{"id":1635,"date":"2020-07-29T06:00:16","date_gmt":"2020-07-29T06:00:16","guid":{"rendered":"https:\/\/partnernews.sophos.com\/en-us\/?p=1635"},"modified":"2020-08-05T12:53:43","modified_gmt":"2020-08-05T12:53:43","slug":"making-the-most-of-xg-firewall-v18-part-2","status":"publish","type":"post","link":"https:\/\/partnernews.sophos.com\/en-us\/2020\/07\/products\/making-the-most-of-xg-firewall-v18-part-2\/","title":{"rendered":"Making the Most of XG Firewall v18 \u2013 Part 2"},"content":{"rendered":"<p>Network traffic encryption levels continue to steadily increase.\u00a0 In the last year, the percentage of pages loaded over HTTPS as reported by Google has increased from 82% to 87% on the Windows platform. It\u2019s even higher on Macs at 93%. At this rate, we are not far away from a 100% TLS-encrypted Internet.<\/p>\n<p>In this second article in a series on making the most of the great new features in XG Firewall v18, we\u2019re going to focus specifically on the resources available to help you and your customers make the most of the new Xstream TLS 1.3 inspection solution in XG Firewall v18.<\/p>\n<h2>Xstream TLS Inspection<\/h2>\n<p>In our last article, we covered the <a href=\"https:\/\/partnernews.sophos.com\/en-us\/2020\/07\/products\/making-the-most-of-xg-firewall-v18\/\">Xstream Architecture and the new Xstream DPI engine<\/a> in XG Firewall v18.\u00a0 The new TLS Inspection solution is a key component of the new architecture and provides decryption for TLS\/SSL encrypted traffic with native support for the latest TLS 1.3 standard.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter wp-image-1638 size-large\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xstream-tls-inspection.png?w=640\" alt=\"\" width=\"640\" height=\"339\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xstream-tls-inspection.png 936w, 
https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xstream-tls-inspection.png?resize=300,159 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xstream-tls-inspection.png?resize=768,407 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>With most traffic flows transiting the firewall now encrypted, TLS inspection is absolutely critical to opening up this enormous blind spot so the firewall can do its job and inspect content coming into the network. As we will discuss in the next article in this series, the DPI engine can be extremely effective at identifying new zero-day variants of ransomware and other threats, but only if it\u2019s able to inspect the traffic unencrypted.<\/p>\n<h2>How it Works<\/h2>\n<p>Encrypted traffic flows destined to be examined by the new DPI engine are passed to the TLS inspection engine for decryption before being inspected. After inspection, the flow is re-encrypted and sent on to its destination. 
If you\u2019re interested in learning more about how TLS encryption and inspection work, and why it\u2019s important, I suggest reviewing these two great assets on the topic:<\/p>\n<ul>\n<li><a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/Gated-Assets\/white-papers\/sophos-encryption-firewall-wp.pdf\">TLS Inspection White Paper<\/a><\/li>\n<li><a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/f\/recommended-reads\/121482\/https-decrypt-and-scan-faq\">HTTPS Decrypt FAQ<\/a><\/li>\n<\/ul>\n<p>The new Xstream TLS Inspection engine in XG Firewall v18 offers a number of compelling benefits that make it the ideal solution for today\u2019s modern encrypted internet:<\/p>\n<ul>\n<li>High performance \u2013 with high connection capacity<\/li>\n<li>Unmatched visibility into encrypted traffic flows and surfacing errors<\/li>\n<li>Easy tools to deal with errors and handle exceptions with just a few clicks<\/li>\n<li>Support for TLS 1.3 without downgrading<\/li>\n<li>Support for all modern cipher suites with robust certificate validation<\/li>\n<li>Inspection of all traffic, application- and port-agnostic<\/li>\n<li>Powerful and flexible policy tools enabling the perfect balance of performance, privacy, and protection<\/li>\n<\/ul>\n<h2>Getting Started with TLS Inspection<\/h2>\n<p>As we mentioned in the last article, taking advantage of the new TLS inspection engine in XG Firewall v18 is super easy. 
