
Issues with blocking on https decryption

I have enabled https decryption and enrolled in EAP in order to test blocking of subfolders.

As an organisation we have blocked due to the high number of phishing pages served on there, however there are a few sites we want to explicitly enable. Up to now this has not been possible.

I have found that if we have an allow rule for or whatever, and a block rule for, without the EAP the whole site is blocked.

When we enable https decryption I find that it works as expected but there are some times when all of sites is allowed, instead of just the subfolder of the site.

After a bit of puzzling around this I managed to replicate when this happens,

Open the browser,

visit the and it will be blocked, visit the subfolder and it will be allowed (the site certificate is signed by the root Sophos cert).

Visit (which is excluded as webmail) - the cert is a Google one.

Go back to - the Google cert is used and the site is allowed.

I think this is a choice of cert issue.

I feel that if there is a site block in place it should be honoured whether decryption is enabled or not. I would prefer the site to be blocked and have to advise users to open up an incognito window to get to the subsite.

Ideally the cert issue could be fixed, but a good stopgap would be to ensure unencrypted websites work the same as they did before, whereby a block takes precedence.