• TLS decryption issue explanation for beginner

    David Kucera
    Hello, I am converting our customers from primitive FWs to Sophos XGS's and testing TLS decryption. Would anyone be so kind to walk me through what is happening in specific case below: Setup: TLS enabled, any of default profiles, Sophos CA as trusted…
    • 8 hours ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection & Google Passkeys

    Josh Wing
    I have TLS inspection set up on my main network running through a Sophos XG (20.0.2 MR-2) and am trying to set up Google Passkeys for G-Mail. The passkeys were set up using a different network connection, and they do work on another network. If I go through…
    • 16 days ago
    • Sophos Firewall
    • Discussions
  • Does SSL inspection analyse WebSocket traffic?

    ff9394611
    Hello there, I have a customer who may want to buy a Sophos Firewall with the main reason of using it as a Web Proxy Server. Unfortunately I could not find information regarding WebSocket traffic inspection. My guts tell me that the SFOS will inspect…
    • 18 days ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection Rules

    Jason M
    Issue Summary: Slow Speed test SSL/TLS Inspection Summary of Call Discussion: Traffic for the test system (172.xxx.xx.8) was passing through rule ID #2. We observed a speed of 36 Mbps with the SSL/TLS inspection rule enabled. After disabling the…
    • Answered
    • 21 days ago
    • Sophos Firewall
    • Discussions
  • Why does XG break oauth 2.0 connections?

    rfcat_vk
    Hi folks, Before the upgrade the gmail account used user name and password, after the upgrade the username and password were disabled and oauth 2.0 was the approved security method. Today I upgraded my iPhone and iPad to the latest version of iOS…
    • Answered
    • 1 month ago
    • Sophos Firewall
    • Discussions
  • Understanding TLS Inspection and Valid Certificate Presentation: How Do Some Sites Avoid Appliance-Generated Certificates?

    Sophal Lee
    I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate…
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • SSL/TLS inspection vs HSTS

    Digit23
    I have enabled SSL/TLS inspection to do MITM for HTTPS (443) traffic from LAN to WAN. I have pushed the CA certificate by GPO to Windows computers. That works just fine for most sites. Now I have an issue with sites that have HSTS enabled. For those sites that enable…
    • Answered
    • 2 months ago
    • Sophos Firewall
    • Discussions
  • SSL Inspection Error with Apple websites

    Corey Carpenter
    Hello, I am running SFOS 19.5.4 and I noticed that I cannot get to any secure apple.com website since the last update. I try to go to apple business manager (business.apple.com) and it will just spin and eventually time out. I also tried to purchase a…
    • 3 months ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection | OCSP / CRL | Not blocking websites with revoked certificates

    Daniel Neto
    Hi everyone, I'm enforcing my TLS inspection rules to be more strict and secure with best practices. So my Decryption Profile: Using https://badssl.com/ for test scenarios I had success in almost all practices: invalid date working as…
    • 4 months ago
    • Sophos Firewall
    • Discussions
  • Cloudflare protected Websites disconnects when Sophos Firewall TLS Decryption is enabled

    Markus Heilgemeier
    Hello together, I have the issue that some Websites like https://www.mediamarkt.de, https://www.poco.de, https://moemax.de are disconnecting the TCP Stream when our Sophos Firewall is running TLS Decryption against them. Once the TLS Decryption…
    • 8 months ago
    • Sophos Firewall
    • Discussions
  • How to enforce TLS negotiation for any SMTP traffic?

    Fred12
    Hello, as from here I can configure "Require sender email domains" to enforce TLS negotiation (whitelisting). Besides this I can configure "Skip TLS negotiation" (blacklisting). For compliance and legal reasons I need to configure TLS negotiation…
    • Answered
    • 8 months ago
    • Sophos Firewall
    • Discussions
  • TLS Inspection Upload Speeds

    JimtheITguy
    This is partly a question, partly a what's other people's experience with this. Doing some heavy speedtest loads on an XGS136 and an XG 135 and while both units with TLS inspection on will do 800mbps+ on the download they will only do 190mbps(XGS136)…
    • 8 months ago
    • Sophos Firewall
    • Discussions
  • Web filter with content filter strange behavior

    Teererai Marange
    I'm trying to test the web filter with a content filter and am experiencing unexpected behavior. I've created a blocked terms list with the following term: and uploaded it to a content filter called blocked_terms. I've also set up a web filter policy…
    • 8 months ago
    • Sophos Firewall
    • Discussions
  • Can someone explain SSL/TLS inspection rules vs. Web Exceptions?

