SSL/TLS Inspection Rules: Decryption profile required when action is "Do not decrypt"?

Just noticed when I'm creating a SSL/TLS inspection rule where the 'Action' is set to 'Do not decrypt', I still have to select a 'Decryption profile'. What's the purpose of the decryption profile if the rule is not decrypting?


  • The DPI engine has the ability to enforce many TLS and Certificate checks even if it is not decrypting.

    For example, you could enforce that a connection must be TLS 1.2 or better, but also do not decrypt.

    This is an added feature of the DPI mode that is not available in the traditional web proxy, which can only enforce if it is decrypting.

  • Appreciate the explanation. While it makes sense that the DPI engine is still able to perform other functions, it just seems weird you need to specify a "decryption profile", if it's not actually decrypting.


    Sophos XG guides for home users:

  • Hi Shred,

    The question arises why are you using SSL/TLS (DPI) if you are not decrypting the packets through that rule?


    V18.0.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    3 AP55s and 2 APX120s having a holiday until software update is released.
    If a post solves your question use the 'This helped me' link.
  • I have a rule I use to temporarily bypass decrypting traffic. Regardless, the use case doesn't matter. There's an option to select the action "Do not decrypt" so I'm assuming this is an intentional/intended functionality of SSL/TLS Inspection Rules. Michael Dunn's post explains my original question. All I'm suggesting is how it's labeled isn't the most clear/logical. It's minor though so I'm not overly concerned.


    Sophos XG guides for home users: