SonicOS 7.0 DPI-SSL

DPI-SSL/TLS Client > Deploying the DPI-SSL/TLS Client > Configuring Exclusions and Inclusions > Configuring Exclusions and Inclusions by Common Name > Showing Connection Failures
Table of Contents

Showing Connection Failures

SonicOS keeps a list of recent DPI-SSL client-related connection failures. This is a powerful feature that:

  • Lists DPI-SSL failed connections.
  • Allows you to audit the failed connections.
  • Provide a mechanism to automatically exclude some failing domains.

The dialog box displays the run-time connection failures. The connection failures could be any of the following reasons:

  • Failure to handshake with the Client
  • Failure to handshake with the Server
  • Failed to validate the domain name in the Client Hello
  • Failure to authenticate the server (the server certificate issuer is not trusted)

The failure list is only available at run-time. The number logged for each failure is limited to ensure a single failure type does not overrun the entire buffer.

To use the connection failure list

  1. Navigate to the POLICY | DPI-SSL > Client SSL.
  2. Click Common Name.

  3. Scroll to Common Name: Exclusions/Inclusions.

  4. Click Show Connection Failures.

    Each entry in this lists displays:

    • Client Address
    • Server Address
    • Common Name – The common name of the failed connection’s domain. You can edit this entry inline before adding it to the automatic exclusion list.
    • Error Message – Provides contextual information associated with the connection that enables you to make appropriate choices about excluding this connection.

  5. Perform the actions as necessary on the list:

    Add an entry to the exclusion list
    1. Select the entry.
    2. Make any edits to the entry.
    3. Click Exclude.
    Delete an entry Select the entry to be deleted and click the Clear icon.
    Delete all entries Click the Clear All icon.
  6. Click Close when finished.