Since version 18, Sophos Firewall has been able to do port-agnostic SSL/TLS decryption and web filtering. This extends our inspection for web threats beyond ports 80 and 443. We've used this ability to release IPS signatures that can detect some HTTP attacks in decrypted traffic on any port.
In version 19, we've introduced a feature that will apply a broader range of web-related IPS signatures to decrypted TLS traffic, regardless of the port. Overall this provides a significant enhancement in our ability to protect against attacks that may try to circumvent regular IPS protection.
The feature is not enabled by default yet. We would really like to get some more exposure to a wider range of situations and traffic.
If you're using EAP2 and TLS decryption, it would be great if you could turn this feature on. Here's how to do it:
console> set ips scan_decrypted_port_agnostic on
Enabling this feature may lead to an increase in the number of IPS signature events on your Firewall. Each firewall sends telemetry to SophosLabs when IPS signatures fire, enabling us to respond to potential false positives very quickly and update signature sets.
You can disable this feature again if necessary with the following command:
console> set ips scan_decrypted_port_agnostic off
Thanks for your help! Please feel free to tell us about your experiences in responses to this post.
Done. Memory use has increased by about 2% and CPU is sitting around 20% on an XG115W rev3.
Will try adding some SSL/TLS rules to replace firewall rules later today to see if there is any effect on performance.
Ian
XG115W - v19.5 GA - Home
Test machine - Asus P10S-i E3-1225v5, 6 GB, 4 Intel NICs, v19.5 GA
If a post solves your question please use the 'Verify Answer' button.
OK, I will give it a try.
Enabled set ips scan_decrypted_port_agnostic on. Will revert if any issues.
Best Regards,
Vishvas
Enabled and no issues so far. Is there a way to test it? Also, should we expect "different log" entries, such as entries sent to SophosLabs for analysis? Thanks
Enabled, let's see what happens.
Will it be enabled by default, even after migrating from V17 or V18? Or does it have to be enabled manually like "sd-wan-policy-route reply-packet"?
There are no problems so far. Netflix, online gaming, Facebook etc. Everything is fine right now.
We want this to be part of the default protection in the product in the near future.
There's no real way to test it other than to enable it, enable IPS and SSL/TLS decryption, and keep putting traffic through the device. Hopefully nothing will happen unless you happen to hit upon a genuine attack. If you see any IPS log entries on encrypted traffic that look like they may be false positives, let us know.
Maybe a false positive:
Running a Twitch stream and trying to show it in Stream Manager blocks the preview in Chrome v98.0.4758.82
2022-02-09 14:37:56 IPS messageid="07002" log_type="IDP" log_component="Signatures" log_subtype="Drop" ips_policy="" ips_policy_id="5" fw_rule_id="12" fw_rule_name="LAN to WAN" fw_rule_section="Local rule" user="majo-ryzen" sig_id="18484" message="FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt" classification="Attempted User Privilege Gain" rule_priority="2" src_ip="23.160.0.254" src_country="USA" dst_ip="192.168.2.84" dst_country="R1" protocol="TCP" src_port="443" dst_port="55595" OS="Mac,Windows" category="file-multimedia" victim="Client
Thanks for posting this. We've investigated and will be improving this signature in a future IPS signature pack.
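For the false-positive triage the Sophos post asks for, here is an added example (not Sophos code and not from anyone in this thread) that parses the key="value" IPS log format quoted above, groups hits by sig_id, and flags signatures that dropped traffic or that fired where neither port is 80/443, which only the port-agnostic inspection enabled here could produce. The sample lines are constructed: the first mirrors the thread's entry with documentation addresses in place of the real ones, the other two use a made-up sig_id 900001.

```python
import re
from collections import defaultdict
from typing import Dict, List

# Constructed sample export modelled on the IPS log entry quoted in this thread.
# Line 1 mirrors that entry (placeholder addresses); lines 2-3 are made up.
SAMPLE_LOG = """\
2022-02-09 14:37:56 IPS messageid="07002" log_type="IDP" log_subtype="Drop" sig_id="18484" message="FILE-MULTIMEDIA Apple iTunes Playlist Overflow Attempt" src_ip="203.0.113.10" dst_ip="192.168.2.84" protocol="TCP" src_port="443" dst_port="55595"
2022-02-09 14:40:01 IPS messageid="07002" log_type="IDP" log_subtype="Detect" sig_id="900001" message="CONSTRUCTED-WEB example signature A" src_ip="192.168.2.84" dst_ip="198.51.100.5" protocol="TCP" src_port="51234" dst_port="8443"
2022-02-09 14:41:12 IPS messageid="07002" log_type="IDP" log_subtype="Detect" sig_id="900001" message="CONSTRUCTED-WEB example signature A" src_ip="192.168.2.85" dst_ip="198.51.100.5" protocol="TCP" src_port="51240" dst_port="8443"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
WEB_PORTS = {80, 443}

def parse_ips_line(line: str) -> Dict[str, str]:
    """Parse one key="value" IPS log line; the leading timestamp is kept as 'timestamp'."""
    event = dict(KV_RE.findall(line))
    event["timestamp"] = line[:19]
    return event

def on_nonstandard_port(event: Dict[str, str]) -> bool:
    """True when neither side of the flow uses 80 or 443, so the hit can only have come
    from inspecting decrypted traffic on a non-standard port (the feature enabled here)."""
    ports = {int(event.get("src_port", "0")), int(event.get("dst_port", "0"))}
    return ports.isdisjoint(WEB_PORTS)

def summarize(log_text: str) -> Dict[str, dict]:
    """Group IPS events by sig_id so a reviewer can spot noisy signatures quickly."""
    summary: Dict[str, dict] = defaultdict(
        lambda: {"message": "", "count": 0, "drops": 0, "nonstandard_port": 0})
    for line in log_text.splitlines():
        if ' sig_id="' not in line:
            continue  # not an IPS signature event
        ev = parse_ips_line(line)
        s = summary[ev["sig_id"]]
        s["message"] = ev.get("message", "")
        s["count"] += 1
        s["drops"] += ev.get("log_subtype") == "Drop"
        s["nonstandard_port"] += on_nonstandard_port(ev)
    return dict(summary)

def review_candidates(log_text: str) -> List[str]:
    """sig_ids worth reporting as possible false positives: they dropped traffic, or they
    only matched because of port-agnostic inspection of decrypted traffic."""
    return sorted(sid for sid, s in summarize(log_text).items()
                  if s["drops"] or s["nonstandard_port"])

if __name__ == "__main__":
    for sid, s in summarize(SAMPLE_LOG).items():
        print(f'{sid}: {s["count"]} hit(s), {s["drops"]} drop(s), '
              f'{s["nonstandard_port"]} on non-standard ports: {s["message"]}')
```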