Release notes:
XG Firewall v18 GA-Build339 Enhancements:
This version adds v17.5 MR10 to v18.0 GA-Build339 upgrade and config migration support.
This version introduces the ability to disable SSL/TLS inspection rules, with a new toggle switch on Rules and Policies > SSL/TLS inspection rules. This is set to ‘Off’ by default for customers upgrading from SFOS version 17.5, to avoid potential behavioral changes on upgrade. You must turn it on to enable the new Xstream SSL/TLS decryption functionality, including the SSL/TLS traffic statistics on the Control Center.
When SSL/TLS inspection is set to ‘On’:
- All traffic will be inspected to determine if it is SSL/TLS or not.
- SSL/TLS decryption rules will be applied and connections will be logged as required by the rules.
- SSL/TLS traffic statistics will be updated and shown on the Control Center.
When SSL/TLS inspection is set to ‘Off’:
- No SSL/TLS decryption rules are evaluated or applied.
- No traffic is decrypted by the DPI Engine. Traffic handled by the Web Proxy will still be decrypted, based on firewall rule configuration.
- No SSL/TLS statistics are gathered. The statistics shown on the Control Center will no longer update.
- For traffic matching firewall rules that have a web policy set, and that are not configured to use the web proxy, the DPI Engine still uses SSL/TLS inspection to enforce policy on non-decrypted HTTPS connections.
There is an additional control in Rules and Policies > SSL/TLS inspection rules > SSL/TLS inspection settings > Advanced settings labeled ‘SSL Engine’. If this is set to ‘Disable’, the SSL/TLS inspection engine will not be used at all. This option is only intended to be used for troubleshooting as directed by Sophos Support. When ‘SSL Engine’ is set to ‘Disable’:
- No SSL/TLS decryption rules will be evaluated or applied.
- No traffic will be decrypted (unless it is being handled by the Web Proxy, based on firewall rule configuration).
- No SSL/TLS statistics will be gathered. The statistics shown on the Control Center will no longer update.
- The DPI Engine will be unable to apply web policy to any HTTPS traffic. This applies to traffic matching a firewall rule that has a Web policy set, and that is not using the Web proxy.
Plus, several important issues have been resolved:
- NC-54339 [Config Migration Framework] v17.5 MR-10 to v18.0 GA migration support
- NC-56550 [Policy Routing] SD-WAN policy routing screen smudge with blue strip
- NC-56201 [RED] Backup/Restore failed from v17.5 MR to v18 with specific RED configuration
- NC-56397 [Web] User getting certificate error