• SonicOS 7.0
• About DPI-SSL
  • Using DPI-SSL
    • Supported Features
      • Support for Local CRL
      • TLS Certificate Status Request Extension
      • Support for Ciphers
      • DPI-SSL and CFS HTTPS Content Filtering Work Independently
      • Original Port Numbers Retained in Decrypted Packets
    • Security Services
  • Deployment Scenarios
  • Proxy Deployment
  • Customizing DPI-SSL
  • Connections per Appliance Model
• DPI-SSL/TLS Client
  • Deploying the DPI-SSL/TLS Client
    • Configuring General DPI-SSL/TLS Client Settings
      • Enabling DPI-SSL Client on a Zone
    • Selecting the Re-Signing Certificate Authority
      • Adding Trust to the Browser
    • Configuring Exclusions and Inclusions
      • Configuring Exclusions and Inclusions by Objects and Groups
      • Configuring Exclusions and Inclusions by Common Name
        • Viewing Status of DPI-SSL Default Exclusions
        • Rejecting or Accepting Default Common Names
        • Adding Custom Common Names
        • Editing Custom Common Names
        • Deleting Custom Common Names
        • Showing Connection Failures
        • Updating Default Exclusions Manually
      • Configuring Exclusions and Inclusions by CFS Category
  • Applying DPI-SSL/TLS Client
    • Performing Content Filtering using DPI-SSL
    • Filtering Content by App Rules using DPI-SSL
      • Enabling App Control Service on a Zone
  • Viewing DPI-SSL Status
• DPI-SSL/TLS Server
  • Deploying the DPI-SSL/TLS Server
    • Configuring General DPI-SSL/TLS Server Settings
      • Enabling DPI-SSL Server on a Zone
    • Configuring Exclusions and Inclusions
    • Configuring Server-to-Certificate Pairings
• SonicWall Support
  • About This Document

Showing Connection Failures

SonicOS keeps a list of recent DPI-SSL client-related connection failures. This is a powerful feature that:

• Lists DPI-SSL failed connections.
• Allows you to audit the failed connections.
• Provide a mechanism to automatically exclude some failing domains.

The dialog box displays the run-time connection failures. The connection failures could be any of the following reasons:

• Failure to handshake with the Client
• Failure to handshake with the Server
• Failed to validate the domain name in the Client Hello
• Failure to authenticate the server (the server certificate issuer is not trusted)

The failure list is only available at run-time. The number logged for each failure is limited to ensure a single failure type does not overrun the entire buffer.

To use the connection failure list

1. Navigate to the POLICY | DPI-SSL > Client SSL.
2. Click Common Name.

3. Scroll to Common Name: Exclusions/Inclusions.

   

4. Click Show Connection Failures.

   

   Each entry in this lists displays:

   • Client Address
   • Server Address
   • Common Name – The common name of the failed connection’s domain. You can edit this entry inline before adding it to the automatic exclusion list.
   • Error Message – Provides contextual information associated with the connection that enables you to make appropriate choices about excluding this connection.

5. Perform the actions as necessary on the list:

   Add an entry to the exclusion list	Select the entry. Make any edits to the entry. Click Exclude.
   Delete an entry	Select the entry to be deleted and click the Clear icon.
   Delete all entries	Click the Clear All icon.

6. Click Close when finished.