SonicOS 7.0 DPI-SSL

Configuring Exclusions and Inclusions

By the default, when DPI-SSL is enabled, it applies to all traffic on the appliance. You can customize to which traffic DPI-SSL inspection applies:

  • Exclusion/Inclusion lists exclude or include specified objects and groups
  • Common Name exclusions excludes specified host names
  • CFS Category-based Exclusion/Inclusion excludes or includes specified categories based on CFS categories

This customization allows individual exclusion or inclusion of alternate names for a domain that is part of a list of domains supported by the same server (certificate). In deployments that process a large amount of traffic, to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections, it can be useful to exclude trusted sources.

If DPI-SSL is enabled on the firewall when using Google Drive, Apple iTunes, or any other application with pinned certificates, the application may fail to connect to the server. To allow the application to connect, exclude the associated domains from DPI-SSL. For example, to allow Google Drive to work, exclude:

  • .google.com
  • .googleapis.com
  • .gstatic.com
  • As Google uses one certificate for all its applications, excluding these domains allows Google applications to bypass DPI-SSL.

    Alternatively, exclude the client machines from DPI-SSL.

    Was This Article Helpful?

    Help us to improve our support portal

    Techdocs Article Helpful form

    • Hidden
    • Hidden

    Techdocs Article NOT Helpful form

    • Still can't find what you're looking for? Try our knowledge base or ask our community for more help.
    • Hidden
    • Hidden