

Can someone explain SSL/TLS inspection rules vs. Web Exceptions?

Explain like I'm 5 (maybe a 5 year old is smarter at this point, who knows)...

We have SSL/TLS inspection rules under "Rules and policies." One of these rules is the built-in "Exclusions by Website," which references both a Local and a Managed TLS exclusion list. Makes sense.

Then we have Exceptions under "Web," where we can also exempt URLs from HTTPS decryption.

How do these two work together? If I have a Web Exception for www.google.com, and www.google.com is also in the Local TLS exclusion list, is that essentially the same thing?

Thanks,

Casey



  • It's my impression that the Web->Exceptions is a high-level list for really global control that can override many different steps of the firewall processing in one place, using wildcard expressions. Mainly meant for global-ish sites like Apple, Microsoft, your corporate site, key utility/security software sites.

    The SSL/TLS inspection rules look for exact matches of host or domain, and only affect that aspect. So more specific to the TLS system itself (and you can turn off all TLS decryption entirely from that page.)

    You can also turn off or on TLS inspection per firewall rule, so I envision the control hierarchy as (in order): if the firewall rule says yes and the TLS Policy says yes (and TLS is turned on globally), and the Exceptions don't say No: do it. Otherwise, if any point along the way says "no", don't do it.


  • That's as reasonable as I have seen, but I find it odd that it isn't spelled out anywhere. Even chat support didn't seem to really know.

  • Essentially one is the service, the other one is the entire Engine.

    So: DPI Exceptions means we are not "touching" the decryption.

    Web Exception means, if we touched the traffic and forwarded it to the Proxy, the proxy will not do "something" on it.

  • And it's just my impression for how it must work. I think it's not really an issue in the sense that each location makes sense for a specific use case.

    Firewall rules are the overall permission givers so you can specify which traffic has permissions and that traffic on that flow either is (with exceptions) or is not decrypted. Here's where you might decide that certain kinds of traffic -- say streaming video -- makes no sense to decrypt or is too much of a processing hog to be worth it. (And you also decide things like what QoS applies, which is related.)

    The TLS Profile Rules has the master switch which can turn TLS decryption on or off globally, for debugging/testing. The rules themselves include things like the two TLS exception lists: one curated by Sophos and one by you. For things like particular organizations/sites that are extra-strict and don't allow MitM and hence break under TLS decryption, mainly.

    The Web Exception list gives you more flexibility in terms of names (wildcarding) and also gives you control over more steps in processing than just TLS. For more fundamental exceptioning of stuff like OS updates, etc.

    At least that's how I imagine it.

    Lucas says, below, that it has to do with the DPI engine (new-school) versus proxy (old-school) and I'd take his word over mine, which means my conception of the Web - Exception is flawed and if you're not using the proxy (sort of obsolete now) it doesn't matter. I use DPI engine only and that's one of the reasons to get an XGS appliance, I think.

  • Currently DPI (SSL/TLS) does not handle UDP traffic, whereas the proxy does (sometimes).

    Ian

    XG115W - v20.0.3 MR-3 - Home

    XG on VM 8 - v21 GA


  • I found this:

    Sophos Firewall v18: XStream - the new DPI Engine for web proxy explained

    Which indicates that DPI (I'm using DPI) works with both Web Exception and SSL/TLS inspection rules. Looks like it considers both? Not sure what happens if they conflict.

    From the link:

    How to exclude a site from HTTPS decryption

    Go to Web > Exceptions and create an exception.
    Set URL pattern match to be the website FQDN. This is RegEx; see existing entries for proper syntax.
    Select skip HTTPS decryption.
    Create a web exception (as in web proxy mode).

    -OR-

    Go to URL Groups and edit the Local TLS exclusion list.
    Add the domain name. This is plaintext, not RegEx.
    Make sure the default SSL/TLS inspection rule "Exclusions by website" is enabled.

    -OR-

    Create an SSL/TLS inspection rule that is set to action "Do not decrypt". Create your own URL group or custom category and use it in the rule.
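The following is an added illustration, not code from Sophos or from anyone in this thread. It models the two points the replies make: a Web exception is a regular expression matched against host and path, while the Local TLS exclusion list is plain domain text, and decryption happens only when the global switch, the firewall rule, the SSL/TLS inspection rules and the exceptions all say "yes". The exception patterns, the exclusion entries and the flows are constructed sample data; the regex style, the treatment of a listed domain as also covering its subdomains, and the evaluation order are assumptions made for the model, not a description of the firewall's internals.

```python
import re
from dataclasses import dataclass

# Constructed sample lists (not taken from any real Sophos configuration).
# Web > Exceptions entries are regular expressions matched against "host/path"
# with the scheme stripped; the pattern style here is an assumption.
WEB_EXCEPTIONS_SKIP_DECRYPT = [
    r"^([A-Za-z0-9.-]*\.)?apple\.com/",
    r"^([A-Za-z0-9.-]*\.)?update\.microsoft\.com/",
]
# The Local TLS exclusion list holds plain domain names, not regexes.
LOCAL_TLS_EXCLUSIONS = ["www.google.com", "bank.example"]


@dataclass
class Flow:
    """One HTTPS connection as seen by the firewall (constructed input)."""
    host: str
    path: str = "/"
    firewall_rule_decrypt: bool = True   # per-firewall-rule TLS inspection switch
    tls_policy_decrypt: bool = True      # outcome of your own SSL/TLS inspection rules


def web_exception_matches(host: str, path: str) -> bool:
    """Regex match of a Web exception against 'host/path' (scheme stripped)."""
    url = f"{host.lower()}{path}"
    return any(re.search(pattern, url) for pattern in WEB_EXCEPTIONS_SKIP_DECRYPT)


def tls_exclusion_matches(host: str, exclusions=LOCAL_TLS_EXCLUSIONS) -> bool:
    """Plain-text match: the host itself, or a subdomain of a listed domain.

    Assumption: 'exact match of host or domain' means a listed domain also
    covers its subdomains, while a listed host covers only that host.
    """
    h = host.lower()
    return any(h == entry or h.endswith("." + entry) for entry in exclusions)


def decide(flow: Flow, tls_enabled_globally: bool = True):
    """Return (decrypt, reasons). Decryption happens only when nothing says 'no'."""
    reasons = []
    if not tls_enabled_globally:
        reasons.append("global TLS inspection switch is off")
    if not flow.firewall_rule_decrypt:
        reasons.append("firewall rule has TLS inspection disabled")
    if not flow.tls_policy_decrypt:
        reasons.append("an SSL/TLS inspection rule chose 'Do not decrypt'")
    if tls_exclusion_matches(flow.host):
        reasons.append("host is in the Local TLS exclusion list ('Exclusions by website')")
    if web_exception_matches(flow.host, flow.path):
        reasons.append("a Web exception with 'skip HTTPS decryption' matched")
    return (not reasons, reasons)


if __name__ == "__main__":
    samples = (
        Flow("www.google.com"),                 # exact host in the TLS exclusion list
        Flow("mail.google.com"),                # sibling host: not covered by that entry
        Flow("swdist.apple.com", "/content"),   # caught by the regex Web exception
        Flow("apple.com.evil.test"),            # regex needs "apple.com/" so this is not skipped
    )
    for f in samples:
        decrypt, why = decide(f)
        print(f"{f.host:<22} decrypt={decrypt} {why}")
```

For the exact host in the original question (www.google.com) either list alone is enough to skip decryption in this model, so the two entries are redundant for that name. They stop being equivalent as soon as subdomains are involved: the plain-text entry covers only what is spelled out, while the regex pattern covers every subdomain, and a pattern without the trailing "/" would also match look-alike hosts such as apple.com.evil.test, which is why the quoted article tells you to copy the syntax of the existing entries.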