• Sophos Firewall v21.0 GA - Kyber TLS (Edge/Chrome) connection reset error for transparent TLS decryption

    AIFS IT Support
    We recently upgraded our Sophos XGS 4300 to SFOS v21. Since then, we are finding that a number of our users were receiving connection reset messages in their browser (Edge and Chrome) when attempting to access some websites with transparent TLS decryption…
    • 8 days ago
    • Sophos Firewall
    • Discussions
  • DNS over TLS

    MikeyS
    Apologies I know it's been mentioned before, but I'm in the process of moving from pfsense + to XG Home. Got a variety of loose ends to sort out and DNS over TLS is one of them. Is this forthcoming within the v21 release cycle? I'm sorting Wireguard…
    • 25 days ago
    • Sophos Firewall
    • Discussions
  • SSL Medium Strength Cipher Suites Supported CBC mode Enabled

    Akash
    How can I disable CBC mode and ChaCha20-affected algorithms and enable CTR or GCM cipher mode encryption?
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • Webfilter HTTPS decryption breaks ChatGPT: HTTP parsing error encountered

    LHerzog
    We're discovering a strange issue with HTTPS decryption and ChatGPT in all browsers we use. ChatGPT is unusable when we're logged in with the ChatGPT-licensed Microsoft Account. Any chat request generates this or similar errors: On the of SFOS 20…
    • Answered
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • TLS decryption issue explanation for beginner

    David Kucera
    Hello, I am converting our customers from primitive FWs to Sophos XGSs and testing TLS decryption. Would anyone be so kind as to walk me through what is happening in the specific case below: Setup: TLS enabled, any of default profiles, Sophos CA as trusted…
    • Answered
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection & Google Passkeys

    Josh Wing
    I have TLS inspection set up on my main network running through a Sophos XG (20.0.2 MR-2) and am trying to set up Google Passkeys for Gmail. The passkeys were set up using a different network connection, and they do work on another network. If I go through…
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • Does SSL inspection analyse WebSocket traffic?

    ff9394611
    Hello there, I have a customer who may want to buy a Sophos Firewall with the main reason of using it as a Web Proxy Server. Unfortunately I could not find information regarding WebSocket traffic inspection. My gut tells me that the SFOS will inspect…
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection Rules

    Jason M
    Issue Summary: Slow Speed test SSL/TLS Inspection Summary of Call Discussion: Traffic for the test system (172.xxx.xx.8) was passing through rule ID #2. We observed a speed of 36 Mbps with the SSL/TLS inspection rule enabled. After disabling the…
    • Answered
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • TLS on syslog

    James Morigan
    Hi, we have a problem with transferring syslog from the Sophos firewall to the Arcsight SmartConnector. When we try UDP, logs can be seen in the connector. However, with TLS, communication fails. This is only an example, but our handshake also fails at Change…
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • DNS over HTTPS and TLS.

    rfcat_vk
    Hi folks, a question about the XG's ability to decode DNS over HTTPS and TLS: can the current version of XG decode DNS requests sent to it using HTTPS or TLS? Ian
    • Answered
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • how to diagnose Heartbeat SSL errors in heartbeatd.log - or why do they occur all the time?

    LHerzog
    Heartbeat is always a bit tricky here. As we have several rules that block clients with no HB, the impact of technical heartbeat issues is always high. Endpoints have the latest official client versions from Central. Currently 2024.2.3.4.0 For…
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • blocked requests for short-TTL wildcard DNS FQDN

    LHerzog
    Currently I have some trouble providing firewall access to some load balanced CDN services on Akamai servers, where the corresponding DNS names have short TTLs when using a wildcard FQDN like *.docusign.net when the URL accessed will be demo.docusign.net…
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • Why does XG break OAuth 2.0 connections?

    rfcat_vk
    Hi folks, Before the upgrade the Gmail account used user name and password, after the upgrade the username and password were disabled and OAuth 2.0 was the approved security method. Today I upgraded my iPhone and iPad to the latest version of iOS…
    • Answered
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • Understanding TLS Inspection and Valid Certificate Presentation: How Do Some Sites Avoid Appliance-Generated Certificates?

