SSL/TLS inspection

Hi All

I am facing a strange error whereby there are no logs in the SSL/TLS inspection even though SSL inspection is enabled and Sophos is MitM-ing the TLS traffic. SSL traffic is successfully decrypted on the end client using a custom CA. Logging is enabled in the decryption rules, but there is nothing in the log viewer.

Thanks



Added TAGs
[edited by: emmosophos at 5:01 PM (GMT -8) on 26 Nov 2021]
  • The firewall rule that you show - the "use web proxy instead of DPI engine" setting - applies to port 80/443 traffic (e.g. transparent mode).  If you are using standard/direct mode on port 3128 then it will always use the proxy (even if the box is unchecked).  Click on the (i) icon in the firewall rule for more information; also see community.sophos.com/.../sophos-xg-firewall-v18-xstream---the-new-dpi-engine-for-web-proxy-explained


    If using the proxy, the checkbox "Decrypt HTTPS during web proxy filtering" takes effect.  There is nothing logged to the Log Viewer TLS log.

    If using DPI mode, the decryption is controlled by the SSL/TLS tab.  HTTPS traffic is logged to the Log Viewer TLS log.


    The policy tester will accurately show what is configured for transparent mode traffic.  There is no way to indicate on the tester that you are using direct mode, so it might not be as accurate.
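A client-side check for the distinction made in the reply above, added here as an illustration (not Sophos code): it probes one HTTPS host either through the explicit proxy on port 3128 or transparently, trusting only the firewall's inspection CA, so the handshake succeeds exactly when that path is being decrypted, and then states what the reply says to expect in the TLS log. The CA file path, proxy address and host name are placeholders to replace.

```python
import socket
import ssl
from typing import Optional, Tuple

CUSTOM_CA_PEM = "/path/to/firewall-inspection-ca.pem"  # assumption: the CA pushed to clients

def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT request a client sends to an explicit proxy (standard/direct mode)."""
    return f"CONNECT {host}:{port} HTTP/1.1\r\nHost: {host}:{port}\r\n\r\n".encode()

def connect_accepted(status: bytes) -> bool:
    """True when the proxy's first response line is a 2xx (tunnel established)."""
    parts = status.split(b"\r\n", 1)[0].split(b" ", 2)
    return len(parts) >= 2 and parts[0].startswith(b"HTTP/1.") and parts[1].startswith(b"2")

def decrypted_by_firewall(sock: socket.socket, host: str, ca_pem: str) -> bool:
    """Trust ONLY the inspection CA: the handshake verifies exactly when the firewall
    re-signed the server certificate, i.e. this path is being decrypted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)   # CERT_REQUIRED + hostname check by default
    ctx.load_verify_locations(cafile=ca_pem)
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            tls.getpeercert()
        return True
    except ssl.SSLCertVerificationError:
        return False

def probe(host: str, proxy: Optional[Tuple[str, int]], ca_pem: str = CUSTOM_CA_PEM,
          timeout: float = 5.0) -> bool:
    """Probe via the explicit proxy (proxy=("10.0.0.1", 3128)) or transparently (proxy=None)."""
    if proxy:
        sock = socket.create_connection(proxy, timeout=timeout)
        sock.sendall(build_connect_request(host, 443))
        if not connect_accepted(sock.recv(4096)):
            sock.close()
            raise ConnectionError("proxy refused CONNECT")
    else:
        sock = socket.create_connection((host, 443), timeout=timeout)
    return decrypted_by_firewall(sock, host, ca_pem)

def expected_in_tls_log(explicit_proxy: bool, decrypted: bool) -> str:
    """What the reply above says to expect in Log Viewer > TLS for each path."""
    if not decrypted:
        return "not decrypted on this path; nothing to log"
    if explicit_proxy:
        return "decrypted by the web proxy (port 3128 always uses it); not written to the TLS log"
    return ("decrypted on the transparent path; logged to the TLS log only if the firewall "
            "rule uses the DPI engine rather than the web proxy")

if __name__ == "__main__":
    for label, proxy in (("explicit proxy", ("10.0.0.1", 3128)), ("transparent", None)):
        dec = probe("example.com", proxy)   # placeholder host and proxy address
        print(f"{label}: {expected_in_tls_log(proxy is not None, dec)}")
```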
