Roll Out Sophos Firewall TLS Inspection Properly
A large share of today’s web traffic is encrypted. Without TLS Inspection, the firewall often sees only the destination IP, SNI, certificate information and metadata, but not the actual content of the connection.
This is a security problem: many protection functions cannot inspect encrypted payloads, or can do so only with significant limitations. Malware scanning, Web Protection, zero-day analysis, content scanning and parts of application or threat detection become truly effective only when the firewall can decrypt TLS traffic, inspect it and then encrypt it again. IPS and NDR also benefit from more clear-text visibility. Without decryption, many signals remain limited to metadata, certificates, IPs, domains or protocol information.
TLS Inspection is not a feature that should be enabled for all users without preparation. It can disrupt applications, raise data protection questions and put more load on the firewall. That is why TLS Inspection should be introduced in a planned, gradual way with a clear exclusion strategy.
Licence and requirements
For TLS Inspection and meaningful analysis of decrypted traffic, the correct protection licences are required.
The most important modules are:
- Web Protection: Includes Web Security, Web Control, Application Control and Web Malware Protection.
- Network Protection: Includes IPS, Security Heartbeat and other network protection functions.
- Zero-Day Protection: Becomes important when files or downloads should additionally be analysed using machine learning or sandboxing.
Web Protection is included in the Standard Protection licence bundle. Xstream Protection and Epic Protection also include Web Protection and additional protection modules. Sophos describes the licence modules in the official overview: Sophos Firewall licensing info.
Before the rollout, check the following:
- Current Sophos Firewall firmware is installed.
- Web Protection is licensed.
- The firewall CA certificate is distributed to clients.
- A test group or test network is defined.
- Rollback is documented.
- The exception process is clear.
- Logging is enabled.
If the CA certificate has not yet been distributed, see Install Sophos Firewall CA certificate for HTTPS scanning.
⚠️ TLS Inspection can disrupt applications that use certificate pinning or perform their own certificate checks. Always start with a test group and not with all users at once.
DPI or Web Proxy?
Sophos Firewall can implement HTTPS decryption in two operating modes:
- DPI Mode: The firewall rule uses the DPI engine. SSL/TLS Inspection Rules under Rules and policies > SSL/TLS inspection rules decide what is decrypted.
- Web Proxy Mode: The firewall rule uses the Web Proxy. HTTPS decryption is then controlled through the Web Proxy settings and Web Policies.
Modern setups often use DPI Mode. The firewall rule is important here:
- Open Rules and policies > Firewall rules.
- Edit the affected LAN-to-WAN rule.
- Open Security features > Web filtering.
- Enable the appropriate Web Policy.
- Enable Scan HTTP and decrypted HTTPS.
- Leave Use web proxy instead of DPI engine disabled if the SSL/TLS Inspection Rules should apply.
If Use web proxy instead of DPI engine is enabled, web traffic goes through the Web Proxy. HTTP/HTTPS then follows different decryption settings than DPI-based SSL/TLS Inspection Rules.
Sophos explains this difference in the guide Configure SSL/TLS inspection and decryption.
Which traffic should be decrypted?
You should not blindly decrypt everything. Good TLS Inspection starts with clear goals.
Good first targets:
- LAN > WAN: classic user web traffic to the internet.
- Wi-Fi > WAN: managed clients on the company Wi-Fi.
- VPN > WAN: Remote Access users if their internet traffic passes through the firewall.
- LAN > DMZ: internal access to your own servers if security inspection is required and certificates are distributed correctly.
Handle with care:
- Banking, healthcare, government and highly sensitive portals.
- Password managers and identity providers.
- Operating system and vendor update services.
- Mobile apps and Android devices.
- Applications with certificate pinning.
- Voice, video and collaboration services if decryption makes them unstable.
For server publishing from the internet into the DMZ, TLS Inspection is not automatically the best solution. For web servers, Web Server Protection / WAF or a reverse proxy is often more suitable.
Rollout strategy
A staged approach has proven effective:
- Distribute the CA certificate.
- Prepare Web Policy and firewall rule.
- Select a Decryption Profile.
- Define a small test group.
- Enable the SSL/TLS Inspection Rule only for this group.
- Monitor Control Center and Log Viewer.
- Analyse errors and document exclusions cleanly.
- Gradually expand to further user groups.
This reveals early which applications cause problems without affecting the entire business.
Understand Decryption Profiles
A Decryption Profile defines how strictly the firewall handles TLS connections. Profiles are found under Profiles > Decryption profiles.
A Decryption Profile answers questions such as:
- What happens with invalid or untrusted certificates?
- Are old TLS versions blocked?
- Are insecure cipher suites blocked?
- What happens with SSL compression?
- What happens with unrecognised cipher suites?
- What happens if the firewall cannot decrypt a connection?
- Which CA is used for re-signing?
For an initial rollout, a more compatible profile is useful, such as Maximum compatibility or a custom conservative profile. For production security rules, a stricter profile such as Block insecure SSL can be used later.
Important: The Decryption Profile is selected directly in the SSL/TLS Inspection Rule. Sophos notes that the profile can override the global SSL/TLS inspection settings for this rule.
Create an SSL/TLS Inspection Rule
The menu path is Rules and policies > SSL/TLS inspection rules.
A first rule should be as targeted as possible:
- Action: Decrypt
- Decryption profile: conservative test profile
- Source zones: LAN or test network
- Source networks and devices: test group or test subnet
- Destination zones: usually WAN
- Destination networks: initially Any
- Services: often Any for the start, because SSL/TLS can also be detected on other TCP ports
- Websites / Categories: optionally restrict
Sophos explains that SSL/TLS Inspection Rules can detect SSL/TLS connections on any TCP port. The rules are processed from top to bottom. Specific rules should therefore be placed above general rules.
Official documentation: SSL/TLS inspection rules.
Exclusion Lists
Not all TLS traffic should be decrypted. Sophos uses Exclusion Rules and TLS Exclusion Lists for this.
Local TLS Exclusion List
The Local TLS exclusion list is the local exclusion list on the firewall. It is empty by default and can be populated through troubleshooting in Control Center or Log Viewer.
It can also be edited manually:
Web > URL groups > Local TLS exclusion list
This list is useful for domains that cause issues in your own environment, for example because of certificate pinning or special client applications.
Managed TLS Exclusion List
The Managed TLS exclusion list contains Sophos-managed exclusions for known problematic services. This list is updated through firmware updates.
Typical examples are services where TLS Inspection is known to cause problems or is technically not useful.
Custom Exclusion Rules
You can also create custom SSL/TLS Inspection Rules with Action > Don’t decrypt. These should sit directly below the default exclusion rule and include only traffic that really should not be decrypted.
Possible criteria:
- Web categories
- URL Groups
- Users and groups
- Source and destination networks
- IP addresses
- Services
Exclusions should be documented: domain, reason, affected users, date and review date.
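The ordering point made above (rules are processed top to bottom, specific before general) and the placement advice for custom Don't decrypt rules can be checked with a small first-match model. This is an added illustration, not Sophos code and not the firewall's real matching engine; the rule names, the subnet 10.10.50.0/24 and the category name are constructed.

```python
"""First-match model of SSL/TLS inspection rule ordering (illustrative only)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class InspectionRule:
    name: str
    action: str                                   # "Decrypt" or "Don't decrypt"
    source_zones: set = field(default_factory=lambda: {"Any"})
    source_networks: list = field(default_factory=list)   # CIDRs; empty = Any
    dest_zones: set = field(default_factory=lambda: {"Any"})
    categories: set = field(default_factory=set)          # empty = Any

    def matches(self, conn):
        """True when every criterion set on the rule matches the connection."""
        if "Any" not in self.source_zones and conn["src_zone"] not in self.source_zones:
            return False
        if "Any" not in self.dest_zones and conn["dst_zone"] not in self.dest_zones:
            return False
        if self.source_networks:
            ip = ipaddress.ip_address(conn["src_ip"])
            if not any(ip in ipaddress.ip_network(n) for n in self.source_networks):
                return False
        if self.categories and conn["category"] not in self.categories:
            return False
        return True


def evaluate(rules, conn):
    """Rules are processed top to bottom; the first match decides the action."""
    for rule in rules:
        if rule.matches(conn):
            return rule.name, rule.action
    return None, "Don't decrypt"   # assumption: no matching rule means no decryption


# Constructed rule set: a category exclusion and a general test-group decrypt rule.
EXCLUDE_BANKING = InspectionRule("Exclude banking", "Don't decrypt",
                                 categories={"Banking (constructed)"})
DECRYPT_TEST = InspectionRule("Decrypt test group", "Decrypt", source_zones={"LAN"},
                              source_networks=["10.10.50.0/24"], dest_zones={"WAN"})
GOOD_ORDER = [EXCLUDE_BANKING, DECRYPT_TEST]   # exclusion above the general rule
BAD_ORDER = [DECRYPT_TEST, EXCLUDE_BANKING]    # general rule shadows the exclusion

if __name__ == "__main__":
    conn = {"src_zone": "LAN", "src_ip": "10.10.50.23", "dst_zone": "WAN",
            "category": "Banking (constructed)"}
    print(evaluate(GOOD_ORDER, conn))   # ('Exclude banking', "Don't decrypt")
    print(evaluate(BAD_ORDER, conn))    # ('Decrypt test group', 'Decrypt')
```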
Monitor the dashboard widget
In Control Center, there is a widget for SSL/TLS Inspection. This widget is very helpful for monitoring rollout and errors.
It shows, among other things:
- Share of decrypted SSL/TLS sessions.
- Share of undecrypted SSL/TLS sessions.
- Other traffic.
- Errors from recent days.
- Top websites or top users with problems.
- Decryption peak and decryption limit.
If many errors appear in the widget, do not immediately disable all TLS Inspection. It is better to use Fix errors to examine the affected destinations and create clean exclusions if needed.
Analyse Log Viewer
In Log Viewer, select the SSL/TLS inspection filter. This shows what happened to individual connections.
The colours help with the first assessment:
- Red: Error. The connection could not be decrypted or processed correctly. Check certificate errors, cipher suites, TLS versions or incompatible applications.
- Green: Do not decrypt. The connection was intentionally not decrypted, for example because of an Exclusion Rule or a TLS Exclusion List.
- Blue: Decrypt. The connection was decrypted and then forwarded encrypted again.
The log also shows Decryption Profile, source IP, destination IP, user, category and destination domain. This makes it possible to check whether the correct rule matched and whether an exclusion really applies.
Tests
After enabling TLS Inspection, check the following:
- Is the Sophos CA certificate used in the browser?
- Do important business applications work?
- Are there TLS errors in Log Viewer?
- Are malware or Web Policy events detected correctly?
- Is traffic shown as decrypted in the Control Center widget?
- Does firewall performance remain within the expected range?
- Are there complaints from test users?
For troubleshooting, Log Viewer, Policy Test, the browser certificate view, Packet Capture and the SSL/TLS Inspection widget are especially helpful.
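The first three test questions can be answered from a client in the test subnet without opening the browser certificate view for every site. The following script is an added example, not part of the article or a Sophos tool: it connects to each destination with the system trust store and reports whether the chain was re-signed by the firewall CA (decrypted), passed through unchanged (excluded), or failed (CA not trusted, certificate pinning or another error). The CA common name and the host list are assumptions to replace with your own values.

```python
"""Client-side check: which destinations does the firewall actually decrypt?"""
import socket
import ssl

# Assumption: the commonName your Sophos Firewall CA shows as issuer on
# re-signed certificates. Placeholder value; read it from the distributed CA.
FIREWALL_CA_CN = "Sophos Firewall CA (PLACEHOLDER)"


def issuer_cn(peercert):
    """Return the issuer commonName from an ssl.getpeercert() dictionary."""
    for rdn in peercert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def classify(peercert, firewall_ca_cn=FIREWALL_CA_CN):
    """Map a verified peer certificate to the Log Viewer outcome it implies."""
    cn = issuer_cn(peercert)
    if cn is None:
        return "error"            # no usable issuer: treat as a problem
    if cn == firewall_ca_cn:
        return "decrypt"          # chain re-signed by the firewall CA
    return "do-not-decrypt"       # original server chain passed through


def probe(host, port=443, timeout=5.0):
    """Connect using the system trust store and classify the outcome."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return classify(cert), issuer_cn(cert)
    except ssl.SSLCertVerificationError as exc:
        # Chain not trusted: typically the firewall CA is missing on this
        # client, which is exactly what the CA distribution check should catch.
        return "error", f"verification failed: {exc.verify_message}"
    except (ssl.SSLError, OSError) as exc:
        return "error", str(exc)   # handshake or connection failure (pinning, reset, ...)


if __name__ == "__main__":
    # Constructed host list; replace with destinations your test group really uses.
    for host in ("www.example.com", "www.example.net"):
        outcome, detail = probe(host)
        print(f"{host:24} {outcome:16} {detail}")
```

Run it once before enabling the rule (everything should report do-not-decrypt) and again afterwards; a destination that flips to error instead of decrypt is a candidate for the exclusion list, with the reason recorded as described above.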
Rollback
If issues occur, a clear rollback should be possible:
- Disable the SSL/TLS Inspection Rule.
- Remove the test group from the rule.
- Relax the Decryption Profile.
- Add an exclusion for the affected domain or application.
- Switch the firewall rule back to Web Proxy if this is intentionally required.
Sophos notes that SSL/TLS Inspection Rules and the SSL/TLS engine must be enabled for Control Center and Log Viewer to show the details. If you disable SSL/TLS Inspection for troubleshooting, enable it again afterwards.
Recommendation
TLS Inspection is not a one-click project. Introduced properly, however, it provides significantly more visibility and improves the effectiveness of Web Protection, malware scanning, IPS, NDR and zero-day functions.
For production environments, we recommend:
- Start with LAN-to-WAN for a small test group.
- Distribute the CA certificate cleanly.
- Choose DPI or Web Proxy mode deliberately.
- Do not start with a Decryption Profile that is too aggressive.
- Monitor Log Viewer and the dashboard daily.
- Document exclusions and review them regularly.
- Roll out further only after successful tests.