Thread Info
Options
Suggested
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Exclude IOT devices from https decrypt and scan

Andy Johnson

Hi,

I have followed the following steps so far:

  1. created static mappings for all the devices in my house: computers, tablets, phones, raspberry pi, IOTs like Google Home, smart tv, smart dvd player, smart irrigation system, thermostat, etc.
  2. Created a unique host in System Settings --> Organizational and provided a unique host name. for e.g. (secure.sophosforandy.com)
  3. Regenerate certificate in Filtering options --> Https CAs
  4. Download the PKCS#12 certificate 
  5. Install the certificate on each computer and cell phones (so far I have tried just one cell phone and yet to try many more but since POC on one android phone works so I am expecting it to work on other android devices as well)

 

Now here is my challenge. I have so many IOT devices and I  am sure we all have these days, for e.g. Google home, smart tv, smart dvd player, etc...

Now I would like to create a policy and/or filter where ONLY these devices can bypass the https filter and scan. and it still will be enforced to other devices like computer, tablets and phones.

Web filtering options are very confusing to me. Can someone please guide me through it to achieve what I want to accomplish? I will really appreciate it.

Andy



This thread was automatically locked due to age.
  • 0

    Great question, Andy!  On the 'Misc' tab of 'Filtering Options', add the Hosts for your IOT devices to 'Skip Transparent Mode Source Hosts/Nets'.

    Cheers - Bob

     
    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
    • 0 in reply to BAlfson

      Bob,

      Thanks for your response.

      I hope it will only skip "Decrypt and Scan" of https traffic only for the defined host? I still want Sophos to scan other traffic for those excluded hosts?

      Thanks

      Andy

      • 0 in reply to Andy Johnson

        Hi Andy,

        if you write it into the Skip-list under the Misc-Tab then it will bypass transparent proxy.

        if you only want to skip the https decryption part but want the URL-Filter to work, then you'll need to build an exception

         

        Yours Lukas

        lna@cema

        SCA (utm+xg), SCSE, SCT

        Sophos Platinum Partner

        • 0 in reply to lna

          Lukas,

          I tried your suggestion yesterday and haven't tried other devices but very first issue I encountered is my two factor authentication for my company vpn which uses Duo.

          When I am on my home network, I get notification from Duo to approve login but as soon as I open that notification, it complains that I need a Wifi and/or mobile network. In fact, I have both enabled on my cell phone.

          Can you please suggest how can I fix that problem?

           

          Thanks

          Andy