Hi, I have set up email scanning according to this guide: https://docs.sophos.com/nsg/sophos-firewall/20.0/Help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigurePOPIMAPScan/index.html#add-a-firewall-rule I have found that…

I’ve noticed that some sites subjected to TLS inspection still present valid certificates from reputable CAs without generating on-the-fly appliance certificates. This behavior seems unusual because, typically, I would expect the appliance to generate…

I have enabled SSL/TLS inspection to do MITM for HTTPS(443) trafic from LAN to WAN. I have push by GPO certificat CA to windows computer. That work just fine for most site. Now I have an issue with site that have HSTS enabled. For those site that enable…

When I go to edit the certificate and upload the certificate which is due for renewal ( every 13 months ), it fails with the following error at the top center of the screen: Certificate could not be updated as it is already used by HTTP Based Policy…

Hello, We are using the DPI engine and have created SSL/TLS inspection rules. Unfortunately, we receive a certificate warning for some websites even though the firewall certificate has been imported. What could be the reason for this and how can we…

Hi, I have ONE of 3 new installs of XGS-126 having long known problem with Sophos CA certificates on some popular URL addresses. For example, users cannot download Google Chrome: I guess problem is HSTS, where browser detects MITM, which is Sophos…

Hi everyone, I'm enforcing my TLS inspection rules to more strict and secure with best practices. So my Decryption Profile: Using https://badssl.com/ for tests scenarios I had success in almost all practices: invalid date working as…

Hi there, I have a single static public IP that I'm using for SSL VPN incoming connections and for exposing a host (PBX) along with the following services: 80, 443, 5060, 5061, and RTP range 9999-15000. The PBX manufacturer provides a DNS service…

Dear All, I am facing with a Problem in sophos xg web server Protection, I have created all needed ruls and upload the ssl certificat to xg but in web application rule under the Host server when I select the HTTPS in the dropdaown menu I dont see me…

Hi folks, a question about decrypt and scan that has me puzzled for sometime. The users have the XG certificate installed and functioning correctly except for Apple sites. I have web policies blocking advertisements and use the XG proxy, this functions…

Hello everyone, Recently i noticed a bunch of tickets regarding the following. i want to go on facebook, but facebook is blocked. instead of the blocked page i get Error code: SEC_ERROR_UNKNOWN_ISSUER(firefox) or NET::ERR_CERT_AUTHORITY_INVALID…

Hi. I am facing an issue with the Web Application Firewall. I have several WAF rules configured, some using SSL and other are not. They point to a central web server. The domain name is used to differentiate each web app and that is forwarded on to…

We use a Sophos XGS87 (SFOS 19.5.3 MR-3-Build652) and we want to use POP3 Scanning in legacy mode. In document ( https://doc.sophos.com/nsg/sophos-firewall/18.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Email/HowToArticles/EmailConfigurePOPIMAPScan…

Hi Sophos Community, We've had it reported to us by those that use the monitoring software that https decryption has stopped working. We aren't exactly sure when it stopped working, but it appeared to have done some time after moving to 19.5. Though…

Good morning, i installed sophos firewall to use it as wifi guest access, through the hotspot feature. I also bought the standard subscription, so with web Protection the possibility of doing url filtering. I then loaded the CA of my public domain, to…

Hi, when downloading the Proxy CA here: this logs you out of webadmin immediately. SFOS 19.5.2 MR-2-Build624 XG and XGS

- Web -> HTTPS decryption and scanning -> HTTPS scanning certificate authority (CA) -> "Default" cert in settings - Profiles -> Decryption profiles -> Block insecure SSL -> "Default" cert in booth Re-sign settings - what is in use -> "SecurityAppliance_SSL_CA…

Hello community, I have switched from UTM to XG and now I have the following problem with pubic trusted certificates in other zones than the default internal zone. I have configured and uploaded the certificate successfully in the XG appliance,…

If I upload a new certificate because it's just been renewed, and then select that certificate in an existing firewall rule for web protection, it automatically deletes all the domains I've associated and puts in the ones it's found in the certificate…

I have a local web server i would like to publish it so i can access it from outside via port 443 , i've already generated an ssl certificate and i would like to use it via Sophos FW . is it possible to do it via WAF and attach the new SSL certificate…

We're having a strange situation again after it happened last week already on our SFOS 19.0.1 XG430: Some users browse to a website that has no exceptions on our firewall for decryption. The browser (firefox or chrome) show an error that the site…

hi, i have XG430 , created a firewall rule and selected with following web filtering checks: Block QUIC protocol Scan HTTP and Decrypted HTTPS Scan FTP for Malware Decrypt HTTP during web proxy filtering. SSL and TLS inspection is enabled when user…

Hello there, I just enabled a web filter policy to block various websites, but I'm having issues with the user notification options. I have installed a valid LetsEncrypt SSL certificate and it's working great for the user portal. However when a webpage…

Hi everyone! We are using a Sophos XGS2300 (SFOS 19.0.1 MR-1). We uploaded a pfx-certificate to the WAF which specifically included only the webserver certificate itself and its intermediate certificate. But, when we check the site with a tool like…

Hi there Last week, my wildcard certificate expired. No biggie. Got a new one, imported it into the firewall, everything ok. When I selected the new certificate in my WAF rules, I was able to save this configuration and expected the firewall to use…