What is the difference between exclusions to SSL/TLS inspection rules under Rules and policies and under the Web menu?

Exclusions to SSL/TLS inspection rules

XG Firewall provides default exclusion rules for websites and applications. These rules are positioned at the top of the SSL/TLS inspection rule table and are evaluated first. You can’t change their sequence in the rule table.

To the default exclusion rules, add only applications and websites that you don’t want to decrypt in any SSL/TLS inspection rule.

To exclude traffic from decryption using other criteria, you can create additional rules with action set to Do not decrypt and place them immediately below the default rules.

Exclusions by website or category: Contains the following exclusion lists:
  • Local TLS exclusion list: The list is empty by default. You can’t delete it from the exclusion rule. You can add domains to this list based on troubleshooting outcomes. Websites excluded through the control center or the log viewer are also added to this list. To edit this list, go to Web > URL groups.
  • Managed TLS exclusion list: Contains domains known to be incompatible with SSL/TLS inspection and is updated through firmware updates. You can, however, remove the list from the exclusion rule.

Exclusions by application: The list is empty by default. To add to the list, select the exclusion rule and add the Synchronized Security applications. Applications excluded through the control center are also added to the list.


Please document the differences between this new tab/option and the exceptions available in Web > Exceptions. Which one takes precedence?

Thanks
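As an added example (not from the Sophos documentation or from anyone in this thread), the following Python model shows the ordering the quoted excerpt describes: the three default exclusion rules are pinned at the top and evaluated first, evaluation is first match wins, and a custom "Do not decrypt" rule placed below a broader decrypt rule is shadowed. The rule names, domains, application names and the catch-all decrypt rule at the bottom are constructed assumptions, not a real configuration.

```python
from dataclasses import dataclass

@dataclass
class Rule:
    name: str
    action: str                        # "do_not_decrypt" or "decrypt"
    domains: frozenset = frozenset()   # matches the host or any subdomain
    apps: frozenset = frozenset()      # matches application names
    pinned: bool = False               # default exclusion rules: fixed at the top

def host_matches(host, domains):
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def rule_matches(rule, host, app):
    if not rule.domains and not rule.apps:   # no criteria at all: catch-all rule
        return True
    return host_matches(host, rule.domains) or (app is not None and app in rule.apps)

def default_exclusions(local, managed, apps):
    """The three pinned default exclusion rules, consulted before everything else."""
    return [
        Rule("Local TLS exclusion list", "do_not_decrypt", frozenset(local), pinned=True),
        Rule("Managed TLS exclusion list", "do_not_decrypt", frozenset(managed), pinned=True),
        Rule("Exclusions by application", "do_not_decrypt", apps=frozenset(apps), pinned=True),
    ]

def evaluate(table, host, app=None):
    """First-match evaluation: returns (rule name, action). Table must end in a catch-all."""
    for rule in table:
        if rule_matches(rule, host, app):
            return rule.name, rule.action
    raise ValueError("rule table has no catch-all rule")

def misplaced_exclusions(table):
    """Custom 'Do not decrypt' rules that sit below a decrypt rule and can be shadowed by it."""
    names, seen_decrypt = [], False
    for rule in table:
        if rule.action == "decrypt":
            seen_decrypt = True
        elif seen_decrypt and not rule.pinned:
            names.append(rule.name)
    return names

# Constructed sample table (assumed values, not a real XG Firewall configuration).
TABLE = default_exclusions(
    local={"internal-bank.example"},          # added after a troubleshooting session
    managed={"update.example-vendor.com"},    # shipped and updated with firmware
    apps={"Skype"},
) + [
    Rule("Finance do not decrypt", "do_not_decrypt", frozenset({"finance.example"})),
    Rule("Decrypt all", "decrypt"),
    Rule("HR do not decrypt", "do_not_decrypt", frozenset({"hr.example"})),  # shadowed
]
```

Running `misplaced_exclusions(TABLE)` reports the HR rule, because "Decrypt all" above it matches first; moving it directly below the default rules, as the excerpt recommends, fixes that.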

  • The TLS exclusion lists only apply to SSL/TLS Inspection rules and not to Web Proxy.

  • Can you explain a little bit deeper?

    For example, at the moment I have web proxy exceptions for Skype; otherwise, with decrypt and scan and application control where Skype is allowed, Skype calls do not work. Do I need to move these exceptions to the new SSL/TLS exceptions?

    Also, make sure to document in the PDF or online doc.

    Thanks

    Luk

    Security Architect

    UTM Certified Architect - XG Certified Architect

  • Exclude from decryption did not help!

    Luk


  • The 0:443 thing is a known issue we are working to resolve.

    Not sure why you can't get to LinkedIn - hate this phrase personally - but it works here and I have no exclusions for it.

  • Can you give a bit more detail:

    - How are you trying to access LinkedIn? From a browser on a PC or Mac, or from an iPhone or mobile device?

    - Are you sure that the device/browser/app is trusting the re-signing CA on your firewall?

    - Are you sure it's not being blocked by your web policy "Deny ADS"?

    - What entries do you see in the Log Viewer relating to LinkedIn? Using the detailed view of the log viewer, you should see Firewall, SSL/TLS and Web filter logs relating to the application definition "LinkedIn Website".

  • Thanks Stuart.

    Where can I find the exclusions created from SSL/TLS control center option?

    I did not find LinkedIn anywhere!

    Luk


  • Sure:

    Mac where the XG certificate has been installed since v16, I guess. I have been using decrypt and scan for almost 3 years now.

    Deny ADS includes only ads. If I tick web proxy in the same firewall rule, LinkedIn opens without any problem.

    Nothing in the log.

    Luk


  • With Safari, Linkedin works with no issue.

    With Firefox, LinkedIn does not open. I did not even receive the 404 page, but the browser keeps trying to open it. FF 69.0.2 and 69.0.3.

    Hope this helps!

    Luk


  • Luk, you should open another thread for this issue.

    It is easier for the Sophos Support guys to track if we keep a one-issue-per-thread discussion.

    So to speak, let's discuss the Exception tab here, and open a new thread with your issue about accessing LinkedIn.

    I highly assume there is some configuration issue. Hope this is fine.

  • Just to come back on the original thread, DOCUMENT HOW THE NEW DPI can be configured with some KB and pros and cons of using DPI or Web Protection.

    Thanks

    Luk


  • Agree, if you don't spend some minutes with the SSLx, it could be quite confusing. But this is still in progress to "improve" until GA.

    Please keep in mind, the GUI and other stuff like the documentation are not complete right now. So basically there will be more input.

    If you see something lacking in the documentation, please keep putting input into the Community / threads to inform the Sophos staff.

  • As said, the documentation is not fully complete yet. In addition, we will shortly release some videos on how to configure both the new DPI functionality and also NAT.
