TTechclick ⚡ XP 0% All lessons
Sophos · Next-Gen Firewall · Xstream TLS InspectionInteractive · L1 / L2 / L3

Sophos Xstream TLS 1.3 Inspection — Rules, Profiles & HTTPS Without Breakage

Almost all web traffic is encrypted, so a firewall that can't decrypt is blind to threats hiding in HTTPS. Sophos Firewall's Xstream TLS inspection opens that traffic up — natively for TLS 1.3 — scans it once for every engine, then re-encrypts it. This lesson maps the separate TLS rule table, the decryption profiles, the CA re-sign model, and exactly how to roll it out without breaking banking, updates or pinned apps.

📅 2026-06-19 · ⏱ 16 min · 5 infographics · live HTTPS demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Sophos Firewall Xstream TLS 1.3 inspection (2026): why encrypted traffic is a blind spot, the high-performance Xstream decryption engine that handles TLS 1.3 natively, the separate top-down TLS rule table, decryption profiles and the CA re-sign model — plus exclusions, certificate pinning and a safe rollout that doesn't break banking or updates.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why decrypt

Most traffic is TLS; threats hide in the encrypted blind spot.

 2

The Xstream engine

Native TLS 1.3, FastPath, a separate TLS rule table.

 3

Profiles & the CA

Re-sign model, deploy the CA, decrypt once scan many.

 4

Without breaking it

Exclusions, certificate pinning and a safe rollout.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can a firewall scan threats inside HTTPS without decrypting it?

Answered in Why decrypt.

2. Does Xstream downgrade TLS 1.3 to 1.2 to inspect it?

Answered in The Xstream engine.

3. Why might users see certificate warnings after you turn on decryption?

Answered in Profiles & the CA.

Most engineers think…

Most people assume 'the firewall already protects us, so HTTPS is fine'. In reality, if the firewall can't decrypt, the encrypted traffic is a black box — and that's exactly where modern malware, command-and-control and data theft hide.

Sophos Firewall Xstream TLS inspection is the engine that fixes that blind spot. It decrypts traffic — natively for TLS 1.3, with no downgrade to 1.2 — using a separate top-down rule table and decryption profiles, then scans the clear stream once for IPS, anti-malware, web filtering and app control. The catch is that the firewall becomes a man-in-the-middle that re-signs certificates with its own CA, so you must deploy that CA to clients and keep an exclusion list — otherwise you trade a blind spot for a wall of certificate errors and broken apps.

① Why decrypt at all — the encrypted blind spot

The starting fact: almost all web traffic today is encrypted with TLS (HTTPS). That's great for privacy, but it means a firewall that can't decrypt only ever sees scrambled bytes. Your IPS, anti-malware and web filtering have nothing to read, so threats hidden inside HTTPS sail straight through.

Attackers know this. Malware downloads, command-and-control callbacks and data theft increasingly ride inside encrypted connections precisely because most firewalls are blind to them. So the choice is stark: either inspect the encrypted traffic, or accept that a large share of your traffic is unprotected.

That's the job of Sophos Firewall Xstream TLS inspection — it opens the encrypted stream, lets the security engines scan the clear contents, then re-encrypts it on its way to the server. The rest of this lesson is how to do that at speed, and how to do it without breaking things.

Figure 1 — The blind spot, fixed
Without inspection the firewall sees only encrypted bytes; with Xstream TLS inspection it decrypts, scans, then re-encrypts.The blind spot, fixedEncryptedHTTPS in / outBlindno engine can readDecryptXstream opens itScanIPS / AV / webRe-encrypton to the server
Without inspection the firewall sees only encrypted bytes; with Xstream TLS inspection it decrypts, scans, then re-encrypts.
Quick check · Q1 of 10 · Understand

Why is an HTTPS-blind firewall a security problem?

Correct: b. Most web traffic is TLS-encrypted. A firewall that can't decrypt only sees scrambled bytes, so IPS, anti-malware and web filtering have nothing to inspect — malware and C2 hidden in HTTPS pass straight through.
👉 So far: Most web traffic is TLS-encrypted, so a firewall that can't decrypt is blind to threats hiding in HTTPS. Xstream TLS inspection opens it, scans it, re-encrypts it.

② The Xstream TLS engine — native 1.3 and a separate rule table

Xstream TLS inspection is Sophos Firewall's high-performance decryption engine. Two things make it modern. First, it inspects TLS 1.3 natively — it does not downgrade a TLS 1.3 connection to TLS 1.2 just to read it. Second, it rides the Xstream architecture and FastPath, which can offload trusted flows so throughput stays high instead of collapsing the moment you turn decryption on.

