I am looking for some advice around the best practice for Web Filtering for a BYOD network.
We have a separate network setup on our XG for residents who connect their own devices, which are mainly mobile devices. We have a firewall rule created to allow this dedicated zone out on the internet, and in this rule I want to set up Web Filtering. I have created a Web Policy which includes a large number of categories to block, but I am unsure which of the other settings under this feature to enable or disable. These settings are shown as:
Web Policy:
- Apply web category-based traffic shaping (currently disabled)
- Block QUIC protocol (currently enabled)
Malware and content scanning:
- Scan HTTP and decrypt HTTPS (currently disabled)
- Use zero-day protection (currently disabled)
- Scan FTP for malware (currently enabled)
Filtering common web ports:
- Use web proxy instead of DPI engine (currently enabled)
Web Proxy Options:
- Decrypt HTTPS during web proxy filtering (currently disabled)
I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly.
On the same XG we do have a corporate network which is set up against a different firewall rule, and I plan to set up SSL and TLS inspection against this.
With the testing I have done on the residents network I have found internet browsing to be slow, which may be down to the number of categories I have selected. As this is a residents network I need to make sure a solid level of protection is in place, and I would like secure sites to be scanned as most sites have a certificate in place.
Any guidance would be greatly appreciated.
Many thanks, Dan
Daniel Hargrove said: I have SSL / TLS Inspection enabled but I read somewhere about a certificate being needed to allow this to work correctly.
You cannot do TLS Inspection with a BYOD network, since it's necessary to have the certificate authority installed on each device. (But the DPI engine is still capable of doing web filtering with just the certificate information.)
On the current settings, I recommend you change:
Daniel Hargrove said: Scan HTTP and decrypt HTTPS (currently disabled) Use zero-day protection (currently disabled)
Enable both of those options; even if it can't scan HTTPS traffic, plain-text HTTP traffic will still be scanned. (For the Zero-Day protection, be sure you have a valid license before enabling it; a warning should appear if you don't have it.)
Daniel Hargrove said: Filtering common web ports Use web proxy instead of DPI engine (currently enabled)
Disable this option to use the DPI engine; currently the DPI engine is better (secure) and faster than the old web proxy. (This could be the reason why internet browsing is slow.)
Lastly, depending on the scenario, it's recommended to enable QoS for the BYOD Network.
If a post solves your question use the 'Verify Answer' link.
XG 115w Rev.3 v19 GA @ Home.
Many thanks for your detailed response. I will look to test with the recommendations you outlined above.
I assume with the inability to scan and decrypt HTTPS that the SafeSearch functionality will not work without this. Is this correct?
Hi, just another thought - if I enable Scan HTTP and decrypt HTTPS on the BYOD network, will this cause errors if the Sophos Cert is not installed?
Not sure about all the details, but if it is attempting to decrypt TLS -- which will cause errors for users when their browsers see the firewall's certificates -- you can always turn that part off by setting up a TLS rule to not decrypt traffic on the BYOD zone.
Daniel Hargrove said: If I enable Scan HTTP and decrypt HTTPS on the BYOD network will this cause errors if the Sophos Cert is not installed?
No, the DPI engine is only capable of scanning plain-text HTTP traffic without TLS Decryption. (It won't give errors for the user if it's HTTP.)
The user will only get a certificate error if the website they accessed over HTTPS is being blocked through a web policy. (They will get a certificate error at first because the Firewall will try to redirect the user to a warning page, and in order to do this it needs to MITM (decrypt) the HTTPS connection.)
Daniel Hargrove said: I assume with the inability to scan and decrypt HTTPS that the SafeSearch functionality will not work without this. Is this correct?
The SafeSearch function is currently only available through the Web Proxy, but you can create a separate Firewall Rule just for this function.
(You can do this by creating another Firewall Rule on top of the current one with the "SafeSearch" FQDN Group as the "Destination Networks", then enable the Web Proxy for the same Rule and use a Web Policy that has the "Enforce SafeSearch" function enabled.)
There are three things (at least in V19) that work together to cause TLS decryption, correct? One would be the checkbox in the Firewall Rule (Scan HTTP and decrypt HTTPS). This does not, by itself, cause TLS decryption. Then there is the SSL/TLS Inspection Rules tab, which (in v19) has a master on/off switch. Then there are the rules themselves.
I think if no SSL/TLS Decryption rule applies, it falls off the end and does no decryption. So given that the OP didn't create a broad "decrypt it" rule in SSL/TLS Inspection Rules, it will drop off the end and so won't decrypt even though they checked the box in the Firewall rule.
So there should be a hover-over "I" on the Firewall Rule checkbox next to "decrypt HTTPS" that says, "If an SSL/TLS Decryption rule would cause encryption". Is that right?
If you don't use the Web Proxy, then you're only able to trigger a TLS Decryption with a custom policy over the SSL/TLS Inspections Tab.
Wayne Folta said: I think if no rule applies, it falls off the end and does no decryption.
Wayne Folta said: So there should be a hover-over "I" on the Firewall Rule checkbox next to "decrypt HTTPS" that says, "If an SSL/TLS Decryption rule would cause encryption". Is that right?
The "Scan HTTP and Decrypted HTTPS" naming sounds weird, to be honest; since the DPI engine can send web traffic from all ports to be scanned, shouldn't this be called "Scan Web(HTTP)-based Traffic" or something like that?
The same applies to "Filtering common web ports": the naming sounds as if I need to enable it (the Web Proxy) in order to get web filtering.
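The decision logic the last few posts describe (checkbox in the firewall rule, master switch on the SSL/TLS inspection tab, then the inspection rules themselves, with no decryption if nothing matches, plus the separate case where a blocked HTTPS site is intercepted to show the block page) is easy to get wrong in your head, so here it is written out as a small model. This is an added illustration for this thread, not Sophos code: the rule fields (source zone, category match), first-match evaluation and the sample configuration are simplified assumptions, and the outcomes follow what the posters stated rather than a vendor specification.

```python
"""Model of when an XG firewall rule results in TLS decryption, as the
thread describes it: the 'Scan HTTP and decrypt HTTPS' checkbox does
nothing by itself; the SSL/TLS inspection master switch must be on and an
inspection rule with a 'Decrypt' action must match, otherwise the
connection falls off the end of the list and is not decrypted. Blocking an
HTTPS site through the web policy is modelled separately, because the block
page is delivered by intercepting the connection regardless of the rules.

Added illustration for this thread, not Sophos code. Rule fields (zones,
category match) and first-match evaluation are simplified assumptions."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple


@dataclass(frozen=True)
class FirewallRule:
    name: str
    scan_http_decrypt_https: bool        # the checkbox inside the firewall rule


@dataclass(frozen=True)
class InspectionRule:
    name: str
    source_zones: frozenset              # zones this rule applies to
    action: str                          # "decrypt" or "do_not_decrypt"
    categories: Optional[frozenset] = None   # None = any web category


@dataclass(frozen=True)
class Connection:
    source_zone: str
    https: bool
    category: str


def decryption_decision(conn: Connection, fw_rule: FirewallRule,
                        inspection_enabled: bool,
                        rules: Sequence[InspectionRule]) -> Tuple[bool, str]:
    """Return (decrypt?, reason) for one connection."""
    if not conn.https:
        return False, "plain HTTP: scanned in the clear, nothing to decrypt"
    if not fw_rule.scan_http_decrypt_https:
        return False, "firewall rule checkbox is off"
    if not inspection_enabled:
        return False, "SSL/TLS inspection master switch is off"
    for rule in rules:                   # first matching rule wins (assumption)
        if conn.source_zone not in rule.source_zones:
            continue
        if rule.categories is not None and conn.category not in rule.categories:
            continue
        return rule.action == "decrypt", f"matched rule '{rule.name}' ({rule.action})"
    return False, "no inspection rule matched: falls off the end, not decrypted"


def user_experience(conn: Connection, fw_rule: FirewallRule,
                    inspection_enabled: bool, rules: Sequence[InspectionRule],
                    blocked_categories: frozenset, ca_installed: bool) -> str:
    """What the person holding the device sees, following the thread's reasoning."""
    decrypt, _ = decryption_decision(conn, fw_rule, inspection_enabled, rules)
    if conn.category in blocked_categories:
        if conn.https and not ca_installed:
            # serving the block page means intercepting the TLS session,
            # which a device without the firewall CA will not trust
            return "blocked: certificate warning, block page not trusted"
        return "blocked: block page shown"
    if decrypt and not ca_installed:
        return "allowed: certificate warning on every HTTPS site"
    return "allowed: no warning"


# Constructed sample configuration (not the poster's actual firewall)
BYOD_RULE = FirewallRule("BYOD to WAN", scan_http_decrypt_https=True)
CORP_RULE = FirewallRule("Corporate to WAN", scan_http_decrypt_https=True)
INSPECTION = (
    InspectionRule("Keep BYOD untouched", frozenset({"BYOD"}), "do_not_decrypt"),
    InspectionRule("Decrypt corporate web", frozenset({"LAN"}), "decrypt"),
)
BLOCKED = frozenset({"Adult", "Malware"})


def scenario(zone: str, https: bool, category: str,
             rules: Sequence[InspectionRule] = INSPECTION,
             inspection_enabled: bool = True,
             ca_installed: bool = False) -> Tuple[bool, str, str]:
    """Evaluate one connection under the sample configuration."""
    conn = Connection(zone, https, category)
    fw = BYOD_RULE if zone == "BYOD" else CORP_RULE
    decrypt, reason = decryption_decision(conn, fw, inspection_enabled, rules)
    seen = user_experience(conn, fw, inspection_enabled, rules, BLOCKED, ca_installed)
    return decrypt, reason, seen


if __name__ == "__main__":
    print("BYOD, explicit do-not-decrypt rule:", scenario("BYOD", True, "News"))
    print("BYOD, no inspection rules at all:  ", scenario("BYOD", True, "News", rules=()))
    print("BYOD, blocked HTTPS category:      ", scenario("BYOD", True, "Adult"))
    print("Corporate, CA installed:           ",
          scenario("LAN", True, "News", ca_installed=True))
```

Running it shows the two BYOD outcomes Wayne and the responder argue about are the same in practice (the explicit "do not decrypt" rule and an empty rule list both end with no decryption and no warning), while the blocked-category case still produces the certificate warning described earlier in the thread because the block page needs the interception.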
Actually not entirely correct. You can use the DNS Workaround provided by Google. https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/116641/safesearch---enforcement-when-using-the-dpi-engine
This should be possible with BYOD as well.
The DNS workaround doesn't work if the user uses DNS over HTTPS/TLS.