Ensuring DPI-SSL Functionality and Resolving Slowness

01/07/2025 1 People found this article helpful 514 Views

Description

Why Disable UDP on Ports 443 and 80?

Disabling UDP traffic on ports 443 and 80 ensures that all encrypted web traffic defaults to TCP. TCP traffic can be decrypted, inspected, and properly filtered by DPI-SSL, while UDP-based protocols like QUIC bypass traditional DPI-SSL inspection. This step ensures:

Complete compliance with security policies.
No unscanned traffic bypasses firewall inspection.

Prerequisites

DPI-SSL must be enabled on the SonicWall firewall.
The SonicWall DPI-SSL certificate must be installed on all client devices to avoid SSL errors.

Resolution

1. Check DPI-SSL Exclusion List

Ensure that no Fully Qualified Domain Name (FQDN) objects or common objects are unintentionally added to the DPI-SSL exclusion list. These exclusions can allow traffic to bypass DPI-SSL inspection.

Steps:

Navigate to Manage > DPI-SSL > Client SSL.
Under DPI-SSL Exclusions, review the list of excluded objects.
Remove any FQDN objects or add those FQDN in common names.

2. Review the Connection Failure List

Analyze the connection failure list to determine if the issue is widespread or limited to certain objects.

Steps:

Navigate to Policy > DPI SSL > Common name >>show Connection Failures.
Check for any domains or IPs repeatedly failing DPI-SSL inspection.
Address the root cause of failures, such as invalid certificates or unsupported encryption methods for specific objects.

3. Create Deny Rules for UDP Ports 443 and 80

Blocking UDP traffic on these ports ensures that all encrypted traffic uses TCP, allowing DPI-SSL to properly decrypt and inspect the traffic.

Steps:

Navigate to Rules and Policies > Access Rules.
Select LAN to WAN as the zone pair.
Create a new rule with the following parameters:
- Action: Deny
- Service: UDP 443 and 80
- Source: Any
- Destination: Any
Save and apply the rule.

Reason: This ensures all encrypted web traffic defaults to TCP, which can be decrypted, inspected, and properly filtered by DPI-SSL.

4. Monitor and Flush Excessive DPI-SSL Connections

Check if the DPI-SSL connection count is exceeding, which can lead to slowness for users. Flushing these connections and rebooting the firewall can help resolve performance issues.

Steps:

Navigate to Investigate > Connection Monitor.
Filter connections related to DPI-SSL.
Manually flush connections that appear stuck or excessive.
Reboot the firewall to clear the buffer completely and reset DPI-SSL processes.

Note: Flushing connections and rebooting should only be performed during a maintenance window to minimize user impact.

Additional Notes

Ensure all client devices trust the l DPI-SSL certificate to avoid SSL errors during inspection.
Regularly update firmware to benefit from DPI-SSL improvements and bug fixes.
Monitor user feedback for slowness or accessibility issues and adjust policies as needed.

Not Finding Your Answers?

ASK THE COMMUNITY

Was This Article Helpful?

YES NO

Ensuring DPI-SSL Functionality and Resolving Slowness

Description

Why Disable UDP on Ports 443 and 80?

Prerequisites

Resolution

1. Check DPI-SSL Exclusion List

2. Review the Connection Failure List

3. Create Deny Rules for UDP Ports 443 and 80

4. Monitor and Flush Excessive DPI-SSL Connections

Additional Notes

Related Articles

Categories

Not Finding Your Answers?

Was This Article Helpful?

Article Helpful Form

Article Not Helpful Form

Follow Us

Subscribe to newsletter

Stay In Touch