    Sophal Lee
    I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate…
    • 3 months ago
    • Sophos Firewall
    • Discussions
  • SSL/TLS Inspection of AWS S3 Packets Intermittent Rejections

    MakoRantz
    We are having two issues which seem to be connected to AWS S3 connectivity. We have web based exhibits which pull content from S3 buckets. This works fine and consistently outside the corporate firewall. However going through the Sophos XG units results…
    • 3 months ago
    • Sophos Firewall
    • Discussions
  • SSL/TLS inspection vs HSTS

    Digit23
    I have enabled SSL/TLS inspection to do MITM for HTTPS (443) traffic from LAN to WAN. I have pushed the CA certificate to Windows computers by GPO. That works just fine for most sites. Now I have an issue with sites that have HSTS enabled. For those sites that enable…
    • Answered
    • 4 months ago
    • Sophos Firewall
    • Discussions
  • SSL Inspection Error with Apple websites

    Corey Carpenter
    Hello, I am running SFOS 19.5.4 and I noticed that I cannot get to any secure apple.com website since the last update. I try to go to Apple Business Manager (business.apple.com) and it will just spin and eventually time out. I also tried to purchase a…
    • 4 months ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection | OCSP / CRL | Not blocking websites with revoked certificates

    Daniel Neto
    Hi everyone, I'm enforcing my TLS inspection rules to be more strict and secure, following best practices. So my Decryption Profile: Using https://badssl.com/ for test scenarios I had success in almost all practices: invalid date working as…
    • 6 months ago
    • Sophos Firewall
    • Discussions
  • Renewing the SSL certificate for VPN?

    mbr_cfk
    We use the Sophos Firewall and Sophos Connect for VPN access in our company. One of our SSL certificates is about to expire. As I am still fairly inexperienced with Sophos, I wanted to know whether that has any effect on our…
    • Answered
    • 7 months ago
    • Sophos Firewall
    • German Forum
  • Bypass - The trust status of this website's certificate could not be securely established.

    midnightSun
    Good Eve. Trying to connect to a network switch via HTTPS. Error page: The trust status of this website's certificate could not be securely established. About this request URL: https://somePublicIP Certificate details: Valid From: Feb…
    • 7 months ago
    • Sophos Firewall
    • Discussions
  • Sophos XGS Firewall No certificates installed to validate this certificate's trust chain

    Ameisenbär
    Hello, my goal is to do SSL/TLS inspection using a domain certificate. I followed these instructions ( https://docs.sophos.com/nsg/sophos-firewall/19.5/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Certificates/HowToArticles…
    • Answered
    • 7 months ago
    • Sophos Firewall
    • German Forum
  • TLS encryption algorithms

    JeffG
    Hello everyone, during a Sophos presentation I came across the following matter: the different encryption algorithms used by SSH are discussed, among others, in BSI TR-02102-4, along with the time frame in which their use is recommended…
    • 8 months ago
    • Sophos Firewall
    • German Forum
  • SSL/TLS Inspection EndPoint vs Firewall

    Ameisenbär
    Hello everyone, I have the XGS firewall and the endpoint with Intercept X Advanced. Both can decrypt HTTPS and do IPS. Which of the two should I use for that?
    • 9 months ago
    • Sophos Firewall
    • German Forum
  • Cloudflare protected Websites disconnects when Sophos Firewall TLS Decryption is enabled

    Markus Heilgemeier
    Hello everyone, I have the issue that some websites like https://www.mediamarkt.de , https://www.poco.de , https://moemax.de are disconnecting the TCP stream when our Sophos Firewall is running TLS decryption against them. Once the TLS decryption…
    • 9 months ago
    • Sophos Firewall
    • Discussions
  • TLS 1.2 - block specific cipher suite on WAN

    Tom_L3
    Hello, we use an XG430 - is there any way to block the cipher suite TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA on WAN for a webserver, keeping only TLS 1.2 with TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 and TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 for external connections…
    • 9 months ago
    • Sophos Firewall
    • Discussions