  • Hi folks

    More experimentation. I disabled the default SSL/TLS inspection rule and created my own with decrypt enabled.

    What logviewer shows is the exception list is still active even though the description of the list says for the default SSL/TLS rule. So how do you disable the default exception list? Also somewhere there is hidden an SSL/TLS rule 0 which is used for Sophos software updates to at least APX120 connected to CM.

    Ian

    XG115W - v20 GA - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Do you mean the Exception List within Web and not the local TLS List? Because the exception List will be used all the time. 


  • That is exactly what I am talking about, you can disable web exceptions but not SSL/TLS exceptions.

    Ian


  • You can turn it off if you want to.


    If a post solves your question use the 'Verify Answer' button.

    Ryzen 5600U + I226-V (KVM) v20 GA @ Home

    XG 115w Rev.3 8GB RAM v19.5 MR3 @ Travel Firewall

  • Sorry, if you want to experiment without having the default exception list get in the road, you cannot turn it off. Turning it off disables SSL/TLS as well as the exception list.

    Ian


  • You can turn off the default exclusion list since v18 EAP, even the managed local TLS exclusion list can be disabled.

    The only exclusion list you can't turn off is the hidden rule #0 for system exclusions. (Sophos domains.)

    DPI Engine will still work fine.



  • Hi Prism,

    There is nowhere to disable the default SSL/TLS exception list even if you do not select it in your rule. Whereas in the web exception list you can disable an exception list.

    Ian


  • You're looking at the wrong place.

    The picture you just sent is just the URL Groups that are used on the TLS exception, not the exceptions themselves.

    Look again at the picture I've sent above.



  • All that does is disable the rule, not the exception list. If you review the web exception lists there are disable buttons, but the TLS list does not have the same feature.

    Ian


  • Sorry Ian, I am still confused about what you mean. The URL lists you linked are used as "Websites" in TLS/SSL DPI. You cannot remove the Local URL List, but you can remove all others. You can create your own list and rules.

    What exactly do you want to disable and why?


  • I was trying to test my own SSL/TLS rule to see if I could replace the web proxy in some of my rules but failed because of the default list.

    Ian


  • We are overkilling this thread. Please create a new thread to discuss this issue. 

