-
Products
-
Gen 7 Firewalls
SonicWall's Gen 7 platform-ready firewalls offer performance with stability and superior threat protection — all at an industry-leading TCO.
Read More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How to block OpenDoor proxy using App Rules and Client DPI-SSL
06/05/2023 
337 People found this article helpful
472,831 Views
Description
OpenDoor is a proxy application for Apple iPad, iPhone and iPad. OpenDoor allows users to bypass firewall restrictions and browse the Internet freely. It is a browser based proxy using HTTPS to establish connections.
This article describes how to block OpenDoor using App Rules (Application Firewall) with Client DPI-SSL enabled.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Here's how to block OpenDoor using App Rules:
- Login to the Firewall management,then navigate to Object | Match Objects | Match Object
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:
6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
6F70656E646F6F72 (hex for opendoor)
637269747465726369736d2e636f6d (hex for crittercism.com)
6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com) - Click OK to save.
- Navigate to the Policy | Rules and Policy | App rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
- On the App control page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the Policy | DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Here's how to block OpenDoor using App Rules:
- Login to Firewall management, then navigate to Manage | Object | Match Objects.
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
6F70656E646F6F72 (hex for opendoor)
637269747465726369736d2e636f6d (hex for crittercism.com)
6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com) - Click OK to save.
9.Navigate to the Manage| Rules | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
10.On the App Rules page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Here's how to block OpenDoor using App Rules:
- Go to Firewall | Match Objects.
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:
- 6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
- 6F70656E646F6F72 (hex for opendoor)
- 637269747465726369736d2e636f6d (hex for crittercism.com)
- 6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)
- Click OK to save.
- Navigate to the Firewall | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
- On the App Rules page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Testing
Test by accessing a website in the OpenDoor browser.
Related Articles
- How to access a more specific network over VPN tunnel while having another Route All VPN policy
- How to limit bandwidth usage when playing YouTube videos using App Rules
- SonicWall TZ80 In-Product settings migration
Categories
- Firewalls > TZ Series
- Firewalls > SonicWall SuperMassive E10000 Series
- Firewalls > SonicWall SuperMassive 9000 Series
- Firewalls > SonicWall NSA Series
YES
NO