SSL/TLS inspection

Hi All

I am facing a strange error whereby there are no logs in the SSL/TLS inspection even though SSL inspection is enabled and Sophos is MiM-ing the TLS traffic. SSL traffic is successfully decrypted on the end client using a custom CA. Logging is enabled in the decryption rules but there is nothing in the log viewer.

Thanks



Added TAGs
[edited by: emmosophos at 5:01 PM (GMT -8) on 26 Nov 2021]
  • According to your ssl/tls rule there isn't any traffic being passed through it.

    What does the firewall rule show for traffic passing through it?

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • All traffic goes from the internal network to Sophos, so I am using the LAN to LAN rule (internal hosts are using Sophos via the PAC file). The traffic is decrypted as part of the firewall rule as I can see my custom cert as well as decrypted traffic.

  • Hi,

    that didn't answer my question, what does the firewall rule show for traffic? Also I assume all traffic is routed via a switch which is possibly bypassing the XG interfaces!
    ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Not sure if that helps but traffic from the internal client is going to the proxy (port 3128) and then the proxy is initiating the connection to port 80/443. I can't see any internal network traffic (except Sophos) reaching out directly to the websites on http/https.

    Running the policy test for HTTPS traffic shows that traffic is intercepted but "proxy not in use".




    [edited by: wingman at 9:37 AM (GMT -8) on 26 Nov 2021]
  • Hi,

    when you look at a firewall rule in the list it shows the traffic passed through that rule, that is what I am after.

    Best if you provide a simple diagram of your network to help identify traffic flows.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • 10.1.0.84 ---- router/FW ---- ISP modem ---- Internet for all traffic except for port 443/80, which is going through the Sophos appliance (settings below for the Safari browser).

    In the firewall settings, traffic from 10.1.0.84 to external IPs on port 443/80 is blocked and there is a separate rule to allow traffic from the Sophos appliance to the internet on the said ports.

    Traffic seems to be correctly inspected as I can see the full URI of the encrypted traffic.

  • Hi,

    that is not an XG configuration screen, that looks more like a PC type screen.

    You have still not provided the information I asked for about the XG firewall rules.

    As well you are not using the proxy, the proxy box is not ticked.

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Indeed the picture is from a browser as mentioned in the post above. This is the only firewall rule enabled, which corresponds to the firewall logs provided earlier.

    I have also enabled the "web proxy" option instead of DPI and this is the result of the policy test.

  • So, you don't have a switch between your PC and the XG? So how do the other devices that you are trying to communicate with connect to the XG?

    Ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • Changed the default gateway on the DHCP server to be the Sophos appliance and traffic is now decrypted. All web traffic is still going through the firewall rules as before.




    [edited by: wingman at 3:36 PM (GMT -8) on 27 Nov 2021]
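Added illustration, not code from the thread or from Sophos: a minimal PAC file of the kind the original poster describes, steering only http/https to the XG's explicit proxy on port 3128 and everything else DIRECT; the proxy address 10.1.0.1 is a placeholder. The comments record why traffic sent this way is decrypted by the web proxy rather than the DPI engine, which fits the SSL/TLS inspection log staying empty until the XG became the clients' default gateway.

```javascript
// Constructed example PAC file; 10.1.0.1:3128 is a placeholder proxy address,
// not a value taken from the thread.
var SOPHOS_PROXY = "PROXY 10.1.0.1:3128";

// Plain hostnames and the internal 10.x range never leave the LAN, so they
// bypass the proxy. Defined locally so the file also runs outside a browser,
// where the built-in PAC helpers (isPlainHostName etc.) do not exist.
function isInternal(host) {
  return host.indexOf(".") === -1 || host.indexOf("10.") === 0;
}

// Only HTTP/HTTPS is sent to the explicit proxy on port 3128. Connections
// that arrive at the XG this way are terminated and decrypted by the web
// proxy and appear in the web filter log; the SSL/TLS inspection log only
// covers flows the DPI engine sees as the gateway, so a client using this
// PAC produces no SSL/TLS inspection entries even though decryption works.
function FindProxyForURL(url, host) {
  if (isInternal(host)) {
    return "DIRECT";
  }
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (scheme === "http" || scheme === "https") {
    return SOPHOS_PROXY;
  }
  return "DIRECT";
}
```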