https decrypt and scan not working on v18 GA

Hi,

I have an XG 106.  Just upgraded to latest SFOS 18.0.0.0 GA-Build321.  I am not getting any traffic decrypted/scanned and pages are coming up with their original certs instead of my Sophos.  

Here is the rule log as well as a screenshot of the rule.   It's my default rule.

2020-02-22 19:45:05Firewallmessageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="33" fw_rule_id="5" nat_rule_id="5" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="0" appfilter_policy_id="0" app_name="DNS" app_risk="1" app_technology="Network Protocol" app_category="Infrastructure" vlan_id="0" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="Port2" out_display_interface="Port2" src_mac="xxx" dst_mac="xxx" src_ip="xxx" src_country="R1" dst_ip="xxx" dst_country="AUS" protocol="UDP" src_port="61647" dst_port="53" packets_sent="1" packets_received="1" bytes_sent="63" bytes_received="115" src_trans_ip="xxx" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="xxx" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"

Thanks

  • Do you have an SSLx rule?

  • Why are you expecting SSL/TLS scan of DNS traffic?

    Ian

  • In reply to rfcat_vk:

    Hey Ian -

    You are correct, I did not include a good example. Below is another (dest IP included).

    2020-02-22 22:23:32Firewallmessageid="00001" log_type="Firewall" log_component="Firewall Rule" log_subtype="Allowed" status="Allow" con_duration="17" fw_rule_id="5" nat_rule_id="5" policy_type="1" user="" user_group="" web_policy_id="12" ips_policy_id="0" appfilter_policy_id="0" app_name="HTTP" app_risk="1" app_technology="Browser Based" app_category="General Internet" vlan_id="0" ether_type="Unknown (0x0000)" bridge_name="" bridge_display_name="" in_interface="Port1" in_display_interface="Port1" out_interface="Port2" out_display_interface="Port2" src_mac="xxx" dst_mac="xxx" src_ip="xxx" src_country="R1" dst_ip="204.128.250.203" dst_country="USA" protocol="TCP" src_port="64680" dst_port="80" packets_sent="6" packets_received="4" bytes_sent="560" bytes_received="950" src_trans_ip="xxx" src_trans_port="0" dst_trans_ip="" dst_trans_port="0" src_zone_type="LAN" src_zone="LAN" dst_zone_type="WAN" dst_zone="WAN" con_direction="" con_event="Stop" con_id="1275669632" virt_con_id="" hb_status="No Heartbeat" message="" appresolvedby="Signature" app_is_cloud="0"
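The two entries quoted so far are UDP/53 (DNS) and TCP/80 (HTTP); neither carries TLS, so no decrypt rule could ever apply to them. The parser below is an added example, not Sophos code: it splits SFOS-style key="value" log lines (constructed samples modelled on the ones above, plus a made-up TCP/443 flow for contrast) and reports which flows are even candidates for TLS inspection.

```python
import re
from typing import Dict, List

# Constructed sample lines shaped like the SFOS 18 firewall-rule log entries quoted in this
# thread (fields trimmed; the third line is a made-up TCP/443 flow for contrast).
SAMPLE_LOGS: List[str] = [
    '2020-02-22 19:45:05Firewallmessageid="00001" log_type="Firewall" log_subtype="Allowed" '
    'fw_rule_id="5" user="" web_policy_id="12" app_name="DNS" ether_type="Unknown (0x0000)" '
    'src_ip="xxx" dst_ip="xxx" protocol="UDP" src_port="61647" dst_port="53"',
    '2020-02-22 22:23:32Firewallmessageid="00001" log_type="Firewall" log_subtype="Allowed" '
    'fw_rule_id="5" user="" web_policy_id="12" app_name="HTTP" ether_type="Unknown (0x0000)" '
    'src_ip="xxx" dst_ip="204.128.250.203" protocol="TCP" src_port="64680" dst_port="80"',
    '2020-02-22 22:24:01 Firewall messageid="00001" log_type="Firewall" log_subtype="Allowed" '
    'fw_rule_id="5" user="" web_policy_id="12" app_name="HTTPS" ether_type="Unknown (0x0000)" '
    'src_ip="xxx" dst_ip="xxx" protocol="TCP" src_port="50001" dst_port="443"',
]

# Timestamp, then an optional device label that extraction may have fused onto it
# ("19:45:05Firewallmessageid=" in the thread), stopping before the first key.
HEADER_RE = re.compile(r'^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*(\S*?)\s*(?=messageid=)')
# key="value" pairs; values may be empty or contain spaces, as in ether_type="Unknown (0x0000)".
KV_RE = re.compile(r'([A-Za-z_]\w*)="([^"]*)"')


def parse_entry(line: str) -> Dict[str, str]:
    """Split one SFOS firewall log line into a dict of its fields."""
    header = HEADER_RE.match(line)
    if header is None:
        raise ValueError(f"unrecognised log header: {line[:40]!r}")
    entry = {"timestamp": header.group(1), "device": header.group(2)}
    entry.update(KV_RE.findall(line[header.end():]))
    return entry


def inspection_status(entry: Dict[str, str]) -> str:
    """Only TLS traffic can be decrypted, so UDP/53 or TCP/80 flows never will be."""
    proto = entry.get("protocol", "")
    port = entry.get("dst_port", "")
    app = entry.get("app_name", "")
    if proto == "TCP" and (port == "443" or app.upper() == "HTTPS"):
        return "tls-candidate"
    return f"not-tls ({app or proto}/{port})"


def triage(lines: List[str]) -> List[str]:
    """One status string per log line, in input order."""
    return [inspection_status(parse_entry(line)) for line in lines]


if __name__ == "__main__":
    for line, status in zip(SAMPLE_LOGS, triage(SAMPLE_LOGS)):
        print(parse_entry(line)["timestamp"], status)
```

Run it against an export of the firewall-rule log to see at a glance whether any logged flow was TLS in the first place before suspecting the decrypt rule.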

  • In reply to LuCar Toni:

    This is the only rule - I believe this was a default created rule.

  • In reply to Gary21:

    Hi,

    That rule shows "do not decrypt", so it will not be scanned. You need to create your own rule for what you want scanned.

    Ian

  • Hi, here you have an example:

    Remember to properly install the CA certificate via the MMC command in Windows.

  • In reply to darnoK:

    Ah, should have realized I need to create the decrypt rule there.  Thanks!

  • In reply to LuCar Toni:

    Thanks, that looks like exactly what I need.  I'll review to make sure I have updated rules based on the new methods.