Which is the difference between exclusions to SSL/TLS inspection rules under rules and policies and under Web Menu?

Exclusions to SSL/TLS inspection rules

XG Firewall provides default exclusion rules for websites and applications. These rules are positioned at the top of the SSL/TLS inspection rule table and are evaluated first. You can’t change their sequence in the rule table.

To the default exclusion rules, add only applications and websites that you don’t want to decrypt in any SSL/TLS inspection rule.

To exclude traffic from decryption using other criteria, you can create additional rules with action set to Do not decrypt and place them immediately below the default rules.

Exclusions by website or category: Contains the following exclusion lists:
  • Local TLS exclusion list: The list is empty by default. You can’t delete it from the exclusion rule. You can add domains to this list based on troubleshooting outcomes. Websites excluded through the control center or the log viewer are also added to this list. To edit this list, go to Web > URL groups.
  • Managed TLS exclusion list: Contains domains known to be incompatible with SSL/TLS inspection and is updated through firmware updates. You can, however, remove the list from the exclusion rule.

Exclusions by application: The list is empty by default. To add to the list, select the exclusion rule and add the Synchronized Security applications. Applications excluded through the control center are also added to the list.


Please document the differences between this new tab/option and the exceptions available in Web > Exceptions. Which one takes precedence?

Thanks

  • Agree, if you do not spend some minutes with the SSLx, it could be quite confusing. But this is still in progress to "improve" this until GA.

    Please keep in mind, the GUI and other stuff like the documentation are not complete right now. So basically there will be more input.

    If you see something lacking in the documentation, please keep putting input into the Community / Threads to inform the Sophos staff.


  • As  said the documentation is not fully complete yet. In addition we will shortly release some videos on how to configure both the new DPI functionality and also NAT.

  • Hi all,

    I have another short question regarding Web Proxy vs. TLS inspection feature:

    What is the best practice for FW rules providing web access over port 80?

    Should unencrypted http also be handled by the new IPS engine without the web proxy?


    Thanks and Best Regards

    Dom

  • Basically you decide how the proxy will get the traffic by selecting this in the firewall rules.

    Either you select DPI (IPS engine) or you enable the HTTPS proxy.

    But both ways, the proxy will be enabled for HTTP (port 80) if you select "scan malware". It will scan 80 and (if possible) 443. The "if possible" is DPI or HTTPS proxy.


  • Thanks for your quick reply!

    Is the HTTP Proxy also used if a Web Policy is active, e.g. when blocking some web categories?

  • To answer the question from :

    The DPI Engine can handle both encrypted and unencrypted HTTP traffic.

    If you apply a web policy to a firewall rule, or enable "Scan traffic for malware and content", the DPI Engine will do all the scanning and policy enforcement for all ports.

    If you also enable "Use the web proxy to transparently scan...", the proxy will take over the scanning and policy enforcement from the DPI Engine for ports 80 & 443 but the DPI Engine will continue to scan and enforce on other ports.

    If you enable "Decrypt HTTPS traffic scanned by the web proxy" then any HTTPS traffic being handled by the proxy will be decrypted.

    When Web Policy is not "None" and/or Scan traffic for malware is enabled:

    "Use the web proxy..." ENABLED and "Decrypt HTTPS traffic..." DISABLED:
      80 & 443: handled by proxy
      Other ports: handled by DPI Engine

    "Use the web proxy..." ENABLED and "Decrypt HTTPS traffic..." ENABLED:
      80 & 443: handled by proxy, and HTTPS is decrypted by proxy
      Other ports: decrypted by DPI engine based on SSL/TLS rules

    "Use the web proxy..." DISABLED and "Decrypt HTTPS traffic..." DISABLED:
      All ports: handled by DPI Engine

    "Use the web proxy..." DISABLED and "Decrypt HTTPS traffic..." ENABLED:
      All ports: decrypted by DPI engine based on SSL/TLS rules

    When Web Policy is "None" and Scan traffic for malware is disabled (any combination of "Use the web proxy..." and "Decrypt HTTPS traffic..."):
      No web policy or malware scanning is done. Traffic on all ports may still be decrypted by the DPI Engine according to SSL/TLS rules.

    When I say 'all ports' here, I obviously mean 'all ports matched by the firewall rule'.

    HTTPS exclusions:

    Web Exceptions with 'Exclude HTTPS decryption': apply to both DPI Engine decryption and Proxy decryption. This was done to ease migration for customers switching from v17.5 and earlier who may already have had HTTPS exclusions set up in Web exceptions.

    Exclusions on the SSL/TLS rules page are part of the SSL/TLS rule set and only apply to DPI Engine decryption.

    When you exclude a web site/domain from the Control Center or from the Log Viewer, it is added to the 'Local TLS Exclusion list' URL Group, which is included in the default 'Exclusions by Website' rule (#1) to exclude traffic by website.

    When you exclude a Sync Security App from the Control Center or Log Viewer, it is added directly to the default 'Exclusions by application' rule (#2).

    To answer 's original question: Precedence is not really relevant when considering Web Exceptions vs TLS/SSL rules because if a site is excluded by either one or the other, it will not be decrypted by the DPI Engine. But if it helps, you could think of Web Exceptions being the first thing considered, and if there is a match, then no decryption or other TLS/SSL conditions will be applied.
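    The handling described in this answer, together with the default exclusion rules quoted in the opening post, can be written down as one decision function. The following is an added example and not Sophos code or documentation; class, field and function names are its own, the sample domains and application name are constructed, and the tls_rule_decrypts parameter stands in for the assumption that, once the default exclusion rules are passed, a later SSL/TLS rule with action Decrypt would match the flow. The interesting case it makes visible is a domain on the Local TLS exclusion list that still gets decrypted on port 443 when the proxy path is in use, because those exclusions only apply to DPI engine decryption, whereas a Web Exception stops decryption on both paths.

```python
"""Who scans and who decrypts a web flow on XG Firewall v18.

Added example, not Sophos code or documentation. It encodes the handling
described in this thread: the proxy takes ports 80/443 from the DPI engine
when enabled, Web Exceptions stop decryption by either engine, and SSL/TLS
rule exclusions (Local/Managed TLS exclusion lists, excluded apps) only stop
DPI engine decryption. Class and field names are this example's own.
"""
from dataclasses import dataclass
from typing import Optional

PROXY_PORTS = frozenset({80, 443})  # ports the transparent web proxy takes over


@dataclass(frozen=True)
class FirewallRule:
    """The web-filtering checkboxes of one firewall rule."""
    web_policy: str = "None"         # "None" or the name of a web policy
    scan_malware: bool = False       # "Scan traffic for malware and content"
    use_proxy: bool = False          # "Use the web proxy to transparently scan..."
    decrypt_via_proxy: bool = False  # "Decrypt HTTPS traffic scanned by the web proxy"

    @property
    def inspects(self) -> bool:
        """Web policy or malware scanning is active for this rule."""
        return self.web_policy != "None" or self.scan_malware


@dataclass(frozen=True)
class Exclusions:
    """Everything that can stop decryption (sample data is constructed)."""
    web_exceptions: frozenset = frozenset()    # Web > Exceptions, 'Exclude HTTPS decryption'
    local_tls_list: frozenset = frozenset()    # 'Local TLS exclusion list' URL group
    managed_tls_list: frozenset = frozenset()  # 'Managed TLS exclusion list'
    excluded_apps: frozenset = frozenset()     # default 'Exclusions by application' rule

    def tls_rule_excludes(self, domain: str, app: Optional[str]) -> bool:
        """Default exclusion rules #1 and #2 of the SSL/TLS inspection table."""
        return (domain in self.local_tls_list
                or domain in self.managed_tls_list
                or (app is not None and app in self.excluded_apps))


@dataclass(frozen=True)
class Verdict:
    scanner: Optional[str]       # "proxy", "dpi", or None (no policy/malware scan)
    decrypted_by: Optional[str]  # "proxy", "dpi", or None (stays encrypted)
    reason: str


def classify(rule: FirewallRule, ex: Exclusions, port: int, domain: str,
             encrypted: bool = True, app: Optional[str] = None,
             tls_rule_decrypts: bool = True) -> Verdict:
    """tls_rule_decrypts is an assumption: a later SSL/TLS rule with action
    'Decrypt' would match this flow once the default exclusions are passed."""
    # Proxy path: only when the rule inspects, the proxy is on, and port is 80/443.
    if rule.inspects and rule.use_proxy and port in PROXY_PORTS:
        if not encrypted:
            return Verdict("proxy", None, "plaintext HTTP, nothing to decrypt")
        if not rule.decrypt_via_proxy:
            return Verdict("proxy", None, "proxy scans but 'Decrypt HTTPS' is off")
        if domain in ex.web_exceptions:
            return Verdict("proxy", None, "Web Exception also stops proxy decryption")
        # SSL/TLS rule exclusions are NOT consulted on the proxy path.
        return Verdict("proxy", "proxy", "decrypted by the web proxy")

    # DPI path: other ports, proxy disabled, or no web policy / malware scan at all.
    scanner = "dpi" if rule.inspects else None
    if not encrypted:
        return Verdict(scanner, None, "plaintext, nothing to decrypt")
    if domain in ex.web_exceptions:
        return Verdict(scanner, None, "Web Exception considered first: no decryption")
    if ex.tls_rule_excludes(domain, app):
        return Verdict(scanner, None, "matched default SSL/TLS exclusion rule")
    if not tls_rule_decrypts:
        return Verdict(scanner, None, "no SSL/TLS rule with action Decrypt matched")
    return Verdict(scanner, "dpi", "decrypted by DPI engine per SSL/TLS rules")


if __name__ == "__main__":
    # Constructed sample configuration, not taken from any real deployment.
    ex = Exclusions(web_exceptions=frozenset({"bank.example"}),
                    local_tls_list=frozenset({"legacy.example"}))
    rule = FirewallRule("Default Workplace Policy", True, True, True)
    for port, domain in [(443, "news.example"), (443, "legacy.example"),
                         (443, "bank.example"), (8443, "legacy.example")]:
        v = classify(rule, ex, port, domain)
        print(f"{domain}:{port} -> scanner={v.scanner} "
              f"decrypted_by={v.decrypted_by} ({v.reason})")
```

    Running it with the proxy and "Decrypt HTTPS" both enabled shows legacy.example decrypted by the proxy on 443 but left alone by the DPI engine on 8443, while bank.example (a Web Exception) is never decrypted on either port.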

  • Thank you for the detailed explanation.


    I guess the most confusing thing right now is that you cannot choose "Proxy" or "DPI" in the firewall rule itself.

    The mechanism behind the DPI ruleset would be easier to understand if you could simply select "Use Proxy method" or "Use DPI method/ruleset" in the specific firewall rule. The other choice should then be greyed out.

  • Perhaps I misunderstand but the choice of Proxy, DPI or both *is* in the firewall rule. Can you clarify?


    Also there are circumstances where you would want to use both methods, so greying one out wouldn't be appropriate.

  • Hi,

    What I mean is the following menu:

    There is only the context menu "web proxy". When you leave the checkboxes unticked, the SSL/TLS inspection rules are active for ports 80 and 443.

    What I'm missing is something like "Use DPI ruleset instead of proxy". There is only a hint "SSL vs proxy filtering".