We recently upgraded our Sophos XGS 4300 to SFOS v21. Since then, we are finding that a number of our users were receiving connection reset messages in their browser (Edge and Chrome) when attempting to access some websites with transparent TLS decryption…
We're discovering a strange issue with HTTPS decryption and ChatGPT in all browsers we use.
ChatGPT is unusable when we're logged in with the ChatGPT-licensed Microsoft Account. Any chat request generates this or similar errors:
On the of SFOS 20…
Hello,
I am converting our customers from primitive FWs to Sophos XGSs and testing TLS decryption.
Would anyone be so kind as to walk me through what is happening in the specific case below:
Setup: TLS enabled, any of default profiles, Sophos CA as trusted…
I have TLS inspection set up on my main network running through a Sophos XG (20.0.2 MR-2) and am trying to set up Google Passkeys for G-Mail.
The passkeys were set up using a different network connection, and they do work on another network. If I go through…
Hello there,
I have a customer who may want to buy a Sophos Firewall with the main reason of using it as a Web Proxy Server.
Unfortunately I could not find information regarding WebSocket traffic inspection. My gut tells me that the SFOS will inspect…
Issue Summary: Slow speed test with SSL/TLS inspection. Summary of call discussion:
Traffic for the test system (172.xxx.xx.8) was passing through rule ID #2.
We observed a speed of 36 Mbps with the SSL/TLS inspection rule enabled.
After disabling the…
Hi, we have a problem with transferring syslog from the Sophos firewall to the ArcSight SmartConnector. When we try UDP, logs can be seen in the connector. However, with TLS, communication fails.
This is only an example, but our handshake also fails at Change…
Hi folks,
a question about the XG's ability to decode DNS over HTTPS and TLS: can the current version of XG decode DNS requests sent to it using HTTPS or TLS?
Ian
Heartbeat is always a bit tricky here.
As we have several rules that block clients with no HB, the impact of technical heartbeat issues is always high.
Endpoints have the latest official Client versions from Central. Currently 2024.2.3.4.0
For…
Currently I have some trouble providing firewall access to some load-balanced CDN services on Akamai servers, where the corresponding DNS names have short TTLs, when using a wildcard FQDN like *.docusign.net while the URL accesses are to demo.docusign.net…
Hi folks,
Before the upgrade the Gmail account used a user name and password; after the upgrade the username and password were disabled and OAuth 2.0 was the approved security method.
Today I upgraded my iPhone and iPad to the latest version of iOS…
I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate…
We are having two issues which seem to be connected to AWS S3 connectivity. We have web based exhibits which pull content from S3 buckets. This works fine and consistently outside the corporate firewall. However going through the Sophos XG units result…
I have enabled SSL/TLS inspection to do MITM for HTTPS (443) traffic from LAN to WAN. I have pushed the CA certificate to Windows computers by GPO. That works just fine for most sites. Now I have an issue with sites that have HSTS enabled. For those sites that enable…
Hello, I am running SFOS 19.5.4 and I noticed that I cannot get to any secure apple.com website since the last update. I try to go to apple business manager (business.apple.com) and it will just spin and eventually time out. I also tried to purchase a…
Hi everyone,
I'm making my TLS inspection rules stricter and more secure, following best practices. So my decryption profile:
Using https://badssl.com/ for test scenarios, I had success in almost all cases:
invalid date
working as…
Good Eve.
Trying to connect to a network switch via https.
Error page : The trust status of this website's certificate could not be securely established.
About this request
URL: https://somePublicIP
Certificate details:
Valid From: Feb…
Hello all,
I have the issue that some websites like https://www.mediamarkt.de , https://www.poco.de , https://moemax.de
are disconnecting the TCP Stream when our Sophos Firewall is running TLS Decryption against them.
Once the TLS Decryption…
Hello,
we use an XG430 - is there any way to block the cipher suite
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
on wan for a webserver keeping only TLS 1.2 with
TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
for external connections…
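The policy asked for above, written out as an added example (my code, not a Sophos setting or anything from the post): the two GCM suites expressed as the OpenSSL cipher string most web servers and WAFs take, a TLS 1.2-only server context that offers nothing else, and an audit over a constructed scan result that flags the CBC suite and any non-ECDHE suite. The IANA-to-OpenSSL name table and the scan result are assumptions I constructed for the example; the XG configuration UI itself is not shown.

```python
"""Cipher policy from the post, in OpenSSL terms, plus an audit of an offered list.

Added example, not Sophos code. The IANA-to-OpenSSL name table and the
SCAN_RESULT list below are constructed for illustration.
"""
import ssl

# IANA suite names (as used in the post) mapped to the OpenSSL cipher names.
IANA_TO_OPENSSL = {
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384": "ECDHE-RSA-AES256-GCM-SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256": "ECDHE-RSA-AES128-GCM-SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA": "ECDHE-RSA-AES256-SHA",
    "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA": "ECDHE-RSA-AES128-SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384": "AES256-GCM-SHA384",
}

# The two suites the post wants to keep for external connections.
ALLOWED_IANA = (
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
)


def openssl_cipher_string(allowed_iana=ALLOWED_IANA):
    """Colon-separated OpenSSL cipher list for the allowed suites."""
    return ":".join(IANA_TO_OPENSSL[name] for name in allowed_iana)


def build_server_context(allowed_iana=ALLOWED_IANA):
    """TLS 1.2-only server context that offers only the allowed suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.TLSv1_2
    # set_ciphers raises ssl.SSLError if no suite in the string is usable.
    ctx.set_ciphers(openssl_cipher_string(allowed_iana))
    return ctx


def tls12_ciphers(ctx):
    """Sorted names of the TLS 1.2 suites the context will actually offer."""
    return sorted(c["name"] for c in ctx.get_ciphers() if c["protocol"] == "TLSv1.2")


def violations(offered_iana, allowed_iana=ALLOWED_IANA):
    """Suites in a scan result that fall outside the policy, keyed by name."""
    out = {}
    for name in offered_iana:
        if name in allowed_iana:
            continue
        if "_CBC_" in name:
            out[name] = "CBC mode (no AEAD)"
        elif not name.startswith("TLS_ECDHE_"):
            out[name] = "no forward secrecy"
        else:
            out[name] = "not in allow-list"
    return out


# Constructed scan result: what a scanner might report the WAN side still offers.
SCAN_RESULT = [
    "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
    "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
    "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA",
    "TLS_RSA_WITH_AES_256_GCM_SHA384",
]

if __name__ == "__main__":
    print("cipher string:", openssl_cipher_string())
    print("offered TLS 1.2 suites:", tls12_ciphers(build_server_context()))
    for suite, why in violations(SCAN_RESULT).items():
        print(f"BLOCK {suite}: {why}")
```

The audit side is what to run against the WAN interface after changing the firewall's TLS settings: feed it the suite list a scanner reports, and anything it returns is still being offered despite the policy.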
Hello, as from here I can configure "Require sender email domains" to enforce TLS negotiation (whitelisting). Besides this, I can configure "Skip TLS negotiation" (blacklisting).
For compliance and legal reason I need to configure TLS negotiation…
This is partly a question, partly a "what's other people's experience with this".
Doing some heavy speedtest loads on an XGS136 and an XG 135: while both units with TLS inspection on will do 800 Mbps+ on the download, they will only do 190 Mbps (XGS136)…
I'm trying to test the web filter with a content filter and am experiencing unexpected behavior.
I've created a blocked terms list with the following term:
and uploaded it to a content filter called blocked_terms. I've also set up a web filter policy…
Explain like I'm 5 (maybe a 5 year old is smarter at this point, who knows)...
We have SSL/TLS inspection rules under "Rules and policies." One of these rules is the built-in "Exclusions by Website", which references both a Local and a Managed TLS exclusion…
Using TLS decryption with the vendor Docusign suddenly causes issues with our XG firewall on 19.5.3.
It happens also on other browsers and OSes. Here, Safari on macOS.
It works using the classic proxy as described here:
https://support.sophos.com/support…