XG v18 EAP2 PRX / DPI FLAG not alight on the Firewall rules page??

Can anyone help me out with my v18 EAP2 DPI HTTP & HTTPS decrypt and scan? I've followed the guide that has the table with the Web proxy & DPI engine setups on, and I've got the HTTPS decryption running, as it's registering on the Control Centre, but I've not been able to get the PRX flag on the Firewall rules to light up, which it should be doing if it's using the DPI engine and not the web proxy. I've not been able to get that flag to light back up since I noticed it the other day but since lost it??

Also, with the DPI web engine on, should I still be using an SSL/TLS rule, or should the DPI engine work with only the default 2 that are originally there? I've had to set up a rule with the same source and targets as the Firewall rule I'm using for the CC to show decrypt & scanning running. With those SSL rules set up, will HTTPS traffic still be re-encrypted on the client side of XG once DPI has done its scanning?

I realise this is all still rather new, but I've been trying to make use of the available documentation for EAP2 and I'm still not sure I've got my DPI engine set up right, because I'm not seeing that PRX flag.

Thanks in advance!

  • I was a little confused about this as well, but the PRX will be highlighted when you are using the web proxy. When you’re using the DPI engine, it will not be highlighted and the text next to it says “Use DPI engine”. Again, I think it’s a bit confusing, as it doesn’t follow the logic of the other icons. It would really be more clear if there was a separate one labeled DPI and, when the web proxy is not used, it said “Disabled” or “—” next to PRX (same logic the other icons use).

    ---

    Sophos XG guides for home users: https://shred086.wordpress.com/

  • OK, thanks for clearing that up for me, but yeah, it would be nice to have a separate DPI flag then.

    With the DPI engine I should be using an additional SSL / TLS inspection rule then, yes? Is that needed for the DPI HTTPS decrypt and scan then?? That's also confusing, as some articles are saying that to start without one of those then the EAP2 stuff does now mention an SSL / TLS rule, but is that required for that to work for DPI and not needed if you're using the old Web proxy method?? Is that right?

    Sorry, I've got to add to this again: are Firewall rule exclusions needed? Is that a must, or can it be either with or without?

    Thanks again,

    JK