Web Proxy Decryption Broken? SSL/TLS Inspection seems OK

I'd like to use the web proxy to decrypt HTTP/S and enforce safe search, so I created a rule for specific LAN clients and HTTP / HTTPS services to apply the web policy and enable proxy with decryption. Sophos SSL CA is installed and trusted. Web > General Settings is using this cert.

At this point all HTTPS traffic (on MBP running Catalina) is blocked. macOS reports the site as insecure and stops access.

So I disable proxy and decrypt in the firewall rule and move over to SSL/TLS Inspection. Here I've added a rule for LAN to WAN (same client group as above), Any website / service, decrypt with maximum compatibility.

When I browse to any page, it works, and when I check the certificate, it shows as trusted with the Root CA being the Sophos SSL CA.

It seems that the Sophos SSL CA is not working as expected on the proxy section but does work correctly on the SSL/TLS Inspection page.

Is this a known issue?

EDIT: After going through the v18 intro / training, I've decided to update my rules. While it seems I should be able to do both proxy and DPI based on my rule configuration, I updated my web filter rules to exclude SafeSearch, which pushes everything back to DPI. SSL/TLS Inspection is set to decrypt for the devices I can install certs on, and I'm using DNS to enforce SafeSearch.

I'm really liking v18.
