How to decrypt HTTPS Traffic using DPI-SSL?

08/25/2022 1,325 People found this article helpful 504,316 Views

Description

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

The following security services and features are capable of utilizing DPI-SSL:

Gateway Anti-Virus Gateway
Anti-Spyware
Intrusion Prevention
Content Filtering
Application Firewall
Packet Capture
Packet Mirror

Don't want to read? Watch instead!

Resolution

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.

Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this must be added manually.

Login to the SonicWall Management GUI.
Navigate to Policy| Deep Packet Inspection| On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
CAUTION: Before enabling SSL Client Inspection to make sure you have imported the client DPI-SSL Certificate in all the computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.

To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

IMPORTING THE CERTIFICATE ON THE COMPUTERS:

On the firewall go to Policy | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.

NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate . As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve Internet security.

For Chrome/Edge/IE:

Double click on the downloaded certificate
Select Install Certificate
Choose whether to install for the current user or the local machine
Select "Place all certificates in the following store"
Browse and select Trusted Root Certification Authoritiestab
ClickFinish. The Certificate Import Wizard will guide you through importing the certificate.

Firefox:

Enter in the URL: about:preferences#privacy
Scroll Down under Certificatesand click View Certificates
Click Import
Select the downloaded certificate
Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
Click OK

Mac,Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate . This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this has to be added manually.

Login to the SonicWall Management GUI.
Navigate to Manage | Deep Packet Inspection | SSL Client Deployment.
On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
CAUTION: Before enabling SSL Client Inspection make sure you have imported the client DPI-SSL Certificate in all the computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.

To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

IMPORTING THE CERTIFICATE ON THE COMPUTERS:

On the firewall go to Manage | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.

NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate . As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve Internet security

For Chrome/Edge/IE:
1. Double click on the downloaded certificate
2. Select Install Certificate
3. Choose whether to install for the current user or the local machine
4. Select "Place all certificates in the following store"
5. Browse and select Trusted Root Certification Authorities tab
6. Click Finish. The Certificate Import Wizard will guide you through importing the certificate.
Firefox:
1. Enter in the URL: about:preferences#privacy
2. Scroll Down under Certificates and click View Certificates
3. Click Import
4. Select the downloaded certificate
5. Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
6. Click Ok

Mac, Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

How to Test:

Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advanced tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website. Open the capture file. You will be able to see both HTTPS and HTTP traffic as below:

The screen shot below is an example of ESMTP (465) traffic being decrypted.