How to block OpenDoor proxy using App Rules and Client DPI-SSL
06/05/2023 337 People found this article helpful 482,139 Views
Description
OpenDoor is a proxy application for Apple iPad, iPhone and iPad. OpenDoor allows users to bypass firewall restrictions and browse the Internet freely. It is a browser based proxy using HTTPS to establish connections.
This article describes how to block OpenDoor using App Rules (Application Firewall) with Client DPI-SSL enabled.
Resolution
Resolution for SonicOS 7.X
This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.
Here's how to block OpenDoor using App Rules:
- Login to the Firewall management,then navigate to Object | Match Objects | Match Object
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:
6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
6F70656E646F6F72 (hex for opendoor)
637269747465726369736d2e636f6d (hex for crittercism.com)
6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)
- Click OK to save.
- Navigate to the Policy | Rules and Policy | App rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
- On the App control page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the Policy | DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Resolution for SonicOS 6.5
This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.
Here's how to block OpenDoor using App Rules:
- Login to Firewall management, then navigate to Manage | Object | Match Objects.
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
6F70656E646F6F72 (hex for opendoor)
637269747465726369736d2e636f6d (hex for crittercism.com)
6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com) - Click OK to save.
9.Navigate to the Manage| Rules | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
10.On the App Rules page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Resolution for SonicOS 6.2 and Below
The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.
Here's how to block OpenDoor using App Rules:
- Go to Firewall | Match Objects.
- Click on Add New Match Object to open the Add/Edit Match Object window.
- Under Object Name, enter a name for this Match Object.
- Under Match Object Type, select Custom Object from the drop-down.
- Set Match Type to Exact Match (default).
- Set Input Representation to Hexadecimal.
- Enter the following hexadecimal values under Content and click on Add after each value:
- 6170690b637269747465726369736d03636f6d (hex for api.crittercism.com)
- 6F70656E646F6F72 (hex for opendoor)
- 637269747465726369736d2e636f6d (hex for crittercism.com)
- 6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)
- Click OK to save.
- Navigate to the Firewall | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
- On the App Rules page enable check box Enable App Rules.
Enabling Client DPI-SSL
Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy
- Navigate to the DPI-SSL | Client SSL page.
- Enable check box Enable SSL Client Inspection.
- Enable check box Intrusion Prevention.
- Click on Accept at the top to save the changes.
Testing
Test by accessing a website in the OpenDoor browser.
Related Articles
Categories