Web control - endpoint or firewall?

Just to say, you could always use Web Control on the endpoint, it's been there for years.  The new update I believe you are referring to supports HTTPS which should provide more insight beyond the domain name extracted from the SNI using the handshake as is the current verison.

I suspect the FW provides better insight/control as it's one of the primary features but you could enable one or two clients in the latest EAP to see the new HTTPS client in action and what additional data that provides.

well, whats the point of using web control and not being able to inspect https traffic? :-)

prefering Web Control on firewall would be my default choice but i'm wondering why would Sophos go to implement it on Endpoint side, if there is no benefits into it? There must be something i'm not seeing. Hope somebody with deeper knowledge will reply.

Thanks anyway!

You can get the domain name at the establishment of the connection from the SNI, so you can still look up the domain, to block it based on category for example or get a report of domains being accessed.  You just don't see the full URL or the content.

Not all customers have a firewall that can perform web control/protection centrally or maybe working from home with just cloud services, they are going direct.

It's just another option to enforce some level of control at the endpoint.

Two points:
1) not all our customers have dedicated firewall perimeter devices - so they need this protection at the endpoint level

2) you can distribute processing to the endpoints - If the endpoint determines the connect isn't safe it can truncate it before it ever gets to the firewall