How to decrypt HTTPS Traffic using DPI-SSL?

Description

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

The following security services and features are capable of utilizing DPI-SSL:

  • Gateway Anti-Virus Gateway
  • Anti-Spyware
  • Intrusion Prevention
  • Content Filtering
  • Application Firewall
  • Packet Capture
  • Packet Mirror

Don't want to read? Watch instead!

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this must be added manually.

  • Login to the SonicWall Management GUI.
  • Navigate to Policy| Deep Packet Inspection| On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
    CAUTION:  Before enabling SSL Client Inspection to make sure you have imported the client DPI-SSL Certificate in all the computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.
    Image 

To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

  • IMPORTING THE CERTIFICATE ON THE COMPUTERS:

 On the firewall go to Policy | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.

  Image

NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate . As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve Internet security.

For Chrome/Edge/IE: 

  1. Double click on the downloaded certificate
  2. Select Install Certificate
  3. Choose whether to install for the current user or the local machine
  4. Select "Place all certificates in the following store"
  5. Browse and select Trusted Root Certification Authoritiestab
  6. ClickFinish. The Certificate Import Wizard will guide you through importing the certificate.

          Image

   

Firefox:

  1. Enter in the URL: about:preferences#privacy
  2. Scroll Down under Certificatesand click View Certificates
  3. Click Import
  4. Select the downloaded certificate
  5. Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
  6. Click OK

             Image

       

Mac,Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

 

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate . This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this has to be added manually.

  • Login to the SonicWall Management GUI.
  • Navigate to Manage | Deep Packet Inspection | SSL Client Deployment.
  • On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
    CAUTION: Before enabling SSL Client Inspection make sure you have imported the client DPI-SSL Certificate in all the computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.
     
    Image
    To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

IMPORTING THE CERTIFICATE ON THE COMPUTERS:

  • On the firewall go to Manage | Deep Packet Inspection | SSL Client DeploymentCertificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.
    Image

NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate . As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve Internet security

  • For Chrome/Edge/IE: 
    1. Double click on the downloaded certificate
    2. Select Install Certificate
    3. Choose whether to install for the current user or the local machine
    4. Select "Place all certificates in the following store"
    5. Browse and select Trusted Root Certification Authorities tab
    6. Click Finish. The Certificate Import Wizard will guide you through importing the certificate.
  • ImageImage
  • Firefox:
    1. Enter in the URL: about:preferences#privacy
    2. Scroll Down under Certificates and click View Certificates
    3. Click Import
    4. Select the downloaded certificate
    5. Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
    6. Click Ok

      ImageImage
  • Mac, Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

How to Test:

Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advanced tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website. Open the capture file. You will be able to see both HTTPS and HTTP traffic as below:
Image
The screen shot below is an example of ESMTP (465) traffic being decrypted.

Image

Related Articles

  • SonicWall UTM throws an error : " Invalid Authentication " Error: SN and EPAID Do Not Match
    Read More
  • Firewall logs show frequent probe status changes after upgrade
    Read More
  • SSO Agent 4.0: Installation, Configurations, and troubleshooting
    Read More

Categories

Firewalls
TZ Series
DPI-SSL
Firewalls
SonicWall NSA Series
DPI-SSL
Firewalls
NSa Series
Client/Server DPI-SSL
Firewalls
NSv Series
Client/Server DPI-SSL
not finding your answers?
Ask the Community
was this article helpful?
YesNo