering Options > Exceptions to exclude traffic that can only support TLS 1.3 from decryption.