SonicOS 7.0 DPI-SSL
- SonicOS 7.0
- About DPI-SSL
- DPI-SSL/TLS Client
- Deploying the DPI-SSL/TLS Client
- Applying DPI-SSL/TLS Client
- Viewing DPI-SSL Status
- DPI-SSL/TLS Server
- SonicWall Support
Configuring General DPI-SSL/TLS Client Settings
From the General Settings, you can set the services to be included with which to perform inspection, authenticate decrypted or intercepted connections, and allow or deny expired CA.
Make sure that DPI-SSL Client is enabled on a zone or zones according to Enabling DPI-SSL Client on a Zone to apply the DPI-SSL settings.
To enable SSL Client inspection
-
Navigate to POLICY | DPI-SSL > Client SSL.
By the default, Client SSL page displays the General tab.
- Enable SSL Client Inspection to enable inspection of the encrypted HTTPS traffic.
-
Enable one or more services with which to perform inspection:
- Intrusion Prevention
- Gateway Anti-Virus
- Gateway Anti-Spyware
- Application Firewall
- Content Filter
-
Set the remaining General Settings.
Always authenticate server for decrypted connections To authenticate servers for decrypted or intercepted connections.
When enabled this option, DPI-SSL blocks connections:
- To sites with untrusted certificates.
- If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.
Only enable this option if you need a high level of security. Blocked connections show up in the connection failures list, as described in Showing Connection Failures.
Use the Skip CFS Category-based Exclusion option (refer to Adding Custom Common Names) along with this option to exclude a particular domain or domains from this global authenticate option. This is useful to override any server authentication-related failures of trusted sites.
Allow Expired CA To allow expired or intermediate CAs.
Allow Expired CA becomes available only when Always authenticate server for decrypted connections is enabled.
If it is not selected, connections are blocked if the domain name in the Client Hello cannot be validated against the server certificate for the connections.
Deployments wherein the Firewall sees a single server IP for different server domains, ex: Proxy setup To disable use of the server IP address-based dynamic cache for exclusion.
This option is useful for proxy deployments, where all client browsers redirect to a proxy server, including if appliance is between the client browsers and the proxy server. All DPI-SSL features are supported, including domain exclusions when the domain is part of a virtual hosting server, as part of a server farm fronted with a load balancer, or in some cloud deployments, wherein the same server IP can be used by multiple domains.
In such deployments, all server IPs as seen by the appliance are the proxy server’s IP. It is, therefore, imperative that in proxy deployments, IP-based exclusion cache is disabled. Enabling this option does not affect SonicOS’s capability to perform exclusions.
Allow SSL without decryption (bypass) when connection limit exceeded To allow new connections to bypass decryption instead of being dropped when the connection limit is exceeded.
By the default, this option is enabled and new connections over the DPI-SSL connection limit are bypassed.
Disable Allow SSL without decryption (bypass) when connection limit exceeded to ensure new connections over the DPI-SSL connection limit are dropped.
Audit new built-in exclusion domain names prior to being added for exclusion
To audit new, built-in exclusion domain names before they are added for exclusion.
When this option is enabled, whenever changes to the built-in exclusion list occur, for example, an upgrade to a new firmware image or other system-related actions, a notification pop-up dialog displays over the Decryption Services > DPI-SSL/TLS Client page with the changes. You can inspect or audit the new changes and accept or reject any, some, or all of the new changes to the built-in exclusion list. At this point, the run-time exclusion list is updated to reflect the new changes.
If this option is disabled, SonicOS accepts all new changes to the built-in exclusion list and adds them automatically.
Always authenticate server before applying exclusion policy To always authenticate a server before applying a common-name or category exclusion policy.
When enabled, DPI-SSL blocks excluded connections:
- To sites with untrusted certificates.
- If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.
This is a useful feature to authenticate the server connection before applying exclusion policies. Enabling this option ensures that the appliance does not blindly apply exclusion on connections and thereby create a security hole for exclusion sites or sites belonging to excluded categories. This is especially relevant when banking sites, as a category, are excluded.
By validating both the server certificate and the domain name in the Client Hello before applying an exclusion policy, SonicOS can reject untrusted sites and potentially block a type of zero-day attack from taking place. The SonicOS implementation takes the trust-but-verify approach to ensure that a domain name that matches the exclusion policy criteria is validated first, thus preventing an unsuspecting client from phishing or URL-redirect-related attacks.
If you are excluding alternate domains in the Subject-Alternate-Name extension, it is recommended that you enable this option.
Use the Skip CFS Category-based Exclusion option (refer to Adding Custom Common Names) along with this option to exclude a particular domain or domains from this global authenticate option. This is useful to override any server authentication-related failures of trusted sites.
- Click Accept.
Was This Article Helpful?
Help us to improve our support portal