[HTTPS Scan - Issue] Epic Launcher and Discord

Hello Sophos-XG Community,

My situation at home: I am using a Sophos XG Home Licence firewall and am happy with my choice. :D

Got the CA running with my firewall and all seems well until I start using:

Epic Launcher and Discord

I could narrow it down to the HTTPS Scan: when this feature is off, all works very nicely... if it's on, the Epic Launcher will not authenticate and Discord (desktop app) does not connect!

In the log, what I could find is that both use an embedded version of the Mozilla engine. (As far as I know, Mozilla does not use the built-in certificate store from Windows.)

Is there another way around that?

I would like to have the HTTPS Scan on at all times.

Firmware of the XG is SFOS 17.5.8 MR-8

Best regards

Eli.

  • Some websites/apps simply will not function with HTTPS decryption and scanning. I just create a web exception policy for these websites/apps. I created a page on the community wiki here with the website/apps I've discovered thus far that have issues with HTTPS decryption and scanning:

    https://community.sophos.com/products/xg-firewall/w/xg-wiki/43/urls-that-do-not-work-with-https-decryption

    I haven't used the Discord app but when I tried to use the Discord website, it would not work unless I bypassed HTTPS decryption and scanning.

  • Hi,

    I would recommend referring to the articles on HTTPS scanning for the Sophos XG firewall.

    https://community.sophos.com/kb/en-us/132997

    https://community.sophos.com/kb/en-us/123048

  • In reply to shred:

    Hello,

    thanks a lot m8, that post just made my day.

    Got the Exceptions rolling with a new Exception-Group:

    - discord.gg

    - epicgames.com

    - unrealengine.com

    - glasswire.com

    That has to match my IP only, so for everyone else in the network these things will not work. ;) (It has to be allowed by the admin [me] by design.)

    The other part, the certificates, all works: HTTPS traffic is being scanned by the appliance as it should be. Thumbs UP to all the KB posts from Sophos on how to create and deploy the required cert.

    Another part is that I created a web filter [expanded the Default Group] with stricter rules and a firewall user rule to bypass it if needed. Otherwise BLOCK everything I am not used to browsing... :D

    In terms of ports, as far as I know (and please correct me if I am wrong):

    All inbound traffic is automatically blocked by the firewall (WAN to LAN).

    I know Sophos XG Home does not support UPnP and that is fine; it means I need a lot of homework on what ports are needed for outgoing connections, which I can find out with GlassWire very easily.

    My goal at some point is to rely on the Windows Firewall for standard stuff and on the Sophos XG Home firewall to make sure only that stuff communicates when needed...

    --------------------- For now this is resolved ---------------

    I'll open a new thread about double NAT and IPv6 with a German appliance found very commonly in homes and KMUs/SMBs (spoiler -> Fritzbox with DS-Lite).


    Many Many thanks to all that helped me

    Sincerely

    Eli.


  • In reply to Eli:

    No worries. While HTTPS decryption and scanning has its benefits, it can definitely be a pain at times. You'll find certain websites or apps simply won't work with HTTPS decryption, so it becomes a game of figuring out, by trial and error, which domains you have to add to the exception, and some apps/websites will have multiple domains they access. Another thing I did was set up an exception to not decrypt certain categories such as Financial Services, since I want to maintain the integrity of that connection between my client and the server (i.e. I don't want a MIM, even Sophos, decrypting that traffic). There are a few apps I couldn't get to work until I made an exception for an entire category.

    As for your statement that all inbound traffic is automatically blocked, that's true. There's a hidden firewall "Rule 0" which is the implicit default drop rule. Just be aware there are other hidden firewall rules that are enabled/disabled depending on what you select. For example, enabling options on the Device Access page may open ports depending on which service you enable: the User Portal is enabled by default on the WAN zone, which basically opens port 443 to the internet. I really wish the firewall rules page would show you all of the automatically generated firewall rules, just hidden by default and grouped together. That way you would have full transparency on how the firewall is configured.