A separate, top-down rule table

Decryption isn't a single on/off switch. TLS inspection rules live in their own rule table — much like NAT rules are separate from firewall rules — and they're evaluated top-down, first match wins. Each rule matches on source, destination, zones and users and on websites or web categories, then sets an action (Decrypt or Don't decrypt) and points to a decryption profile.

The interview line: TLS inspection is rule-driven, not global. You decrypt this traffic for these users to these sites — and explicitly leave the rest alone.

Figure 2 — Anatomy of a TLS inspection rule
Each rule in the separate TLS rule table pairs a match with an action and a decryption profile.Anatomy of a TLS inspection ruleMatchsource / dest / zones / usersWebsitesURLs and web categoriesActionDecrypt or Don't decryptProfileTLS version, re-sign, errors
Each rule in the separate TLS rule table pairs a match with an action and a decryption profile.
Xstream TLS inspection
tap to flip

Sophos Firewall's high-performance decryption engine. Inspects TLS 1.3 natively (no downgrade) and uses FastPath to keep throughput high.

📋
TLS inspection rule table
tap to flip

A separate, top-down, first-match table (like NAT rules). Each rule matches who / where / what and sets an action plus a decryption profile.

⚙️
Decryption profile
tap to flip

The 'how' on a rule: minimum TLS version, re-sign vs known-key, what to do on errors and invalid certs, and exclusions.

🔑
Firewall CA (re-sign)
tap to flip

The internal CA the firewall uses to re-sign server certs. Clients must trust it — deploy it via GPO or MDM or browsers warn.

TLS rules are their own table

In an interview, say it cleanly: TLS inspection rules are a separate, top-down, first-match table — like NAT rules — not a global on/off switch. Each rule pairs a match (source, dest, zones, users, websites) with an action (Decrypt / Don't decrypt) and a decryption profile.

Quick check · Q2 of 10 · Remember

How does Xstream TLS inspection handle TLS 1.3?

Correct: c. Xstream supports TLS 1.3 natively — it inspects the modern protocol directly rather than forcing a downgrade to 1.2, and uses the Xstream architecture / FastPath for high throughput.
👉 So far: Xstream inspects TLS 1.3 natively (no downgrade) and uses FastPath for throughput. Rules live in a separate top-down, first-match table: match + action (Decrypt / Don't decrypt) + profile.

③ Decryption profiles and the certificate (re-sign) model

A decryption profile is the 'how' attached to each rule. It sets the minimum TLS version allowed, the re-sign approach, what to do on errors or unsupported sites (block or allow), how to handle invalid or untrusted server certificates, and the exclusions. Choosing 'block on error' is safer; 'allow on error' is friendlier but leaves gaps.

How the firewall reads the traffic

To see inside, the firewall acts as a man-in-the-middle: it re-signs the real server's certificate on the fly with its own internal CA. That means clients must trust that CA — you push the firewall's CA certificate to client trust stores via GPO (Active Directory) or MDM. Skip this and every browser throws a certificate warning. For your own internal servers you can use the real certificate and key (known key / server protection) instead of re-signing.

The payoff is 'decrypt once, scan many': once a flow is decrypted, a single streaming DPI engine inspects the clear stream in one pass for IPS, anti-malware, web filtering and application control — it doesn't decrypt separately for each engine.

Figure 3 — Decrypt once, scan many
Once Xstream decrypts a flow, a single streaming DPI engine feeds every security engine in one pass.Decrypt once, scan manyDecrypted flowone streaming passIPSAnti-malware / AVWeb filteringApp controlRe-encrypt out
Once Xstream decrypts a flow, a single streaming DPI engine feeds every security engine in one pass.
Figure 4 — Re-sign vs known-key
How the firewall presents a certificate depends on whether the traffic is outbound to the internet or inbound to your own server.Re-sign vs known-keyRe-sign (outbound)Firewall CA signs a copyFor users browsing the internetClients must trust the CAPush CA via GPO / MDMKnown key (inbound)Uses the real server cert + keyFor your own internal serversNo re-sign, no warningsServer protection use case
How the firewall presents a certificate depends on whether the traffic is outbound to the internet or inbound to your own server.
Turning on decryption before pushing the CA

The number-one self-inflicted outage: enable broad decryption while the firewall CA is still missing from clients. Every HTTPS site then throws a certificate warning. Always deploy the CA to client trust stores (GPO/MDM) before you widen the decrypt scope.

