Important note about SSL VPN compatibility for 20.0 MR1 with EoL SFOS versions and UTM9 OS. Learn more in the release notes.

TLS Inspection Rules

Issue Summary: Slow Speed test SSL/TLS Inspection

Summary of Call Discussion:

  • Traffic for the test system (172.xxx.xx.8) was passing through rule ID #2.
  • We observed a speed of 36 Mbps with the SSL/TLS inspection rule enabled.
  • After disabling the rule, the speed increased to 216 Mbps.
  • It appears that a custom SSL/TLS rule was created for LAN to WAN traffic with the action set to "decrypt."
  • We changed the action to "don't decrypt," and now the speed has increased to 221 Mbps.
  • Note that, based on your custom policy, the firewall will still block insecure SSL connections and protect the LAN network.
  • The issue is resolved.

Below shows Don't decrypt on all rules as recommended by support:

It has been one day since the change was made and now control center shows: 

      

Am I missing an inspection rule?  It would seem that the XG115 is no longer inspecting any encrypted traffic.



Added Firmware tag from case
[edited by: Erick Jan at 4:35 AM (GMT -7) on 17 Oct 2024]
Parents
  • Hello Jason M,
    yes, you are right, there must be an SSL inspection rule with the action "decrypt". Otherwise, SSL is checked but not decrypted.

    According to the data sheet, a maximum of 130 MBit SSL decryption is possible with the XG115... under ideal conditions (possible, without other features)
    So the shown performance may be ok.

    Full disabling the decryption should not be the solution, because the antivirus can't scan the content anymore.


    Dirk

    Systema Gesellschaft für angewandte Datentechnik mbH  // Sophos Platinum Partner
    Sophos Solution Partner since 2003
    If a post solves your question, click the 'Verify Answer' link at this post.

  • dirkkotte,

    yes, you are right.

    Since my default LAN to WAN firewall rule includes ports 80, 443, & 8080(http-alternate used for speedtest.net).  I changed my "Catch all SSL rule" back to decrypt and for ports 80 & 443 only.  Now the speedtest looks good on 8080 with 500 Mbps down & 36 Mbps up.  I feel better knowing that http & https are being decrypted and scanned for malware. 

    I found the "Recommended Reads"  Sophos Firewall v18: XStream - the new DPI Engine for web proxy explained 

    Screenshot from that article:

Reply Children
No Data