SSL Inspection - Logs

Hi all,

We're looking at enabling SSL Inspection on the Endpoints with XDR Advanced.

However, this always has the potential to block applications or websites from working. Is there a log on Sophos Central I can use to find where SSL Decryption may have blocked something specifically? Not just the general Web Block logs?

  • Hi David,

    The main log here is the SophosNetFilter.log under: "C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\".

    You can increase the logging for the component in ESH:

    This will create a LogLevel 0 DWORD under HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Logging\NTP\SophosNetFilter.exe to enable DebugLevel, so you don't have to use ESH. It's probably easier with physical access, but you could do it from a cmd line with this info if needed.

    You can always add exceptions and categories that shouldn't be inspected if needed in policy. 

    https://cloud.sophos.com/manage/config/settings/ssl-tls-decryption

    At the client to check, under:

    HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\20250102171622312090\web_protection

    Where: 20250102171622312090 is the latest policy (timestamp) as pointed to by the latest REG_SZ value under the parent key: HKEY_LOCAL_MACHINE\SOFTWARE\Sophos\Management\Policy\ThreatProtection\

    https_decrypt_enabled will show if decryption is enabled.

    https_decrypt_excluded_categories will have the cat ids that aren't decrypted.

    https_decrypt_excluded_sites will list the specific sites you may define.
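
The checks described in the reply above, put together as a PowerShell script you can run on the endpoint. This is an added example, not code from the original thread or from Sophos: it locates the live ThreatProtection policy key, reads the three https_decrypt_* values from its web_protection subkey, can write the LogLevel DWORD the reply mentions, and pulls decryption-related lines from SophosNetFilter.log. The paths and value names come from the reply; the fallback of picking the lexically largest timestamp subkey, the assumption that the pointer value's data equals a subkey name, the value types, and the log line pattern are assumptions (the thread does not show the log format or the pointer value's name).

```powershell
# Added example, not code from the thread or from Sophos. Run from an
# elevated PowerShell prompt on the endpoint. Anything not stated in the
# thread (pointer-matching logic, fallback ordering, log patterns) is an
# assumption and is marked as such below.

$PolicyParent = 'HKLM:\SOFTWARE\Sophos\Management\Policy\ThreatProtection'
$LoggingKey   = 'HKLM:\SOFTWARE\Sophos\Logging\NTP\SophosNetFilter.exe'
$NetFilterLog = 'C:\ProgramData\Sophos\Sophos Network Threat Protection\Logs\SophosNetFilter.log'

function Get-SophosActivePolicyId {
    # The reply says a REG_SZ value under the parent key names the newest
    # timestamped policy subkey. The value's name is not given, so match every
    # string value under the parent against the existing subkey names instead.
    $subkeys = @(Get-ChildItem -Path $PolicyParent | Select-Object -ExpandProperty PSChildName)
    if (-not $subkeys) { throw "No policy subkeys found under $PolicyParent" }

    $pointed = @((Get-ItemProperty -Path $PolicyParent).PSObject.Properties |
        Where-Object { $_.Value -is [string] -and $subkeys -contains $_.Value } |
        ForEach-Object { $_.Value })

    # Fallback (assumption): names like 20250102171622312090 are timestamps
    # and sort lexically, so the largest one is the newest policy.
    $candidates = if ($pointed) { $pointed } else { $subkeys }
    return ($candidates | Sort-Object)[-1]
}

function Get-SophosHttpsDecryptSettings {
    param([string]$PolicyId = (Get-SophosActivePolicyId))
    $wp = Get-ItemProperty -Path (Join-Path $PolicyParent "$PolicyId\web_protection")
    # Values are returned as stored; the thread does not state their types.
    [pscustomobject]@{
        PolicyId           = $PolicyId
        DecryptEnabled     = $wp.https_decrypt_enabled
        ExcludedCategories = $wp.https_decrypt_excluded_categories
        ExcludedSites      = $wp.https_decrypt_excluded_sites
    }
}

function Set-SophosNetFilterDebugLogging {
    # Writes the LogLevel DWORD described in the reply (value 0 is the value
    # the reply gives). Supports -WhatIf so you can preview the change.
    [CmdletBinding(SupportsShouldProcess)]
    param([int]$LogLevel = 0)
    if ($PSCmdlet.ShouldProcess($LoggingKey, "Set LogLevel=$LogLevel (DWORD)")) {
        if (-not (Test-Path $LoggingKey)) { New-Item -Path $LoggingKey -Force | Out-Null }
        Set-ItemProperty -Path $LoggingKey -Name LogLevel -Value $LogLevel -Type DWord
    }
}

function Get-SophosDecryptLogLines {
    # The regex is an assumption about how the log words decryption events;
    # widen or narrow it once you have seen real lines. -Tail keeps it fast
    # on large logs.
    param([int]$Tail = 2000, [string]$Pattern = 'decrypt|ssl|tls|certificate')
    if (-not (Test-Path $NetFilterLog)) { throw "Log not found: $NetFilterLog" }
    Get-Content -Path $NetFilterLog -Tail $Tail | Select-String -Pattern $Pattern
}

# Usage: confirm what policy the endpoint actually has, then look at the log.
Get-SophosHttpsDecryptSettings | Format-List
Get-SophosDecryptLogLines | Select-Object -Last 50

# To raise the log level first, preview with -WhatIf, then run without it,
# reproduce the broken site, and re-run Get-SophosDecryptLogLines:
#   Set-SophosNetFilterDebugLogging -WhatIf
```

Compare the ExcludedSites and ExcludedCategories output against what you set at https://cloud.sophos.com/manage/config/settings/ssl-tls-decryption; if the PolicyId is older than your last policy change, the endpoint has not picked the new policy up yet and the log will still reflect the old exclusions.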