▶ Watch an HTTPS site get inspected end-to-end

How a single HTTPS request is decrypted, scanned and re-encrypted. Press Play for the healthy path, then Break it to see the classic failure.

① Open HTTPSPriya's laptop opens an HTTPS site; the request hits the Sophos Firewall and matches a TLS inspection rule set to Decrypt.
② Re-signThe firewall acts as a man-in-the-middle and re-signs the server's certificate with its own CA, which the laptop trusts.
③ ScanThe decrypted stream is scanned once by the streaming DPI engine — IPS, anti-malware, web filtering and app control all in one pass.
④ Re-encryptClean traffic is re-encrypted and forwarded to the real server; the user sees a normal padlock, fully inspected.
Press Play to step through the healthy inspection path. Then press Break it.
Quick check · Q3 of 10 · Understand

After you enable decryption, why do browsers suddenly show certificate warnings?

Correct: a. To read the traffic the firewall acts as a man-in-the-middle and re-signs certs with its own CA. If that CA isn't in the client trust store, the browser doesn't trust it and warns. Deploy the CA via GPO / MDM first.
👉 So far: Profiles set TLS version, re-sign vs known-key, error and invalid-cert handling, and exclusions. Re-sign makes the firewall a man-in-the-middle, so push its CA to clients via GPO/MDM. Decrypt once, scan many.

④ Doing it without breaking things — exclusions & rollout

Decryption breaks things if you're careless, so exclusions are essential. Sites like banking, healthcare, government, software-update services and anything using certificate pinning belong on the 'Do not decrypt' list. There are two reasons: privacy and compliance (you shouldn't be reading a user's bank or medical session) and breakage — a certificate-pinned app rejects the firewall's re-signed cert and simply stops working.

A safe, staged rollout

Don't flip 'Decrypt all' on day one. The pattern that works: start with a narrow decrypt scope (a pilot group or a few categories), deploy the firewall CA to clients first, keep a maintained exclusion list, monitor TLS errors in the logs, then widen gradually. The classic failure is turning on broad decryption before the CA is pushed — instant helpdesk storm of certificate warnings.

Figure 5 — A safe rollout, not a big bang
Roll TLS inspection out in stages so you never trade a blind spot for a wall of certificate errors.A safe rollout, not a big bangPush CAto clients firstNarrow scopepilot group / few catsExcludebanking / updates /pinnedMonitorwatch TLS errorsWidenexpand gradually
Roll TLS inspection out in stages so you never trade a blind spot for a wall of certificate errors.

Priya at Sundar Logistics in Kochi faces this

The day after she switches on a broad 'Decrypt all web traffic' rule, the helpdesk is flooded: every browser shows 'Your connection is not private', and the accounts team's banking portal and a vendor's auto-updater have stopped working.

Likely cause

The firewall is re-signing every site with its own CA, but that CA was never pushed to the client machines — and certificate-pinned sites break even when users click through.

Diagnosis

Rules and policies ▸ TLS inspection rules shows one broad Decrypt rule with re-sign; the certificate warnings point to clients missing the CA, and the pinned-site failures appear in the TLS / decryption logs as handshake errors.

Rules and policies ▸ TLS inspection rules + decryption profile ▸ exclusions; Certificates ▸ CA
Fix

Push the firewall's CA certificate to all clients via GPO/MDM; narrow the decrypt scope to a pilot group; add banking, healthcare, government, software-update and pinned sites to the 'Do not decrypt' exclusion list.

Verify

Pilot browsers show a clean padlock with no warning, the banking portal and updater work again, and the TLS logs show those sites passing through un-decrypted while general web traffic is inspected.

Prove it from the TLS logs, not a hunch

Don't guess whether a site is decrypting. The TLS / decryption logs show, per connection, whether it was decrypted or excluded and any handshake error. That single read tells you if a broken app is hitting pinning or just missing the CA.

Quick check · Q4 of 10 · Apply

A vendor's auto-updater stops working the moment you decrypt its traffic. The most likely cause is…

Correct: d. Certificate-pinned apps accept only the exact certificate they shipped with. The firewall's re-signed cert is rejected and the app fails — so pinned apps and updaters must go on the 'Do not decrypt' exclusion list.
👉 So far: Exclude banking, healthcare, gov, updates and pinned apps from decryption. Roll out in stages: push CA first, narrow scope, exclude, monitor errors, then widen — never big-bang 'Decrypt all'.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

What is the core reason a firewall that can't decrypt is a problem?

