Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

SSL/TLS inspection

Hi All

I am facing a strange error whereby there are no logs in the SSL/TLS inspection even though it SSL inspection is enabled and sophos is MiM the tls traffic. SSL Traffic is sucesfully decrypted on the end client using a custom CA. Logging in enabled in the Decyrption rules but there is nothing is the log viewer

Thanks



This thread was automatically locked due to age.
Parents
  • According to your ssl/tls rule there isn't any traffic being passed through it.

    What does the firewall rule show for traffic passing through it?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • All traffic goes from Internal network to Sophos  so I am using the LAN to LAN rule (Intenal hosts are using sophos via the pac file). The raffic is decrypted as part of the firewall rule as I can see my custom cert as well as decrypted traffic

Reply
  • All traffic goes from Internal network to Sophos  so I am using the LAN to LAN rule (Intenal hosts are using sophos via the pac file). The raffic is decrypted as part of the firewall rule as I can see my custom cert as well as decrypted traffic

Children
  • Hi,

    that didn’t answer my question, what does the firewall rule show for traffic? Also I assume all traffic is routes via a switch which is possibly bypassing the XG interfaces!
    ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Not sure if that helps but Traffic from internal client is going to the proxy (port3128 ) and then proxy is initiating connection to port 80/443. I can't see any internal network treaffic (except sophos) reching out directlty to the websites on http/https

    Running the policy test for HTTPS traffic seems that traffic is intercepted but "proxy not in use"




    [edited by: wingman at 9:37 AM (GMT -8) on 26 Nov 2021]
  • Hi,

    when you look at a firewall rule in the list is shows the traffic passed through that rule, that is what I am after.

    Best if you provide a simple diagram of your network to help identify traffic flows.

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • 10.1.0.84 ---- router/FW---- ISP modem---- Internet for all traffic except for port 443/80 that is going through the sophos appliance (settings below for the safari broswer)

    In the firewall settings,  traffic from 10.1.0.84 to external IPs on port 443/80 is blocked and there is a seperate rule to allow traffic from the sophos appliance to the internet on the said ports

    Traffic seems to be correctly inspected as I can see the full URI of the encrypted traffic

  • Hi,

    that is not an XG configuration screen, that looks more like a PC type screen.

    You have still not provided the information I asked for about the XG firewall rules.

    As well you are not using the proxy,, the proxy box is not ticked..

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Indeed the picture is from a broswer as mentioned on the post above. This is the only firewall rule enabled which corresponds to the firewall logs provided earlier

    I have also enabled the "web proxy" option instead of DPI and this is the result of the policy test

  • So, you don't have a switch between your PC and the XG? So how do the other devices that you are trying to communicate with connect the XG?

    Ian

    XG115W - v20.0.2 MR-2 - Home

    XG on VM 8 - v21 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Changed the default gateway on the DHCP server to be the sophos appliance and traffic is now decrypted. All web traffic is still going through the firewall rules as before




    [edited by: wingman at 3:36 PM (GMT -8) on 27 Nov 2021]