SonicOS 7.0 DPI-SSL

Enabling SSL Client Inspection

To enable SSL Client inspection

  1. Navigate to POLICY | DPI-SSL > Client SSL.

  2. Click General.

  3. Select Enable SSL Client Inspection. This option is not selected by default.

  4. Select one or more services with which to perform inspection; none are selected by default:

    • Intrusion Prevention
    • Gateway Anti-Virus
    • Gateway Anti-Spyware
    • Application Firewall
    • Content Filter

  5. To authenticate servers for decrypted/intercepted connections, select Always authenticate server for decrypted connections. When enabled, DPI-SSL blocks connections:

    • To sites with untrusted certificates.

    • If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.

This option is not selected by default. When it is selected, Allow Expired CA becomes available.

Enable this option only if you need this level of server validation, since connections that fail either check are blocked outright. Blocked connections appear in the connection failures list, as described in Showing Connection Failures.

If you enable this option, use the Skip CFS Category-based Exclusion option (see Excluding/Including Common Names) to exempt particular domains from this global authentication check. This is useful to override server authentication failures of sites you trust.

  6. To allow connections whose certificate chain contains an expired root or intermediate CA certificate, select Allow Expired CA. This option is not selected by default. If it is not selected, connections whose chain includes an expired CA certificate fail server authentication and are blocked.

  7. To disable the server IP address-based dynamic cache used for exclusions, select Deployments wherein the Firewall sees a single server IP for different server domains, ex: Proxy setup. This option is not selected by default.

This option is intended for proxy deployments, where all client browsers are redirected to a proxy server and the appliance sits between the browsers and the proxy. All DPI-SSL features remain supported, including domain exclusions when the domain is hosted on a virtual hosting server, behind a load balancer fronting a server farm, or in a cloud deployment where one server IP serves multiple domains.

In such deployments every server IP the appliance sees is the proxy server’s IP, so an exclusion cache keyed on server IP would apply one domain’s exclusion to every other domain reached through that proxy. It is therefore imperative that the IP-based exclusion cache be disabled in proxy deployments. Enabling this option does not affect SonicOS’s ability to perform exclusions.

  8. By default, new connections that exceed the DPI-SSL connection limit are bypassed: they are passed through without decryption, and therefore without inspection by the services selected in step 4, rather than dropped. This behavior is controlled by the Allow SSL without decryption (bypass) when connection limit exceeded checkbox, which is selected by default.

To drop new connections over the DPI-SSL connection limit instead, deselect this checkbox.

  9. To audit new built-in exclusion domain names before they are added for exclusion, select the Audit new built-in exclusion domain names prior to being added for exclusion checkbox. This option is not selected by default.

When this option is enabled, whenever the built-in exclusion list changes, for example after an upgrade to a new firmware image or another system-related action, a notification pop-up dialog displays over the Decryption Services > DPI-SSL/TLS Client page listing the changes. You can inspect/audit the changes and accept or reject any, some, or all of them. The run-time exclusion list is then updated to reflect the changes you accepted.

If this option is disabled, SonicOS accepts all new changes to the built-in exclusion list and adds them automatically.

  10. To authenticate a server before applying a common-name or category exclusion policy, select the Always authenticate server before applying exclusion policy checkbox. This option is not selected by default. When enabled, DPI-SSL blocks excluded connections:

    • To sites with untrusted certificates.
    • If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.

Without this option, an exclusion is applied on the strength of the domain name alone: a connection whose name matches an excluded common name or belongs to an excluded category is passed through undecrypted and uninspected. That creates a security hole for excluded sites and categories, because a server presenting an untrusted or mismatched certificate under an excluded name is never examined. This is especially relevant when banking sites, as a category, are excluded.

By validating both the server certificate and the domain name in the Client Hello before applying an exclusion policy, SonicOS can reject untrusted sites and block phishing or URL-redirect attacks that rely on an excluded name being waved through. The SonicOS implementation takes a “trust-but-verify” approach: a domain name that matches the exclusion criteria is validated first and only then excluded.

If you exclude alternate domains listed in a certificate’s Subject Alternative Name (SAN) extension, enable this option.

If you enable this option, use the Skip CFS Category-based Exclusion option (see Excluding/Including Common Names) to exempt particular domains from this global authentication check. This is useful to override server authentication failures of sites you trust.

  11. Click Accept.
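To make the interaction of these options concrete, the following is an added example in Python, not SonicOS code and not part of this page. It models the decisions described in steps 5 through 10 as a small policy function, implements the check of the Client Hello domain name against the certificate’s SAN/CN that the page refers to, and includes a live probe a client behind the firewall can run to see which CA actually signed the certificate it received. The names online.bank.example and cdn.attacker.example are hypothetical, the certificate records are constructed sample data, and two points are assumptions of the model rather than documented behavior: the relative order in which the checks are applied, and that Allow Expired CA also governs the authentication performed before an exclusion is applied.

```python
"""Decision model for the Client SSL options described on this page.

Added example, not SonicOS code: option names are the page's, the decision logic is
reconstructed from the page's description of each option, and the certificates are
constructed sample data shaped like ssl.SSLSocket.getpeercert(). Check order is assumed.
"""
import socket
import ssl
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class ClientSslSettings:
    always_authenticate_server: bool = False     # Always authenticate server for decrypted connections
    allow_expired_ca: bool = False               # Allow Expired CA (offered only with the option above)
    bypass_when_limit_exceeded: bool = True      # Allow SSL without decryption (bypass) when limit exceeded
    authenticate_before_exclusion: bool = False  # Always authenticate server before applying exclusion policy


def hostname_matches(sni: str, cert: dict) -> bool:
    """Validate the Client Hello domain name (SNI) against the server certificate:
    SAN dNSName entries, or the subject CN only when there is no SAN; a wildcard
    covers exactly one leftmost label (RFC 6125 rules)."""
    sni = sni.lower().rstrip(".")
    names = [v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [v.lower() for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            label, _, parent = sni.partition(".")
            if label and parent == name[2:]:
                return True
        elif name == sni:
            return True
    return False


def authenticate_server(sni: str, cert: dict, trust: str, s: ClientSslSettings) -> Optional[str]:
    """Return a block reason, or None when the server passes. trust is the chain result:
    "trusted", "untrusted", or "expired_ca" (valid chain but a CA certificate has expired)."""
    if trust == "untrusted":
        return "untrusted certificate"
    if trust == "expired_ca" and not s.allow_expired_ca:
        return "expired CA certificate"
    if not hostname_matches(sni, cert):
        return "Client Hello domain name does not match server certificate"
    return None


def decide(sni: str, cert: dict, trust: str, s: ClientSslSettings,
           excluded: bool = False, over_limit: bool = False) -> Tuple[str, str]:
    """Return (action, reason); action is "decrypt", "bypass" or "block"."""
    if excluded:  # a common-name or CFS-category exclusion matched this connection
        if s.authenticate_before_exclusion:
            reason = authenticate_server(sni, cert, trust, s)
            if reason:
                return ("block", reason)
        return ("bypass", "exclusion policy")
    if over_limit:  # DPI-SSL connection limit already reached
        return ("bypass" if s.bypass_when_limit_exceeded else "block", "connection limit exceeded")
    if s.always_authenticate_server:
        reason = authenticate_server(sni, cert, trust, s)
        if reason:
            return ("block", reason)
    return ("decrypt", "inspected")


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live check from a client behind the firewall: the certificate the client really
    receives. Under DPI-SSL its issuer is the firewall's resigning CA; if that CA is not
    trusted here, ssl.SSLCertVerificationError is raised, itself a sign of interception."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates with hypothetical names.
BANK_CERT = {
    "subject": ((("commonName", "online.bank.example"),),),
    "subjectAltName": (("DNS", "online.bank.example"), ("DNS", "*.bank.example")),
}
LOOKALIKE_CERT = {  # genuinely valid for another name, served to a client that asked for the bank
    "subject": ((("commonName", "cdn.attacker.example"),),),
    "subjectAltName": (("DNS", "cdn.attacker.example"),),
}


def demo() -> dict:
    """The cases the page warns about, as {scenario: (action, reason)}."""
    bank, s0 = "online.bank.example", ClientSslSettings()
    strict = ClientSslSettings(always_authenticate_server=True)
    cases = {
        "defaults, lookalike cert": (LOOKALIKE_CERT, "trusted", s0, {}),
        "authenticate, untrusted chain": (BANK_CERT, "untrusted", strict, {}),
        "authenticate, expired CA": (BANK_CERT, "expired_ca", strict, {}),
        "authenticate + Allow Expired CA": (BANK_CERT, "expired_ca", ClientSslSettings(True, True), {}),
        "authenticate, SNI mismatch": (LOOKALIKE_CERT, "trusted", strict, {}),
        "banking category excluded": (LOOKALIKE_CERT, "trusted", s0, {"excluded": True}),
        "excluded, authenticate first": (LOOKALIKE_CERT, "trusted",
                                         ClientSslSettings(authenticate_before_exclusion=True), {"excluded": True}),
        "over limit, bypass disabled": (BANK_CERT, "trusted",
                                        ClientSslSettings(bypass_when_limit_exceeded=False), {"over_limit": True}),
    }
    return {name: decide(bank, cert, trust, s, **kw) for name, (cert, trust, s, kw) in cases.items()}
```

Calling demo() shows the point of step 10 directly: with everything at defaults, a banking-category exclusion bypasses a connection for online.bank.example even though the server presented a certificate for cdn.attacker.example, while the same connection is blocked once Always authenticate server before applying exclusion policy is on. fetch_peer_cert() needs network access and is not exercised by demo(); run it against a site you expect to be decrypted and inspect the issuer to confirm that inspection, and not a silent bypass, is in effect.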