Correct: b. Most web traffic is encrypted, and attackers hide malware, C2 and data theft inside HTTPS. Without decryption the security engines have nothing to read, so those threats pass straight through.
Q6 · Understand

How does Xstream TLS inspection treat TLS 1.3 connections?

Correct: b. Xstream inspects TLS 1.3 natively — no downgrade to 1.2 — and relies on the Xstream architecture and FastPath to keep throughput high while decrypting.
Q7 · Remember

Where are TLS inspection rules configured on Sophos Firewall?

Correct: a. TLS inspection rules are their own table, like NAT rules, evaluated top-down with first match winning. Each rule sets a match, an action and a decryption profile — not a single global switch.
Q8 · Apply

You want inbound inspection of your own internal web server without re-sign warnings. Which approach?

Correct: b. For your own servers you can load the real certificate and private key (known key / server protection) so the firewall inspects inbound traffic without re-signing — no man-in-the-middle warning.
Q9 · Analyze

Why is 'decrypt once, scan many' an efficiency win?

Correct: d. Once a flow is decrypted, Sophos's single streaming DPI engine inspects the clear stream in one pass for IPS, anti-malware, web filtering and app control — it doesn't decrypt separately for each engine, which keeps throughput high.
Q10 · Evaluate

What is the safest first step when rolling out TLS inspection in production?

Correct: c. Big-bang 'Decrypt all' before the CA is pushed causes a certificate-warning storm and breaks pinned apps. Push the CA first, decrypt a narrow pilot scope with a good exclusion list, monitor TLS errors, then widen gradually.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why does turning on Sophos TLS inspection sometimes flood the helpdesk with certificate warnings, and what's the fix? Then compare with the expert version.

Expert version: Because to read encrypted traffic the firewall acts as a man-in-the-middle and re-signs every site's certificate with its own internal CA. If that CA hasn't been deployed to the client machines' trust stores, the browser doesn't trust the re-signed cert and shows 'Your connection is not private' on every HTTPS site. The fix is to push the firewall's CA certificate to all clients via GPO or MDM before widening the decrypt scope — and to keep banking, healthcare, government, update and certificate-pinned sites on the 'Do not decrypt' exclusion list so pinned apps don't break. Roll it out in stages, not as a big-bang 'Decrypt all'.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Xstream TLS inspection
Sophos Firewall's high-performance decryption engine that opens HTTPS so the security engines can scan the clear traffic, then re-encrypts it.
TLS 1.3 native inspection
Inspecting the modern TLS 1.3 protocol directly, without downgrading the connection to TLS 1.2 to read it.
TLS inspection rule table
A separate, top-down, first-match table of rules that decide whether a connection is decrypted, each with an action and a decryption profile.
Decryption profile
Settings on a rule: minimum TLS version, re-sign vs known-key, error and invalid-cert handling, and exclusions.
Re-sign (man-in-the-middle)
The firewall presents a copy of the server's certificate signed by its own CA so it can read and re-encrypt the traffic.
Firewall CA
The internal certificate authority the firewall uses to re-sign certs; clients must trust it (push via GPO/MDM) to avoid warnings.
Known key / server protection
Using an internal server's real certificate and private key instead of re-signing, so inbound inspection works without warnings.
Certificate pinning
An app that accepts only one specific certificate; a re-signed cert is rejected, so pinned apps must be excluded from decryption.
TLS exclusion list ('Do not decrypt')
Sites bypassed from decryption for privacy/compliance or to prevent breakage — banking, healthcare, government, updates and pinned apps.

📚 Sources

  1. Sophos Firewall — Xstream TLS inspection overview and configuration. docs.sophos.com
  2. Sophos Firewall — TLS inspection rules: a separate, top-down rule table. docs.sophos.com
  3. Sophos Firewall — Decryption profiles (TLS version, re-sign / known key, error handling, exclusions). docs.sophos.com
  4. Sophos Firewall — Deploy the firewall certificate authority to endpoints via GPO / MDM. docs.sophos.com
  5. Sophos — Xstream architecture & native TLS 1.3 inspection performance. sophos.com
  6. Sophos Community — TLS inspection exclusions and certificate pinning best practice. community.sophos.com

What's next?

Now the firewall can see inside HTTPS — next, go deep on what it does with that visibility: IPS signatures, Advanced Threat Protection and Zero-Day Protection sandboxing that detonates unknown files before they reach a user.

Next · All interview lessons → Practice on exam.techclick.in →