Sophos XG v18: How to configure SSL/TLS Inspection on Sophos XG firewall version 18

Table of contents

  1. Overview
  2. Diagram
  3. Deployment situation
  4. How to configure
  5. Testing with 2 PC
  6. Result


This article shows how to configure the SSL/TLS Inspection feature on Sophos XG v18. SSL/TLS Inspection lets the firewall decrypt and scan the encrypted web and application traffic your network exchanges with the Internet, so that threats, viruses and ransomware carried inside encrypted protocols, which a firewall that does not decrypt cannot see, can be detected.


Deployment situation

Enable an SSL/TLS Inspection rule and configure the firewall rule to scan HTTP and decrypt HTTPS on the Sophos XG device.

On PC1 we will install the Sophos CA certificate, to check that once PC1 trusts the certificate its network traffic is decrypted and it can browse normally.

On PC2 we will not install the Sophos certificate, to check that traffic Sophos cannot decrypt is dropped and PC2 cannot browse.

The mobile device will not install the Sophos certificate either, to check that its traffic, which Sophos cannot decrypt, is dropped as well.

How to configure

  • Log in to Sophos XG with an Admin account
  • Go to PROTECT -> Choose Rules and policies -> Go to SSL/TLS inspection rules -> Enable SSL/TLS inspection and click Add to create an SSL/TLS Inspection rule
  • Enter a name for the SSL/TLS Inspection rule
  • In Action: Choose Decrypt
  • Tick Log connections
  • In Decryption profile -> Click Create new
    • Enter a name for the Decryption profile
    • In Re-signing certificate authority -> Choose Use CAs defined in SSL/TLS settings
    • In Non-decryptable traffic: Choose Drop for all items, so that traffic the firewall cannot decrypt is not allowed into the system
    • In Block action -> Choose Reject & notify

-> Click Save

  • In Source zones: Choose LAN
  • In Source networks and devices: Choose Any
  • In Users and groups: Choose Anybody
  • In Destination zones: Choose WAN
  • In Destination networks: Choose Any
  • In Services: Choose Any
  • In Categories and websites: Choose Any

-> Click Save

  • Go to Firewall rules -> Choose the LAN to WAN policy -> In Web filtering, choose Scan HTTP and decrypted HTTPS

Testing with 2 PC

After creating the SSL/TLS Inspection policy

Both PCs cannot access the web

Add Sophos certificate on PC1

  • Go to Certificates -> Choose Certificate authorities -> Click the Download icon on SecurityAppliance_SSL_CA
  • On PC1, add the downloaded certificate: in the search bar, type mmc -> Click File -> Select Add/Remove Snap-in…
  • Choose Certificates -> Click Add -> Choose Computer account if the computer is in a Workgroup, or My user account if the computer is joined to a Domain
  • Choose Local computer -> Click Finish
  • In Certificates -> Go to Trusted Root Certificates -> Choose Certificates -> Right click and choose All Tasks -> Click Import -> Browse to where the downloaded Sophos certificate was saved
  • After adding the certificate


After adding the certificate on PC1

PC1 can access the web normally

PC2 still cannot access the web

Check log
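A quick way to confirm the result on each PC without relying on the browser, as an added example that is not part of the original article: the script below opens a TLS connection with Python's standard ssl module and reports whether the certificate it receives was re-signed by the Sophos CA (decrypted) or is the origin site's own certificate (passthrough). It assumes that re-signed certificates carry SecurityAppliance_SSL_CA as their issuer CN; adjust the constant if your XG shows a different CA name.

```python
import socket
import ssl

# Assumption: decrypted connections carry a leaf certificate whose issuer CN is
# the XG re-signing CA. The name below is the CA downloaded in the steps above;
# compare it with what your browser shows in the certificate's "Issued by".
EXPECTED_CA_CN = "SecurityAppliance_SSL_CA"


def issuer_cn(cert):
    """Return the issuer commonName from a dict in ssl.getpeercert() form."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(cert, expected_cn=EXPECTED_CA_CN):
    """'decrypted' if the leaf was re-signed by the inspection CA,
    'passthrough' if it still carries the origin site's real issuer."""
    return "decrypted" if issuer_cn(cert) == expected_cn else "passthrough"


def fetch_cert(host, port=443, timeout=5):
    """Open a verified TLS connection and return the peer certificate dict.
    Verification uses the OS trust store, so on a PC without the Sophos CA
    (PC2 above) a decrypted connection fails with SSLCertVerificationError,
    the same failure the browser shows."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    try:
        cert = fetch_cert(target)
    except ssl.SSLCertVerificationError as exc:
        print(f"{target}: verify failed ({exc.reason}); inspection CA not trusted?")
    else:
        print(f"{target}: issuer CN={issuer_cn(cert)!r} -> {classify(cert)}")
```

Run it on PC1 and PC2 against the same site: PC1 should report "decrypted", while PC2 should fail verification, which matches the browser results above.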


