
SSL / TLS exclusions required for registration with Sophos Central

Sophos Switch devices try to register with Sophos Central the first time they start.

For this purpose, they contact the following FQDNs:

  • sophos.jfrog.io
  • jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com

When the connection to sophos.jfrog.io is blocked, the switch can't register itself with Sophos Central.

When the connection to jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com is blocked, the switch can't verify that the latest firmware is installed.

When the switch can't access either of these URLs, the following log entry is shown on the Sophos switch:

DOWNLOADER    error    Failed to download the package. HTTP: 000

To add exclusions in Sophos Firewall, do as follows:

  1. Connect to your firewall.
  2. Go to Web > URL groups.
  3. Click Add.
  4. Enter a URL group name.
  5. For Domain name to match, add the following domains:
    • *.sophos.com
    • sophos.jfrog.io
    • jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com
  6. Click Save.
  7. Go to Rules and policies > SSL/TLS inspection rules.
  8. Find and edit the built-in rule Exclusions by website.
  9. Under Categories and websites, click Add new item.
  10. Search for the URL group name you created and select it.
  11. Click Apply 1 selected items.
  12. Click Save.
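
To confirm the exclusion took effect, the following added example (not part of the Sophos documentation) handshakes with both FQDNs and reports whether the certificate issuer is the firewall's signing CA. It assumes you run it from a host behind the same firewall rules as the switch; the CA name "Example Firewall CA" and the sample certificate are constructed placeholders, so pass your own signing CA name as an argument.

```python
import socket
import ssl
import sys

# FQDNs listed on this page.
SWITCH_FQDNS = (
    "sophos.jfrog.io",
    "jfrog-prod-use1-shared-virginia-main.s3.amazonaws.com",
)
# Constructed sample in ssl.getpeercert() form (placeholder CA name).
SAMPLE_RESIGNED = {"issuer": ((("commonName", "Example Firewall CA"),),)}

def issuer_names(cert):
    """Return the issuer's organizationName/commonName values."""
    wanted = {"organizationName", "commonName"}
    return [v for rdn in cert.get("issuer", ()) for k, v in rdn if k in wanted]

def classify(cert, inspection_ca_names):
    """'inspected' if the issuer matches the firewall's signing CA, else 'excluded'."""
    markers = [m.lower() for m in inspection_ca_names]
    for name in issuer_names(cert):
        if any(m in name.lower() for m in markers):
            return "inspected"
    return "excluded"

def probe(host, inspection_ca_names, port=443, timeout=5.0):
    """Handshake with host and report how the path treats its TLS traffic."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return classify(tls.getpeercert(), inspection_ca_names)
    except ssl.SSLCertVerificationError:
        # The chain does not lead to a CA this host trusts, which is what a
        # re-signing CA that is not installed locally looks like.
        return "untrusted-chain"
    except OSError:
        # DNS failure, refused or timed-out connection, or a failed handshake.
        return "blocked"

if __name__ == "__main__":
    # Pass your firewall's signing CA name(s) as arguments to probe live.
    ca_names = sys.argv[1:]
    if ca_names:
        for fqdn in SWITCH_FQDNS:
            print(f"{fqdn}: {probe(fqdn, ca_names)}")
    else:
        print("sample:", classify(SAMPLE_RESIGNED, ["Example Firewall CA"]))
```

A result of "excluded" for both FQDNs means the traffic reaches the client with its original certificate; "inspected" or "untrusted-chain" means the SSL/TLS inspection rule is still re-signing it.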

Non-Sophos Firewall OS devices

Refer to your firewall's documentation on how to exclude traffic from inspection.