Configuring TLS Decryption on Sophos Firewall
Sophos Firewall, Version: 19.0v1

FW2030: Configuring TLS Decryption on Sophos Firewall
April 2022

© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.

Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.

While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.

Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.

Configuring TLS Decryption on Sophos Firewall - 1


Configuring TLS Decryption on Sophos Firewall

RECOMMENDED KNOWLEDGE AND EXPERIENCE
✓ Using the WebAdmin to configure rules and policies

DURATION
8 minutes

In this chapter you will learn how to configure TLS decryption for traffic passing through Sophos
Firewall.



TLS Inspection Rules

• TLS inspection engine that is port and application agnostic
• TLS policy is separate from firewall policies
• Decrypted packets are sent to IPS, application control, web filtering and antivirus

The TLS inspection engine in Sophos Firewall is port and application agnostic: it does not know or
care which higher-level application is being carried, so a decrypt rule covers TLS on any port, not
only 443.

The TLS policy for the inspection engine is separate from the firewall rules. This lets you create
and apply TLS policies to traffic without having to consider the ordering and matching of firewall
rules; only the order of the TLS inspection rules themselves matters.

The TLS inspection engine sends the decrypted packets to IPS, application control, web filtering and
antivirus for checking.



SSL/TLS Inspection Rules

Here you can see a set of TLS inspection rules.

The first excludes specific websites from being decrypted and uses two lists: a local list where you
can add websites to exclude, and a list managed by Sophos of websites where SSL/TLS inspection is
known to cause problems.

An example of when this happens is where there is mutual authentication between the server and the
client or application: the client has to present its own certificate, and the firewall cannot sign on
the client's behalf. These two lists of websites can be viewed in PROTECT > Web > URL Groups, and in
the case of the Local TLS exclusion list you can edit it.



TLS Inspection Rules

• Actions: Decrypt, Do not decrypt, Deny
• Decryption profile: certificate, protocol and cipher settings
• Matching criteria the same as firewall rules
• Match on categories and websites

Let’s take a look at how you would configure a rule.

TLS inspection rules can be configured to:


• Decrypt matched traffic, when you want to scan the contents
• Not decrypt matched traffic, when it will cause problems with the site or application
• Or deny the matched traffic

Each rule has a decryption profile that is a collection of certificate, protocol and cipher settings. We
will look at decryption profiles in more detail shortly.

The matching criteria for TLS inspection rules are the same as for firewall rules, with the addition
of being able to match on categories of websites.



TLS Inspection Rules

Here I have created three rules as an example, which do the following:

• Enforce strict decryption for users in finance
• Apply a more relaxed and compatible profile to specific domains that require it
• Decrypt all other internal-to-external traffic and block insecure SSL/TLS



Catch-all TLS Rule Example

As an example, we create a catch-all TLS inspection rule for traffic going to the WAN zone from the
client networks.

Start by giving the rule a descriptive name, set the rule position and select the action.

Select a decryption profile that defines the resigning CAs, acceptable ciphers and how to handle
non-decryptable traffic.

Configure the source and destination settings in the same way that you would for a firewall rule, in
this case to select traffic from clients to the Internet.

You can optionally further restrict the rule to apply to specific websites.
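The three-rule example and the catch-all rule above are evaluated as an ordered table: the first rule whose criteria all match decides what happens to the session. The Python model below is an added example for this chapter, not Sophos Firewall code, and it does not reproduce the engine's matching logic; it only shows the first-match semantics over the criteria the chapter lists (zones, networks, users, websites, categories) and why rule position matters. The zone names, networks, user groups, hostnames, category names and the stand-ins for the two exclusion URL groups are all constructed for the example.

```python
"""Model of first-match evaluation over an ordered TLS inspection rule table.

Added example for this chapter; it is not Sophos Firewall code and does not
reproduce the engine's matching logic. Rule fields mirror the matching criteria
the chapter lists (zones, networks, users, websites, categories). Zone names,
networks, group names, hostnames and category names are constructed.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    name: str
    action: str                         # "decrypt", "do_not_decrypt" or "deny"
    profile: Optional[str] = None       # decryption profile used when action is "decrypt"
    src_zone: str = "ANY"
    dst_zone: str = "ANY"
    src_networks: list = field(default_factory=list)  # CIDR strings; empty = any
    groups: set = field(default_factory=set)           # user groups; empty = any
    websites: set = field(default_factory=set)         # domains (URL groups); empty = any
    categories: set = field(default_factory=set)       # web categories; empty = any


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_zone: str
    dst_zone: str
    group: str
    sni: str        # server name from the ClientHello, visible before any decryption
    category: str   # category the web filter assigns to that name


def _host_matches(sni: str, websites: set) -> bool:
    # "bank.example" matches itself and any subdomain such as "www.bank.example"
    return any(sni == w or sni.endswith("." + w) for w in websites)


def matches(rule: Rule, flow: Flow) -> bool:
    """Every populated criterion must match; empty criteria match anything."""
    if rule.src_zone != "ANY" and rule.src_zone != flow.src_zone:
        return False
    if rule.dst_zone != "ANY" and rule.dst_zone != flow.dst_zone:
        return False
    if rule.src_networks and not any(
        ip_address(flow.src_ip) in ip_network(n) for n in rule.src_networks
    ):
        return False
    if rule.groups and flow.group not in rule.groups:
        return False
    if rule.websites and not _host_matches(flow.sni, rule.websites):
        return False
    if rule.categories and flow.category not in rule.categories:
        return False
    return True


def evaluate(rules, flow: Flow):
    """Walk the table top to bottom; the first matching rule decides.

    Returns (rule name, action, profile). A flow that matches nothing is
    reported as passed through undecrypted (an assumption of this model).
    """
    for rule in rules:
        if matches(rule, flow):
            return rule.name, rule.action, rule.profile
    return None, "do_not_decrypt", None


# Constructed stand-ins for the local and Sophos-managed exclusion URL groups.
LOCAL_TLS_EXCLUSIONS = {"bank.example"}
SOPHOS_TLS_EXCLUSIONS = {"updates.vendor.example"}

# Constructed table: exclusion rule, a deny rule, then the chapter's three example rules.
RULES = [
    Rule("Exclusions", "do_not_decrypt",
         websites=LOCAL_TLS_EXCLUSIONS | SOPHOS_TLS_EXCLUSIONS),
    Rule("Block anonymisers", "deny", categories={"Anonymizers"}),
    Rule("Finance strict", "decrypt", "Strict compliance",
         src_zone="LAN", groups={"finance"}),
    Rule("Compatible sites", "decrypt", "Maximum compatibility",
         websites={"legacy-app.example"}),
    Rule("Catch-all", "decrypt", "Block insecure",
         src_zone="LAN", dst_zone="WAN", src_networks=["10.0.0.0/8"]),
]


if __name__ == "__main__":
    for f in [
        Flow("10.1.1.5", "LAN", "WAN", "finance", "erp.example", "Business"),
        Flow("10.1.1.5", "LAN", "WAN", "finance", "www.bank.example", "Finance"),
        Flow("10.1.1.5", "LAN", "WAN", "finance", "legacy-app.example", "Business"),
        Flow("10.2.3.4", "LAN", "WAN", "staff", "legacy-app.example", "Business"),
        Flow("10.2.3.4", "LAN", "WAN", "staff", "proxy.example", "Anonymizers"),
        Flow("10.2.3.4", "LAN", "WAN", "staff", "news.example", "News"),
        Flow("172.16.0.9", "DMZ", "WAN", "svc", "api.example", "Business"),
    ]:
        print(f.group, f.sni, "->", evaluate(RULES, f))
```

Note what the order does: a finance user reaching legacy-app.example hits "Finance strict" before the compatibility rule is ever considered, so that application gets the strict profile for finance staff only. If the application must work for everyone, the compatibility rule has to sit above the finance rule, which is the same position check you make in WebAdmin when you set the rule position.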



TLS Inspection Settings

From the top of the TLS inspection rules tab you can open the TLS inspection settings; these are
generic engine-based settings that will apply globally to all rules.

There are three sections:


• The certificate authorities to use for resigning RSA and EC certificates
• How to handle non-decryptable traffic, this is either insecure traffic that is not supported by TLS
decryption, or what to do if the Sophos Firewall reaches its connection limit. The connection
limit is a fixed value based on the model of the Sophos Firewall
• TLS 1.3 compatibility. TLS 1.3 is still fairly new and not widely adopted, so there is an option to
either decrypt as TLS 1.3 or to downgrade to TLS 1.2



Decryption Profiles

Decryption profiles are configured in SYSTEM > Profiles > Decryption profiles.

Decryption profiles are a collection of settings that are applied on a rule-by-rule basis.

There are three default decryption profiles provided:

• Block insecure, which blocks known weak protocols and ciphers
• Maximum compatibility, the most relaxed profile, focused on ensuring that restrictions do not
cause unexpected problems
• Strict compliance, for organisations that need to meet stricter compliance standards such as PCI DSS



Decryption Profiles

You can also create your own custom decryption profiles, either from scratch or by cloning an
existing profile.

There are three main sections to the profile:

• Re-signing certificate authority, which can either use the CAs defined in the TLS inspection
settings or override them
• Non-decryptable traffic, where you can specify a different set of actions from the TLS inspection
settings
• Enforcement rules, where you can block specific protocols, ciphers and certificate errors. These
can be used to enforce security settings to meet compliance criteria
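To make the enforcement rules and the TLS inspection settings concrete, the Python below is an added example for this chapter, not Sophos Firewall code. It models what a profile's protocol, cipher, key-size and certificate-error checks amount to for one TLS session, and adds a client-side probe that tells you whether a host is actually being decrypted (the server certificate the client sees is issued by the firewall's re-signing CA) and which protocol version was negotiated, which is how you confirm the TLS 1.3 decrypt-or-downgrade setting from a client. The three profile definitions are assumptions chosen to illustrate the names of the three default profiles; the chapter does not list what each default profile blocks, and the real contents may differ. The sample sessions are constructed.

```python
"""What a decryption profile's enforcement rules amount to for one TLS session,
plus a client-side probe that confirms whether a host is being re-signed.

Added example for this chapter, not Sophos Firewall code. The three profile
definitions are assumptions chosen to illustrate the default profile names;
the chapter does not list what each profile actually blocks.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import FrozenSet, Optional

VERSION_ORDER = ["SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2", "TLSv1.3"]

# Assumed profile contents: minimum protocol, cipher-name tokens treated as weak,
# minimum RSA key size, and which certificate errors are fatal.
PROFILES = {
    "Maximum compatibility": dict(
        min_version="TLSv1", weak={"NULL", "EXPORT"},
        min_rsa_bits=1024, blocked_errors=set()),
    "Block insecure": dict(
        min_version="TLSv1.1", weak={"NULL", "EXPORT", "RC4", "DES", "CBC3", "MD5"},
        min_rsa_bits=1024, blocked_errors={"self_signed", "expired"}),
    "Strict compliance": dict(
        min_version="TLSv1.2",
        weak={"NULL", "EXPORT", "RC4", "DES", "CBC3", "MD5", "SHA"},  # "SHA" = SHA-1 HMAC suites
        min_rsa_bits=2048, blocked_errors={"self_signed", "expired", "name_mismatch"}),
}


@dataclass(frozen=True)
class Session:
    version: str                  # as reported by ssl.SSLSocket.version()
    cipher: str                   # OpenSSL cipher name, e.g. "ECDHE-RSA-AES128-GCM-SHA256"
    rsa_bits: Optional[int]       # server RSA key size; None for EC keys or when unknown
    cert_errors: FrozenSet[str]   # validation errors seen on the server certificate


def enforce(profile_name: str, s: Session):
    """Return the reasons the profile blocks this session; an empty list means allowed."""
    p = PROFILES[profile_name]
    reasons = []
    if VERSION_ORDER.index(s.version) < VERSION_ORDER.index(p["min_version"]):
        reasons.append(f"protocol {s.version} below {p['min_version']}")
    # Split the cipher name into its components so "DES-CBC3-SHA" yields DES, CBC3, SHA.
    tokens = set(s.cipher.upper().replace("_", "-").split("-"))
    weak = tokens & p["weak"]
    if weak:
        reasons.append(f"weak cipher component(s) {sorted(weak)}")
    if s.rsa_bits is not None and s.rsa_bits < p["min_rsa_bits"]:
        reasons.append(f"RSA key {s.rsa_bits} bits below {p['min_rsa_bits']}")
    blocked = s.cert_errors & p["blocked_errors"]
    if blocked:
        reasons.append(f"certificate error(s) {sorted(blocked)}")
    return reasons


def probe(host: str, ca_file: Optional[str] = None, port: int = 443, timeout: float = 5.0):
    """Handshake with host and return (version, cipher, issuer CN).

    Run once with ca_file pointing at the firewall's re-signing CA (exported from
    the TLS inspection settings or the profile) and once with the system store
    (ca_file=None). Success with the firewall CA means the session was decrypted
    and re-signed; success only with the system store means the host is excluded
    or not matched by a decrypt rule. version() shows TLSv1.2 when the firewall
    is set to downgrade TLS 1.3. Key size is not exposed by the ssl module, so the
    live result is modelled with rsa_bits=None.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return tls.version(), tls.cipher()[0], issuer.get("commonName")


# Constructed sessions used to exercise the profiles.
MODERN = Session("TLSv1.3", "TLS_AES_256_GCM_SHA384", None, frozenset())
TLS12_OK = Session("TLSv1.2", "ECDHE-RSA-AES128-GCM-SHA256", 2048, frozenset())
SELF_SIGNED = Session("TLSv1.2", "ECDHE-RSA-AES256-GCM-SHA384", 2048, frozenset({"self_signed"}))
LEGACY = Session("TLSv1", "DES-CBC3-SHA", 1024, frozenset({"expired"}))

if __name__ == "__main__":
    for name in PROFILES:
        for s in (MODERN, TLS12_OK, SELF_SIGNED, LEGACY):
            print(f"{name:22} {s.cipher:30} -> {enforce(name, s) or 'allow'}")
    # Live check against a host you expect to be decrypted (path is an assumption):
    # print(probe("www.example.com", ca_file="firewall-resigning-ca.pem"))
```

The point of running the same legacy session through all three profiles is to see why the chapter pairs "Maximum compatibility" with the sites that need it: that profile lets the TLS 1.0, 3DES, expired-certificate session through, "Block insecure" stops it on three counts, and "Strict compliance" adds the key-size failure on top. The probe is the check to make after deploying a rule: if the issuer CN you get back is the firewall's re-signing CA, the rule matched and decryption is in place for that host.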



Simulation: Create a TLS inspection rule on Sophos Firewall

In this simulation you create a TLS inspection rule on Sophos Firewall that will decrypt all
outbound traffic.

https://training.sophos.com/fw/simulation/TlsRule/1/start.html



Chapter Review

Here are the four main things you learned in this chapter.

TLS inspection rules can match on source and destination zones and networks, users, services, and
websites.

TLS inspection exclusions are managed using web URL groups. There are two URL groups by
default, one locally managed and one Sophos managed.

TLS inspection settings are generic engine-based settings that apply globally to all rules.

Decryption profiles contain the settings for which signing CAs to use, how to manage non-
decryptable traffic, and which connections will be blocked based on errors, key size, and
algorithms.
