I’ll show how I approach inbound TLS/SSL inspection on Sophos XG and XGS firewall platforms. Short answer: Sophos inspects TLS for outbound traffic and offers a WAF/reverse proxy for inbound. It does not do inbound decryption in the same inline way that Palo Alto calls “inbound inspection”. I’ll give practical options, configuration notes, validation checks and common fixes you can apply straight away.
Start by checking what you already run in the DMZ. If you terminate TLS on a reverse proxy there, keep doing that. The Sophos Web Application Firewall is a reverse proxy that can protect web servers and apply WAF rules, but it terminates and re‑encrypts traffic as a proxy rather than acting as an inline decryption engine. The product docs for TLS inspection and inspection rules explain Sophos’s intended model and how the firewall handles decryption in inspection and proxy modes: https://docs.sophos.com/nsg/sophos-firewall/21.5/help/en-us/webhelp/onlinehelp/AdministratorHelp/Web/HowToArticles/WebProxyDPITLSDecryption/ and https://docs.sophos.com/nsg/sophos-firewall/21.0/help/en-us/webhelp/onlinehelp/AdministratorHelp/RulesAndPolicies/SSL/TLSInspectionRules/. Read those pages first; they clarify which zones and rule types the appliance supports for TLS/SSL inspection.
My practical configuration checklist:
- If you want the firewall to inspect outbound HTTPS, create or import a CA on the Sophos device, enable DPI or web proxy TLS inspection, and add an inspection rule that matches the source and destination traffic you want decrypted. Make sure the CA is trusted by endpoints. Use DPI mode for performance, and the web proxy when you need URL filtering tied to decrypted content.
- For inbound inspection, treat Sophos as a reverse proxy or place a decryption-capable proxy in front of your origin servers. If you want behaviour like Palo Alto’s inbound inspection, terminate TLS at a dedicated reverse proxy in the DMZ and let that proxy forward plain HTTP to internal services, or use the WAF feature on Sophos as the terminating proxy. Don’t try to force a TLS inspection rule with source zone set to WAN; Sophos’s inspection rules expect traffic paths suited to outbound or proxy deployments, so the UI won’t offer WAN as a source in many cases.
- For Sophos XG and XGS firewall hardware, map public IPs with DNAT to your proxy or WAF virtual server. Bind certificates to the WAF or proxy, not to a generic inspection rule. That keeps SNI, headers and client certificate flows intact when needed.
How I validate a setup and what I look for when things fail:
- Live test with a browser and curl. Use curl -vk to watch the TLS handshake from the client side. If the firewall is terminating TLS, you will see its certificate. If the origin server is terminating, you will see the origin certificate. That tells you which device is decrypting.
- Packet capture on the WAN interface is useful. Look for Client Hello and Server Hello sequences. If you see a Server Hello from the firewall, it is terminating. If you only see passthrough TLS messages, the firewall is not decrypting that flow.
- Check certificate chains on clients. If a decrypted flow shows a certificate signed by your inspection CA, a client missing that CA will show certificate errors. Install the CA on any endpoint that must trust decrypted sessions.
- If you can’t select WAN as a source zone when creating an inspection rule, that is not a bug. It is a design choice. Move the termination point to the DMZ or use the WAF as the terminating proxy.
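To make the checks above repeatable, here is an added shell example (not from the original article and not Sophos tooling) that classifies who terminated a session from the certificate issuer the client received, and prints the tcpdump filter that isolates Client Hello and Server Hello records on the WAN interface. The inspection CA name, the interface name and the sample issuer lines are assumptions I constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the original article or from Sophos.
# Decide which device terminated a TLS session by looking at the issuer of the
# certificate the client received, and print the WAN-side capture filter that
# isolates Client Hello / Server Hello records. Assumption (hypothetical value):
# the firewall's inspection CA has the common name "Sophos Inspection CA".

INSPECTION_CA="${INSPECTION_CA:-Sophos Inspection CA}"

# fetch_issuer HOST [PORT]: live query (needs network). Prints the "issuer=" and
# "subject=" lines of the leaf certificate presented for HOST, with SNI set to
# HOST so a terminating proxy selects the right virtual server.
fetch_issuer() {
  openssl s_client -servername "$1" -connect "$1:${2:-443}" </dev/null 2>/dev/null \
    | openssl x509 -noout -issuer -subject
}

# classify_terminator ISSUER_LINE: maps an "issuer=..." line to the device that
# decrypted the session.
#   inspection-ca  issued by the firewall CA, so the firewall terminated it
#   origin         any other issuer, so the origin (or a public-cert proxy) did
# Handles both OpenSSL output styles: "CN = X" (1.1+) and "/CN=X" (1.0).
classify_terminator() {
  case "$1" in
    *"CN = $INSPECTION_CA"*|*"CN=$INSPECTION_CA"*) echo inspection-ca ;;
    issuer=*)                                        echo origin ;;
    *)                                               echo unknown ;;
  esac
}

# capture_filter IFACE: prints a tcpdump command for the WAN interface that keeps
# only TLS handshake records (content type 0x16) whose handshake type is
# Client Hello (1) or Server Hello (2). tcp[((tcp[12]&0xf0)>>2)] is the first
# byte of TCP payload; the handshake type sits 5 bytes into the record.
capture_filter() {
  off='((tcp[12]&0xf0)>>2)'
  printf "tcpdump -ni %s -s0 'tcp port 443 and tcp[%s]=0x16 and (tcp[%s+5]=1 or tcp[%s+5]=2)'\n" \
    "$1" "$off" "$off" "$off"
}

# Constructed sample issuer lines standing in for fetch_issuer output.
SAMPLE_FW="issuer=C = GB, O = Example Ltd, CN = Sophos Inspection CA"
SAMPLE_ORIGIN="issuer=C = US, O = Let's Encrypt, CN = R3"

echo "firewall-style issuer  -> $(classify_terminator "$SAMPLE_FW")"
echo "origin-style issuer    -> $(classify_terminator "$SAMPLE_ORIGIN")"
capture_filter eth0
```

Run fetch_issuer against a public hostname and pass its issuer line to classify_terminator: an issuer matching your inspection CA means the firewall decrypted the flow, anything else means the origin or a public-certificate proxy terminated it. The tcpdump filter indexes into the TCP payload, so a Server Hello that starts in a later segment is not matched; keep -s0 and confirm in Wireshark when a flow looks ambiguous.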
Common problems and fixes I use:
- Clients see certificate errors: import the firewall CA into client trust stores or switch to a proxy that uses a public certificate for inbound termination.
- SNI not forwarded to origin: terminate TLS on the proxy and route on the HTTP Host header to reach multiple backends. Sophos WAF has limits compared with full reverse proxies like Nginx or HAProxy.
- Performance hit with full decryption: enable DPI streaming, minimise the set of rules that require full inspection, or offload TLS to dedicated hardware/proxy.
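The DMZ termination design from the checklist and the SNI/Host-header fix above, as an added example that is not the article's own configuration and not a Sophos WAF feature: a shell script that renders an Nginx reverse proxy configuration terminating TLS with public certificates and forwarding plain HTTP to a backend chosen by name. Hostnames, backend addresses and certificate paths are placeholders I constructed.

```shell
#!/bin/sh
# Added example, not code from the original article or from Sophos/Nginx.
# Renders an Nginx configuration for a DMZ reverse proxy that terminates TLS with
# a public certificate and forwards plain HTTP to internal backends, choosing the
# backend from the SNI/Host name. Hostnames, IPs and paths are placeholders.

# gen_vhost HOST BACKEND CERT KEY: one server block. server_name is matched
# against SNI and the Host header, so each name maps to its own backend; the Host
# header is passed through so the backend still sees the public name.
gen_vhost() {
  cat <<EOF
server {
    listen 443 ssl;
    server_name $1;
    ssl_certificate     $3;
    ssl_certificate_key $4;
    ssl_protocols TLSv1.2 TLSv1.3;
    location / {
        proxy_pass http://$2;
        proxy_set_header Host \$host;
        proxy_set_header X-Forwarded-For \$remote_addr;
        proxy_set_header X-Forwarded-Proto https;
    }
}
EOF
}

# render_proxy_config: reads "host backend cert key" records from stdin and
# writes a complete config: a default server that rejects unknown SNI/Host
# names first, then one block per record.
render_proxy_config() {
  cat <<'EOF'
# Unknown names get a TLS close instead of falling through to the first backend.
server {
    listen 443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}
EOF
  while read -r host backend cert key; do
    if [ -n "$host" ]; then
      gen_vhost "$host" "$backend" "$cert" "$key"
    fi
  done
}

# count_vhosts: number of named server blocks in a rendered config read from stdin.
count_vhosts() { grep -c '^    server_name [^_]'; }

# Constructed mapping: public name -> internal plain-HTTP backend + cert files.
MAPPING='app1.example.com 10.0.1.10:8080 /etc/ssl/app1.pem /etc/ssl/app1.key
app2.example.com 10.0.1.11:8080 /etc/ssl/app2.pem /etc/ssl/app2.key'

printf '%s\n' "$MAPPING" | render_proxy_config
```

The default server with ssl_reject_handshake (Nginx 1.19.4 or later) closes connections whose SNI matches no configured name, so a misdirected request cannot land on the first backend by accident, and proxy_set_header Host $host preserves the public name for backends that serve several sites. DNAT the public IP on the Sophos box to this proxy's DMZ address and the firewall never needs a WAN-sourced inspection rule.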
Final takeaways. For true inbound TLS/SSL inspection like Palo Alto, terminate TLS on a dedicated reverse proxy or use Sophos WAF as a proxy. Use Sophos XG/XGS firewall TLS/SSL inspection for outbound and proxy inspection paths. Check the documentation links above before you change certificate chains or NAT rules. Make sure your DMZ design keeps termination and backend routing clear, and verify with curl and packet captures.