Sophos XGS: How to configure SSL/TLS Inspection on Sophos XGS

Overview

This article explains how to configure the SSL/TLS Inspection feature on Sophos XGS. With SSL/TLS Inspection enabled, the firewall can inspect web and application traffic carried over encrypted protocols (SSL, TLS, …), which lets it detect threats, viruses and ransomware transmitted over those encrypted connections and enforce secure connections between clients and servers on the internet.

Diagram

Configuration steps

  • Enable SSL/TLS Inspection
  • Configure SSL/TLS Inspection
  • Create firewall rule scan HTTP and decrypted HTTPS
  • Check the network access of PC1 and PC2 before the certificate has been added to either PC
  • Check log and dashboard when the certificate has not been added to either PC
  • Download Sophos certificate
  • Add Sophos certificate to PC1
  • Perform network access test of PC1 and PC2
  • Check log and dashboard

How to configure

Enable SSL/TLS Inspection

  • Log in to Sophos XGS by Admin account
  • Go to PROTECT -> Choose Rules and policies -> Choose SSL/TLS inspection rules -> Enable SSL/TLS inspection, then click Add to create a new SSL/TLS rule

Configure SSL/TLS Inspection

  • Enter a name for the SSL/TLS Inspection rule
  • In Action: Choose Decrypt
  • Tick Log connections
  • In Decryption profile -> Click Create new
    • Enter a name for the Decryption profile
    • In Re-signing certificate authority -> Choose Use CAs defined in SSL/TLS settings
    • In Non-decryptable traffic: Choose Drop in all sections, so that traffic the firewall cannot decrypt is dropped instead of being allowed into the system uninspected
    • In Block action: Choose Reject & notify
    • Click Save
  • Turn off Exclusions by website

Create firewall rule scan HTTP and decrypted HTTPS

  • In the LAN to WAN rule, tick Scan HTTP and decrypted HTTPS
  • Click Save

Check the network access of PC1 and PC2 before the certificate has been added to either PC

PC1

PC2

Check log and dashboard when the certificate has not been added to either PC

  • PC1 -> Traffic that cannot be decrypted is dropped -> As a result, web access is dropped
  • PC2 -> Traffic that cannot be decrypted is dropped -> As a result, web access is dropped
  • Dashboard

Download Sophos certificate

  • Go to SYSTEM -> Choose Certificates -> Choose Certificate authorities -> Click the download icon next to SecurityAppliance_SSL_CA

Add Sophos certificate to PC1 (PC1 is domain-joined)

  • On PC1 -> In the search box, enter mmc -> Click File -> Choose Add/Remove Snap-in…
  • Choose Certificates -> Click Add -> Click OK
  • In Certificates – Current User -> Expand Trusted Root Certification Authorities -> Right-click Certificates -> Choose All Tasks -> Click Import…
  • Click Next
  • Click Browse…
  • Select All files -> Choose the certificate file that was downloaded earlier
  • Click Next
  • Click Next
  • Click Finish
  • Choose Yes
  • Click OK
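The same import can be done from PowerShell, which is easier to repeat on several PCs. The script below is an added example and is not part of the original article or Sophos' own tooling; the file name and location in $CertPath are assumptions (use wherever you saved the download from the previous step). It first prints the subject, thumbprint and validity of the downloaded CA so you can confirm you are trusting the right certificate, then imports it into the current user's Trusted Root store and verifies that it is present.

```powershell
# Added example (not from the article): install the Sophos re-signing CA into the
# current user's Trusted Root store, equivalent to the MMC steps above.
# Assumed: the downloaded CA file is saved at $CertPath (name and extension are assumptions).
$CertPath = "$env:USERPROFILE\Downloads\SecurityAppliance_SSL_CA.pem"

# Load and inspect the certificate before trusting it.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CertPath)
$basic = $ca.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}

"Subject    : $($ca.Subject)"
"Issuer     : $($ca.Issuer)"
"Thumbprint : $($ca.Thumbprint)"
"Valid      : $($ca.NotBefore) -> $($ca.NotAfter)"
"Is CA      : $($basic.CertificateAuthority)"

# A re-signing certificate must be a CA and should be self-signed (subject == issuer).
if (-not $basic.CertificateAuthority -or $ca.Subject -ne $ca.Issuer) {
    throw "This file is not a self-signed CA certificate; refusing to add it to Trusted Root."
}

# Import into CurrentUser\Root. Windows shows the same security warning dialog as the
# MMC wizard ("Choose Yes" above); confirm it to complete the import.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\CurrentUser\Root' | Out-Null

# Verify the CA is now in the store by thumbprint.
$installed = Get-ChildItem 'Cert:\CurrentUser\Root' | Where-Object Thumbprint -eq $ca.Thumbprint
if ($installed) { "Installed in Trusted Root: $($installed.Subject)" }
else            { throw "Import did not succeed; the CA is not in Cert:\CurrentUser\Root." }
```

Run it in a normal (non-elevated) PowerShell session as the user who will browse, since the article installs the certificate under Certificates – Current User. Because PC1 is domain-joined, the same certificate is normally distributed to many PCs through Group Policy (Trusted Root Certification Authorities) instead of per-user imports; the per-user import shown here matches the article's single-PC walkthrough.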

Perform network access test of PC1 and PC2

  • PC1 -> After adding the certificate, the web can be accessed
  • PC2 -> Certificate not added -> The website cannot be accessed
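The browser result only tells you that a page loads or fails. To see why, it helps to look at the certificate the client actually receives: when inspection is working, the leaf certificate for any decrypted site is issued by the Sophos CA rather than by the site's real CA, and on PC2 that chain is untrusted. The function below is an added example, not from the article or from Sophos; it assumes the downloaded CA file is at $CaFile (path and extension are assumptions) and that the host name you test is one the firewall decrypts. On PC1 expect Inspected = True and Trusted = True; on PC2 expect Inspected = True and Trusted = False with a chain status such as UntrustedRoot.

```powershell
# Added example (not from the article): from a client PC, report whether an HTTPS connection
# is being decrypted and re-signed by the Sophos XGS, and whether the re-signed chain is trusted.
# Assumed: the downloaded CA file is at $CaFile (name and extension are assumptions).
function Test-TlsInspection {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443,
        [string]$CaFile = "$env:USERPROFILE\Downloads\SecurityAppliance_SSL_CA.pem"
    )
    $sophosCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($CaFile)
    $client   = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept any certificate during the handshake; trust is evaluated separately below,
        # so the PC2 case (untrusted re-signing CA) is reported instead of throwing.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            # Build the chain with the client's own stores, exactly as a browser on this PC would.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
            $trusted = $chain.Build($leaf)
            [pscustomobject]@{
                Host        = $HostName
                LeafSubject = $leaf.Subject
                LeafIssuer  = $leaf.Issuer
                # Inspected when the leaf was signed by the Sophos re-signing CA.
                Inspected   = ($leaf.Issuer -eq $sophosCa.Subject)
                Trusted     = $trusted
                ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
            }
        } finally { $ssl.Dispose() }
    } catch {
        # A reset or dropped connection (e.g. non-decryptable traffic with the Drop action) lands here.
        [pscustomobject]@{ Host = $HostName; Error = $_.Exception.Message }
    } finally { $client.Dispose() }
}

# Usage: test a site that the firewall decrypts (host name is a placeholder).
Test-TlsInspection -HostName 'www.example.com' | Format-List
```

If Inspected is False and LeafIssuer shows the site's public CA, the connection bypassed the rule (for example because of an exclusion or because the firewall rule is not set to scan decrypted HTTPS). The Error case with a reset connection matches the dropped traffic seen in the log check above.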

Check log and dashboard

Dashboard
