[FEEDBACK] SSL Decryption

Hello Sophos Community,

Firmware ver. 18 is coming.

Ill open up this topic because I would like to lean/find-out what a best practice is to setup SSL Inspection Rules with X-Stream DPI Engine.

Right now the test viruses over https get blocked at the firewall without triggering my Anit-Virus. (Nice)

All other Application Run atm:

- Epic-Launcher
- Discord
- Steam
- Netflix (Browser-Edge[Chromium])
Excluded over Live-Log
- SteamChat
- SteamDownloads (akamai)
- Netflix Video Delivery (nflxvideo)

Best regards
Eli.

Parents

0 LuCar Toni over 4 years ago

Your Rule 4 should not get any traffic, because Rule 3 will pick up everything.

You need to edit the HTTPs Profile to block unwanted SSL Stuff.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 Eli over 4 years ago in reply to LuCar Toni

Hello LuCar Toni

that is true Rule 4 does nothing.

Should I switch the rule priority? Example Rule 4 with Rule 3?

My goal is that it can decrypt ssl traffic and sort out bad/old standards and block those. Plus the added ability that the AV-Engine detects Viruses that are inside the SSL Tunnel. ;)

Best regards

Eli.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel
0 LuCar Toni over 4 years ago in reply to Eli

SSLx follows the first match process in finding a Rule.

The matching criteria are all those fields in the rule.

For example:

Rule 3 One Client

Rule 4 The Client Network

Rule 3 will hit for traffic coming from your Client.

Rule 4 will hit for every traffic coming from your client network, but not for the Client, because this traffic is already matching with Rule 3.

In the Decryption Profile, you can block all unwanted stuff, if needed.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Reply

0 LuCar Toni over 4 years ago in reply to Eli

SSLx follows the first match process in finding a Rule.

The matching criteria are all those fields in the rule.

For example:

Rule 3 One Client

Rule 4 The Client Network

Rule 3 will hit for traffic coming from your Client.

Rule 4 will hit for every traffic coming from your client network, but not for the Client, because this traffic is already matching with Rule 3.

In the Decryption Profile, you can block all unwanted stuff, if needed.

__________________________________________________________________________________________________________________
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Reject Answer

Cancel

Children

0 Eli over 4 years ago in reply to LuCar Toni

Hi LuCar Toni

what I did now is switched position of Rule 4 with Rule 3 and now the DPI engine takes consideration of Rule 1 and have better performance since it does not decrypt everything.

So what I do now is delete Rule 3 and done?!

Sincerely

Eli.
Cancel
Vote Up 0 Vote Down

Sign in to reply

Verify Answer

Cancel