How configure SSL/TLS inspection settings for smartphone apps

Question

Hello there. I am using XG firewall home edition in my house. Some of the iOS apps are not available with SSL/TLS inspection enabled. When disabled, they can be used. 
 I checked LogViewer and in some cases it is Error and in other cases it is not Error. I am checking LogViewer and iOS apps one by one. If necessary, I add them to the Local TLS exclusion list. 
 But this is hard work. And I want to respect the children's privacy, so we would like to keep LogViewer checks to a minimum. 
 How do you configure SSL/TLS inspection settings for mobile devices? 
 
 Regards, 
 
 XG135 
 HomeEdition(SFOS 19.0.1 MR-1-Build365)

LHerzog · Accepted Answer

Android Smartphones will not work well with decrypting Proxy. 
 Even if you install the Proxy CA certificate on the phone, many system and 3rd party apps will not trust certificates in the user store. you cannot add CAs to the system store. 
 Apps like firefox allow you to install a custom certificate but many apps will not allow that or no not have an option for that. 
 You will need to disable decryption for smart phones to work correctly.

LHerzog · Answer

i'tll probably work if you set tls profile decryption to disabled and only scan for the SNI (visited URL). you'll not be able to scan for malware then but still can allow or deny categoies of websites. 
 if you need decryption to scan the whole traffic, you'd need to apply manual exceptions for all apps they use. if you decide they use firefox or an other browser for normal sufing, then you can install your XG cert into the browser and can decrypt the whole traffic of that app on your firewall. all other apps of course, will have issues unless you whitelist their traffic for do-not-decrypt.

Vivek Jagad · Answer

Hello Naoki_I , Thank you for reaching out to the community, I would agree with rfcat_vk suggestion. > Under the FW rules for LAN to WAN enable the option "Use web proxy instead of DPI engine" under the Security Features. Ensure a web policy is applied before enabling the option. > Install the SSL CA Certificate, you can find the guide here - https://support.sophos.com/support/s/article/KB-000035645?language=en_US > Also ensure the following option is also enabled "Scan HTTP and decrypted HTTPS" > Please find the FAQ for - HTTPS decrypt and scan here - https://support.sophos.com/support/s/article/KB-000038420?language=en_US

How configure SSL/TLS inspection settings for smartphone apps

Top Replies