On our XG125 we have a default LAN-to-WAN rule (any host, any service) with only HTTP scanning; this rule is set at the bottom.
For some testing I want to have a network rule for one PC. This rule is set at the top and has a web filter and application filter applied to it, so the rule is as follows:
Source: LAN, Device: TEST-PC (added as MAC host)
Destination: WAN, Service: ANY
Web Malware and Content Scanning: Scan HTTP, Decrypt and Scan HTTPS, Block Google QUIC
Custom web filter applied and custom application filter applied; web filter and app filter are set to anyone.
Installed the Sophos CA cert on the client, and the client could indeed not access the websites that I set in the web filter.
However, other clients on the network received a cert error on websites with HTTPS because it tries to decrypt and scan, but the Sophos cert is not installed on the other PCs.
From my understanding, rules are read from top to bottom, so why is the rule not skipped by other clients besides TEST-PC? It seems that it skips the web filter, because other clients can browse the blocked sites set for TEST-PC just fine, but HTTPS decrypt is not skipped?
Please provide log viewer entries showing the traffic through your top rule.
In reply to rfcat_vk:
Thank you for your reply.
Rule 1 is the LAN-WAN any-any rule and Rule 5 is the special rule for the user.
In reply to TonV:
Both rules are using the proxy.
Please post expanded versions of both rules, as in screenshots.
Sorry, do you mean the Open PCAP log?
No, the actual firewall rules.
Those are the rules. I noticed that even if I remove the HTTPS decrypt, it still uses the Sophos SSL CA.
BTW: maybe related, I turned on micro app discovery.
Yep, it was the micro app discovery. If enabled, it seems to be system-wide, not only for the rule with HTTPS decrypt, which would better fit my needs to be honest.
Via the console, type in: system application_classification microapp-discovery off
By default this is turned off.
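To confirm from any client whether the firewall is re-signing its HTTPS traffic (the symptom above, where PCs without the Sophos CA installed get certificate errors), the following script is an added example and not part of the original thread. It assumes openssl is installed on the client and that the firewall CA's issuer name contains the word "Sophos"; FIREWALL_CA_PATTERN is an assumption and should be adjusted to the CA name shown on your appliance.

```shell
#!/bin/sh
# Added example, not from the original thread: detect whether HTTPS to a site is
# being decrypted by the firewall, by inspecting who issued the certificate the
# client actually receives. When SSL/TLS inspection is active, the leaf cert is
# re-signed by the firewall's own CA instead of the site's public CA.

# Assumption: the firewall CA's issuer name contains "Sophos". Adjust to the
# CA name shown on your appliance.
FIREWALL_CA_PATTERN='Sophos'

# issuer_is_firewall_ca: reads the "issuer=..." line printed by
# `openssl x509 -noout -issuer` from stdin; returns 0 if it names the firewall
# CA, 1 otherwise. Works with both the old "/C=GB/O=Sophos/..." and the new
# "C = GB, O = Sophos, ..." output formats because it only matches the name.
issuer_is_firewall_ca() {
    grep -q -i "$FIREWALL_CA_PATTERN"
}

# fetch_issuer HOST [PORT]: performs a TLS handshake with SNI and prints the
# issuer of the leaf certificate presented to this client. Needs network access.
# No validation is done here on purpose: a client without the firewall CA would
# otherwise fail the handshake before we could see who signed the certificate.
fetch_issuer() {
    host=$1
    port=${2:-443}
    openssl s_client -connect "$host:$port" -servername "$host" </dev/null 2>/dev/null \
        | openssl x509 -noout -issuer
}

# check_host HOST: prints a verdict. Returns 0 if the firewall is intercepting,
# 1 if the site's own CA chain is seen, 2 if the handshake failed entirely.
check_host() {
    issuer=$(fetch_issuer "$1")
    if [ -z "$issuer" ]; then
        echo "$1: handshake failed (blocked, or QUIC/port mismatch?)"
        return 2
    fi
    if printf '%s\n' "$issuer" | issuer_is_firewall_ca; then
        echo "$1: INTERCEPTED by firewall ($issuer)"
        return 0
    fi
    echo "$1: direct, not decrypted ($issuer)"
    return 1
}

# Usage: sh check_inspection.sh www.example.com
if [ "$#" -gt 0 ]; then
    check_host "$1"
fi
```

Run it from TEST-PC and from one of the other clients: if both report the firewall CA as issuer, decryption is being applied to every host and not just to the rule that was meant to scope it, which is the behaviour reported above when micro app discovery is on.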