Sophos Firewall
FW2030: Configuring TLS Decryption on Sophos Firewall
April 2022
Version: 19.0v1
© 2022 Sophos Limited. All rights reserved. No part of this document may be used or reproduced
in any form or by any means without the prior written consent of Sophos.
Sophos and the Sophos logo are registered trademarks of Sophos Limited. Other names, logos and
marks mentioned in this document may be the trademarks or registered trademarks of Sophos
Limited or their respective owners.
While reasonable care has been taken in the preparation of this document, Sophos makes no
warranties, conditions or representations (whether express or implied) as to its completeness or
accuracy. This document is subject to change at any time without notice.
Sophos Limited is a company registered in England number 2096520, whose registered office is at
The Pentagon, Abingdon Science Park, Abingdon, Oxfordshire, OX14 3YP.
DURATION
8 minutes
In this chapter you will learn how to configure TLS decryption for traffic passing through Sophos
Firewall.
The TLS inspection engine in Sophos Firewall is port and application agnostic: it doesn't know or care which higher-level applications are being used.
The TLS policy for the inspection engine is separate from firewall rules. This allows you to create and apply policies to traffic without the complexity of having to consider the ordering and matching of firewall rules.
The TLS inspection engine sends decrypted packets to IPS, application control, web filtering and
antivirus for checking.
The first excludes specific websites from being decrypted and uses two lists: a local list where you can add websites to exclude, and a list managed by Sophos of websites where SSL inspection is known to cause problems.
An example of when this may happen is where there is mutual authentication between the server and the client or application. Both lists can be viewed in PROTECT > Web > URL Groups, and the Local TLS exclusion list can also be edited there.
Match on categories and websites
Each rule has a decryption profile that is a collection of certificate, protocol and cipher settings. We
will look at decryption profiles in more detail shortly.
The matching criteria for TLS inspection rules are the same as for firewall rules, with the addition of being able to match on categories of websites.
As an example, we create a catch-all TLS inspection rule for traffic going to the WAN zone from the
client networks.
Start by giving the rule a descriptive name, set the rule position and select the action.
Select a decryption profile that defines the resigning CAs, acceptable ciphers and how to handle
non-decryptable traffic.
Configure the source and destination settings in the same way that you would for a firewall rule, in
this case to select traffic from clients to the Internet.
You can optionally further restrict the rule to apply to specific websites.
From the top of the TLS inspection rules tab you can open the TLS inspection settings; these are
generic engine-based settings that will apply globally to all rules.
Decryption profiles are a collection of settings that are applied on a rule-by-rule basis.
You can also create your own custom decryption profiles, either from scratch or by cloning an
existing profile.
• And enforcement rules, where you can block specific protocols, ciphers and certificate errors. These can be used to enforce security settings to meet compliance criteria.
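As an added illustration of how these pieces fit together (exclusion lists checked first, then rules in position order, then the matched rule's decryption profile deciding whether to block, drop or decrypt), here is a constructed Python model. It is not Sophos Firewall code; the hosts, zones, categories and profile fields are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed stand-ins for the local and Sophos-managed TLS exclusion URL groups.
LOCAL_TLS_EXCLUSIONS = {"intranet-mtls.example.test"}
SOPHOS_MANAGED_EXCLUSIONS = {"updates.vendor.example.test"}

@dataclass
class DecryptionProfile:
    name: str
    min_tls: tuple = (1, 2)                 # enforcement: block older protocol versions
    blocked_ciphers: set = field(default_factory=lambda: {"RC4", "3DES"})
    block_cert_errors: bool = True          # enforcement: block untrusted/expired server certs
    non_decryptable_action: str = "allow"   # "allow" (pass encrypted) or "drop"
@dataclass
class TlsRule:
    name: str
    action: str                             # "decrypt" or "do_not_decrypt"
    profile: DecryptionProfile
    src_zones: set
    dst_zones: set
    categories: Optional[set] = None        # None: match any website category
@dataclass
class Flow:
    host: str
    src_zone: str
    dst_zone: str
    category: str
    tls_version: tuple
    cipher: str
    cert_error: bool = False
    decryptable: bool = True                # False e.g. when the server demands a client cert

def decide(flow: Flow, rules: list) -> str:
    """Return 'bypass', 'decrypt', 'block' or 'drop' for one TLS flow."""
    if flow.host in LOCAL_TLS_EXCLUSIONS | SOPHOS_MANAGED_EXCLUSIONS:
        return "bypass"                     # exclusion lists are checked before any rule
    rule = next((r for r in rules           # rules are evaluated in position order
                 if flow.src_zone in r.src_zones and flow.dst_zone in r.dst_zones
                 and (r.categories is None or flow.category in r.categories)), None)
    if rule is None or rule.action != "decrypt":
        return "bypass"                     # no matching rule, or a do-not-decrypt rule
    p = rule.profile
    if (flow.tls_version < p.min_tls or flow.cipher in p.blocked_ciphers
            or (flow.cert_error and p.block_cert_errors)):
        return "block"                      # profile enforcement settings
    if not flow.decryptable:
        return "drop" if p.non_decryptable_action == "drop" else "bypass"
    return "decrypt"
```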
https://training.sophos.com/fw/simulation/TlsRule/1/start.html
In this simulation you create a TLS inspection rule on Sophos Firewall that will decrypt all
outbound traffic.
Here are the four main things you learned in this chapter.
• TLS inspection rules can match on source and destination zones and networks, users, services, and websites.
• TLS inspection exclusions are managed using web URL groups. There are two URL groups by default, one locally managed and one Sophos managed.
• TLS inspection settings are generic engine-based settings that will apply globally to all rules.
• Decryption profiles contain the settings for which signing CAs to use, how to manage non-decryptable traffic, and which connections will be blocked based on errors, key size, and algorithms.