MSS FW Best Practices: DPI-SSL (Client)
12/11/2024
Description
CAUTION: These documents are intended to provide partners with firewall configuration recommendations ONLY. They contain examples, and caution should be exercised when making changes to your firewall, as unplanned changes could result in downtime depending on the complexity of the environment and/or configuration.
MSS Recommended SonicWall Firewall Best Practices Index
Notes/Recommendations
- Exclude devices that don’t have the certificate but still need to get to the internet on the network where DPI-SSL is enabled (printers, cameras, VoIP equipment, etc.).
- Exclude update.microsoft.com from DPI-SSL (custom domain). There is no choice but to trust this traffic if you want updates.
- Exclude youtube.com. This helps lower the number of DPI-SSL connections.
- Proper discovery should be done to ensure the implementation goes as smoothly as possible.
- DPI-SSL is a disruptive service, as it acts as a sort of “man in the middle”.
- No matter how much prep you do, IT WILL BREAK THINGS. Prepare the customer accordingly.
Resources
1. Discovery and Considerations
Device Exclusions
- The biggest thing the customer will need to provide is a list of IPs that should be excluded from DPI-SSL. These devices access the internet on the subnet where DPI-SSL will be enabled, but do not support certificates. Example devices are printers, cameras, network storage, IP phones, IoT devices, etc.
Where will DPI-SSL be implemented?
Subnet Level
- The most common place to enable DPI-SSL is at the subnet level.
- This is the most secure method as it ensures that all new devices won’t be able to get to the internet without the DPI-SSL certificate installed.
- This method requires exclusions to be made.
Address Object Group Level
- If you only want to apply DPI-SSL to a specific number of IPs or MACs, you can choose to only apply DPI-SSL to a specified address object group.
- This is less secure as new devices may bypass DPI-SSL if not added to the specified address object group.
- This method does NOT require exclusions.
2. Download the DPI-SSL Certificate
- By default, DPI-SSL will use the firewall’s self-generated certificate.
- If using the default SonicWall DPI-SSL certificate, we recommend selecting and using the 2048-bit certificate.
- If the customer wants to replace the default DPI-SSL CA certificate with a 3rd party certificate, follow this KB: How Can I Create A DPI-SSL Certificate For The Purpose Of DPI-SSL Certificate Resigning?
- Once the correct certificate is selected and applied in the drop-down menu, proceed.
- Click “Download” next to the certificate drop-down menu.
- This will download the .cer that needs to be deployed.
3. Deploy the Certificate
4. Configure Exclusions
- With the list of IPs from the customer that need to be excluded, you can:
- Create address objects for the IPs and/or MAC addresses that need to be excluded.
- Create an address object group called “DPI-SSL Exclusion Group” that contains those AOs.
5. DPI-SSL Pre-Configuration
- We want to do as much as possible BEFORE enabling DPI-SSL to avoid as many interruptions as possible.
- On the Network/Zones page, ensure that “DPI-SSL Client” is enabled for each zone that contains the devices or networks that will have DPI-SSL applied to them.
- Back on the DPI-SSL/TLS Client page, under “General Settings”, ensure the following options are checked:
- Intrusion Prevention
- Gateway Anti-Virus
- Gateway Anti-Spyware
- Application Firewall
- Content Filtering
- On the Objects Page for the “Address Object/Group” Exclude box, select the “DPI-SSL Exclusion Group” that you created earlier.
- For the “Address Object/Group” Include box, select either the interface subnet or address object group depending on what you are applying DPI-SSL to.
- On the “CFS Category-Based Exclusion/Inclusion” tab, select the following categories:
- Online Banking
- Online Brokerage and Trading
- This is done so that sensitive financial data is not exposed.
6. Enable DPI-SSL
- On the DPI-SSL/TLS Client page, under “General Settings”, check “Enable SSL Client Inspection” and hit accept.
- You should start to see the counters go up.
7. Troubleshooting
- At this point the customer needs to test and ensure that all programs, applications, and websites that they use still work.
- To troubleshoot and/or exclude a website that is not working:
- Under the “Common Name” tab, click on “Show Connection Failures”.
- Here you will see websites that are being affected by DPI-SSL.
- The below messages are nothing to worry about as they are not “stopping” the traffic. If websites with the below Error Messages are not working, exclude them.
- Server reset connection during handshake.
- Server terminate connection during handshake.
- Websites with an error message that contains “Server handshake error-error” are most likely not working. They need to be excluded.
- To exclude websites from the Connection Failure list:
- Select the website and click “Exclude.”
- To exclude websites manually:
- Under the “Common Name” tab, click on “Add”.
- Enter the website(s) and click “Exclude.”
- Wildcard/subdomain entries can be added as “.domain.com”.
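As an added example (not code from the article or from SonicWall), the triage rules above as a small Python helper: it parses a constructed connection-failure export, keeps the harmless reset/terminate messages apart from “Server handshake error-error” entries, promotes sites the customer reports as broken, and collapses several failing hosts under one domain into the “.domain.com” wildcard form. The tab-separated line format and the two-label domain grouping are assumptions of this example, not a SonicWall export format.

```python
from collections import defaultdict

# Article rule: these handshake messages are harmless unless the user reports
# the site as broken; "Server handshake error-error" means exclude the site.
BENIGN = {"Server reset connection during handshake.",
          "Server terminate connection during handshake."}
NEEDS_EXCLUSION = "Server handshake error-error"
# Constructed sample export, one "<common name>\t<error message>" per line.
SAMPLE_LOG = """\
api.example-bank.com\tServer handshake error-error
cdn.example-bank.com\tServer handshake error-error
www.example-news.com\tServer reset connection during handshake.
push.example-chat.com\tServer terminate connection during handshake.
legacy.example-crm.com\tServer handshake error-error
"""

def parse_failures(text):
    """Return (common_name, message) pairs from the tab-separated export."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            cn, _, msg = line.partition("\t")
            rows.append((cn.strip().lower(), msg.strip()))
    return rows

def classify(rows, reported_broken=()):
    """Bucket failures into 'exclude', 'monitor' (benign) and 'unknown'."""
    buckets = {"exclude": [], "monitor": [], "unknown": []}
    for cn, msg in rows:
        if NEEDS_EXCLUSION in msg or cn in reported_broken:
            buckets["exclude"].append(cn)
        elif msg in BENIGN:
            buckets["monitor"].append(cn)
        else:
            buckets["unknown"].append(cn)  # unfamiliar message: review by hand
    return buckets

def exclusion_entries(hosts, min_hosts=2):
    """Collapse hosts under one parent domain into the '.domain.com' wildcard.
    Grouping on the last two labels is an assumption (no public-suffix list)."""
    by_parent = defaultdict(set)
    for h in hosts:
        by_parent[".".join(h.split(".")[-2:])].add(h)
    entries = []
    for parent, members in sorted(by_parent.items()):
        entries += ["." + parent] if len(members) >= min_hosts else sorted(members)
    return entries

def triage(text, reported_broken=()):
    buckets = classify(parse_failures(text), reported_broken)
    buckets["entries"] = exclusion_entries(buckets["exclude"])
    return buckets
```

Review the wildcard entries before adding them on the “Common Name” tab; a wildcard is broader than the individual hosts that failed.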