    CaseyWilkins
    Explain like I'm 5 (maybe a 5 year old is smarter at this point, who knows)... We have SSL/TLS inspection rules under "Rules and policies." One of these rules is the built in "Exclusions by Website", which references both a Local and Managed TLS exclusion…
    • 9 months ago
    • Sophos Firewall
    • Discussions
  • docusign TLS decryption error - HTTP parsing error encountered

    LHerzog
    Using TLS decryption and vendor Docusign suddenly causes issues with our XG firewall on 19.5.3. Happens also on other browsers and OS. Here Safari in MacOS. It works using classic proxy as described here: https://support.sophos.com/support…
    • 10 months ago
    • Sophos Firewall
    • Discussions
  • SSL/TLS Decryption rule errors

    Akilae
    Hello everyone, Since v20 I need to disable / enable an SSL/TLS Decryption rule nearly every to every 2 days. It stops processing traffic and on a client device it "feels" like the internet is down. This instantly recovers after disabling / enabling…
    • Answered
    • 10 months ago
    • Sophos Firewall
    • Discussions
  • .tar files for TLS exclusions for Office365 updates not available

    ADJ
    I need to add the TLS exclusions for allowing Office365 updates through because the Web Protection module is blocking them - I can update my Office365 apps fine without the protection as this has been tested successfully. My firewall is XGS87 running…
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • Site being decrypted with TLS decryption set to OFF

    staticfactory
    Dealing with a strange issue where the FW appears to be trying to decrypt a site even though the setting is OFF. Is there another policy that would be impacting this (or producing this sort of error)?
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • DPI Engine / SSL Traffic not being decrypted

    seroal
    Hi Team, I configured a DPI Rule, that should decrypt SSL/TLS Traffic, but it actually doesn't, despite Policytest says, it does. Even if AV Scanning is active, the firewall does not block access to https://secure.eicar.org/eicar.com.txt. If…
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • HTTPS Decryption Stopped Working - 19.5.2

    ptho
    Hi Sophos Community, We've had it reported to us by those that use the monitoring software that https decryption has stopped working. We aren't exactly sure when it stopped working, but it appeared to have done some time after moving to 19.5. Though…
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • SMTP SSL/TLS on Port 465/587 Local_ACL Violation?

    Quallensaft
    Is the firewall (MTA mode) not accepting SMTP with SSL/TLS also on port 465/587? My Epson printer is not able to connect on 465/587 with the firewall: /log/smtpd_main.log -> nothing in log /log/smtpd_reject.log -> nothing in log ACL violation? Source…
    • Answered
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • problem after installation SFOS 19.5.2 MR-2-Build624

    miki1980
    Hi, after our installation of the firmware SFOS 19.5.2 MR-2-Build624 we have problems with sites with the following error: Dropped due to TLS engine error: messageid="19006" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity…
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • SSL/TLS decryption with RDP

    Denis Christov
    Hi all, I was playing with SSL/TLS decryption and it breaks RDP connections with error "The Local Security Authority cannot be contacted". The only exception that works is if I make the exception for the address I am connecting to, which is extremely…
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • Sophos blocking portion of Instagram

    Hey Help Desk Guy
    Hey all, I've noticed that at home - a portion of IG won't load when connected to the Sophos VPN. I've checked the firewall logs and don't see anything blocked from IG. Any ideas of how/what I can do to get this allowed again?
    • over 1 year ago
    • Sophos Firewall
    • Discussions
  • SSL Inspection KEY_TYPE__UNKNOWN

    Thomas_XG
    Hi, an application tried to decrypt an SSL/TLS connection but was getting an error "unknown ca(48)" : messageid="19018" log_type="Content Filtering" log_component="SSL" log_subtype="Error" severity="Information" user="<changed>" src_ip="<changed>"…
    • over 1 year ago
    • Sophos Firewall
    • Discussions