It essentially requires checking one box in the firewall to activate it and then creating a rule on the new SSL\/TLS Inspection Rules tab as shown below.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"framed-image aligncenter wp-image-1639 size-large\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/getting-started-with-tls-inspection.png?w=640\" alt=\"\" width=\"640\" height=\"362\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/getting-started-with-tls-inspection.png 936w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/getting-started-with-tls-inspection.png?resize=300,170 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/getting-started-with-tls-inspection.png?resize=768,435 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<p>For a quick 5-minute overview of how to create SSL\/TLS inspection rules, watch this short how-to video:<\/p>\n<p><iframe loading=\"lazy\" src=\"https:\/\/player.vimeo.com\/video\/373969240\" width=\"640\" height=\"360\" frameborder=\"0\" allowfullscreen=\"allowfullscreen\"><\/iframe><\/p>\n<p>For a detailed explanation and step-by-step guide to creating SSL\/TLS inspection rules and decryption profiles, check out the online documentation:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/nsg\/sfos\/tasks\/FirewallSSLTLSRuleAdd.html\">SSL\/TLS Inspection Rules<\/a><\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/nsg\/sfos\/tasks\/DecryptionProfileAdd.html\">Decryption Profiles<\/a><\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/nsg\/sfos\/concepts\/FirewallSSLTLSSettings.html\">SSL\/TLS Inspection Settings<\/a><\/li>\n<li><a 
href=\"https:\/\/community.sophos.com\/kb\/en-us\/123048\">Deploying the SSL CA certificate<\/a><\/li>\n<\/ul>\n<p>It is recommended that customers start gradually with TLS inspection, on a limited sub-estate of their network or a few test systems. This will allow them to build expertise with the new TLS inspection solution and explore the new rules, logging, reporting, and error-handling options.<\/p>\n<p>Not all applications and servers fully and properly support TLS inspection, so we advise administrators to monitor the Control Center for errors and take advantage of the convenient built-in tools to exclude problematic sites or services. XG Firewall comes with two pre-packaged TLS inspection rules out of the box that make exclusions easy. By default, they exclude trusted domains known to be incompatible with TLS decryption, such as iCloud, some Microsoft domains, and others. Administrators can easily customize these rules through the widget on the Control Center as issues arise, or by updating those exclusion rules directly.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"framed-image aligncenter wp-image-1640 size-large\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center.png?w=640\" alt=\"\" width=\"640\" height=\"468\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center.png 936w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center.png?resize=300,219 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center.png?resize=768,561 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<h6 style=\"text-align: center;\"><em>The new widget on the Control Center provides at-a-glance insights<br \/>\ninto your encrypted traffic flows and any issues.<\/em><\/h6>\n<p><img loading=\"lazy\" decoding=\"async\" 
class=\"framed-image aligncenter wp-image-1641 size-large\" src=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center-1.png?w=640\" alt=\"\" width=\"640\" height=\"352\" srcset=\"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center-1.png 788w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center-1.png?resize=300,165 300w, https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/07\/xg-control-center-1.png?resize=768,423 768w\" sizes=\"auto, (max-width: 640px) 100vw, 640px\" \/><\/p>\n<h6 style=\"text-align: center;\"><em>Drill down to identify the cause of issues and fix them with just a few clicks.<\/em><\/h6>\n<p>Once you and your customers are comfortable with the DPI engine and TLS inspection, we recommend applying it more broadly across their networks. When you\u2019re ready for broader TLS inspection and wish to push the CA certificate out to more systems, we recommend using the wizard built into the Microsoft Active Directory Group Policy Management tools to make this task quick and easy.<\/p>\n<p>As you roll out TLS inspection more broadly, carefully monitor the firewall\u2019s system performance metrics to ensure the hardware is not becoming a bottleneck. While the Xstream Architecture in XG Firewall v18 offers tremendous performance gains for TLS inspection, going from inspecting 0% of encrypted traffic to 80-90% of your TLS traffic may have an impact on performance depending on your firewall\u2019s normal load. If the firewall could benefit from some extra headroom, consider a hardware refresh to a current higher-capacity model. 
It\u2019s definitely not worth taking the risk of NOT inspecting TLS traffic given the rate at which hackers and attackers are <a href=\"https:\/\/www.sophos.com\/en-us\/medialibrary\/Gated-Assets\/white-papers\/sophos-encryption-firewall-wp.pdf\">utilizing this enormous blind spot to their advantage<\/a>.<\/p>\n<p>Here\u2019s a summary of the resources available to help make the most of the new features in XG Firewall v18, including Xstream TLS Inspection:<\/p>\n<ul>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/startup\/nsg\/sfos\/concepts\/ControlCenterOverview.html\">XG Firewall getting started guide<\/a><\/li>\n<li><a href=\"https:\/\/docs.sophos.com\/nsg\/sophos-firewall\/18.0\/Help\/en-us\/webhelp\/onlinehelp\/index.html\">Full online XG Firewall documentation<\/a><\/li>\n<li><a href=\"https:\/\/www.sophos.com\/en-us\/support\/products\/xg-firewall\/how-to-library.aspx#newVersion\">How-to videos on what\u2019s new in v18<\/a><\/li>\n<li><a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/f\/recommended-reads\/121482\/https-decrypt-and-scan-faq\">In-depth FAQ on HTTPS decryption<\/a><\/li>\n<li><a href=\"https:\/\/community.sophos.com\/products\/xg-firewall\/f\/recommended-reads\">A full list of recommended community articles on v18<\/a><\/li>\n<\/ul>\n<h2>Selling XG Firewall<\/h2>\n<p>On the Sophos partner portal, we provide you with a wealth of\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10929\" target=\"_blank\" rel=\"noopener noreferrer\">sales assets<\/a>. You may filter the list of assets by selecting a category to narrow down the results. And don\u2019t forget to check whether there is a\u00a0<a href=\"https:\/\/partners.sophos.com\/prm\/English\/s\/assets?collectionId=10956\" target=\"_blank\" rel=\"noopener noreferrer\">sales promotion<\/a>\u00a0available for your region. 
It\u2019s worth checking back from time to time to make sure you\u2019re not missing out on a great opportunity!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Xstream TLS Inspection for a modern encrypted Internet<\/p>\n","protected":false},"author":19,"featured_media":300000607,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"advanced_seo_description":"","jetpack_seo_html_title":"","jetpack_seo_noindex":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[2],"tags":[38],"coauthors":[58],"class_list":["post-1635","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-products","tag-xg-firewall"],"jetpack_featured_media_url":"https:\/\/partnernews.sophos.com\/en-us\/wp-content\/uploads\/sites\/3\/2020\/02\/xg-firewall-v18-1600x-960-horizontal.jpg","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1635","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/users\/19"}],"replies":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/comments?post=1635"}],"version-history":[{"count":11,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1635\/revisions"}],"predecessor-version":[{"id":1695,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/posts\/1635\/revisions\/1695"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/media?parent=1635"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/part
nernews.sophos.com\/en-us\/wp-json\/wp\/v2\/categories?post=1635"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/tags?post=1635"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/partnernews.sophos.com\/en-us\/wp-json\/wp\/v2\/coauthors?post=1635"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}