This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS Rules

Hello,

I'm testing the new features of V18 and there is one thing I don't understand.

If I uncheck all web securities on a firewall rule that matches for an IP host, the SSL decryption even decrypts and blocks traffic for unsecure SSL sites...

A I missing something?

Thanks.

This thread was automatically locked due to age.

Parents

0 LuCar Toni over 4 years ago

Because your SSLx Rule hits?
SSLx has no relation what so ever with Firewall Rule.

The Firewall Rule specify what to do with Decrypted traffic.

But everything else will be dealt with the DPI engine (SSLx).

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 LuCar Toni over 4 years ago

Because your SSLx Rule hits?
SSLx has no relation what so ever with Firewall Rule.

The Firewall Rule specify what to do with Decrypted traffic.

But everything else will be dealt with the DPI engine (SSLx).

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 VikenNajarian over 4 years ago in reply to LuCar Toni

Thank you for your answer, I understand the way it works now.

But there is a bug the way SSL/TLS Inspection rules work.

If you specify an IP host group in the "source networks and devices", AND this IP host group is empty, then, ALL the traffic from any sources (even if they should not match this rule) will hit this rule. And then, if I add a host in the IP host group, only this IP host will hit this rule, and all of the other sources won't hit this rule and will hit the rules below this one, and everything works fine.

The bug is only when the IP host group is empty as source.

Viken

XG Certified Architect

Sophos Gold Partner - Reseller from Lyon, France
Cancel
Vote Up 0 Vote Down

Cancel
+1 KingChris over 4 years ago in reply to VikenNajarian

This is being tracked under ID NC-56773.

Thanks!

KingChris
Community Support | Sophos Support
Sophos Support Videos | Knowledge Base | @SophosSupport | Sign up for SMS Alerts |
If a post solves your question use the 'This helped me' link
Cancel
Vote Up 0 Vote Down

Cancel
0 VikenNajarian over 4 years ago in reply to KingChris

Ok, so no need to open a ticket on my side ?

Viken

XG Certified Architect

Sophos Gold Partner - Reseller from Lyon, France
Cancel
Vote Up 0 Vote Down

Cancel
0 FloSupport over 4 years ago in reply to VikenNajarian

Hi VikenNajarian

No need for you to raise a case. Please stay tuned to this thread as we will provide updates when more information is available.

Florentino
Director, Global Community & Digital Support
Are you a Sophos Partner? | Product Documentation | @SophosSupport | Sign up for SMS Alerts
If a post solves your question, please use the 'Verify Answer' button.

The Award-winning Home of Sophos Support Videos! - Visit Sophos Techvids
Cancel
Vote Up 0 Vote Down

Cancel