• SonicOS 7.0
• About DPI-SSL
  • Using DPI-SSL
    • Supported Features
      • Support for Local CRL
      • TLS Certificate Status Request Extension
      • Support for Ciphers
      • DPI-SSL and CFS HTTPS Content Filtering Work Independently
      • Original Port Numbers Retained in Decrypted Packets
    • Security Services
  • Deployment Scenarios
  • Proxy Deployment
  • Customizing DPI-SSL
  • Connections per Appliance Model
• DPI-SSL/TLS Client
  • Deploying the DPI-SSL/TLS Client
    • Configuring General DPI-SSL/TLS Client Settings
      • Enabling DPI-SSL Client on a Zone
    • Selecting the Re-Signing Certificate Authority
      • Adding Trust to the Browser
    • Configuring Exclusions and Inclusions
      • Configuring Exclusions and Inclusions by Objects and Groups
      • Configuring Exclusions and Inclusions by Common Name
        • Viewing Status of DPI-SSL Default Exclusions
        • Rejecting or Accepting Default Common Names
        • Adding Custom Common Names
        • Editing Custom Common Names
        • Deleting Custom Common Names
        • Showing Connection Failures
        • Updating Default Exclusions Manually
      • Configuring Exclusions and Inclusions by CFS Category
  • Applying DPI-SSL/TLS Client
    • Performing Content Filtering using DPI-SSL
    • Filtering Content by App Rules using DPI-SSL
      • Enabling App Control Service on a Zone
  • Viewing DPI-SSL Status
• DPI-SSL/TLS Server
  • Deploying the DPI-SSL/TLS Server
    • Configuring General DPI-SSL/TLS Server Settings
      • Enabling DPI-SSL Server on a Zone
    • Configuring Exclusions and Inclusions
    • Configuring Server-to-Certificate Pairings
• SonicWall Support
  • About This Document

Supported Features

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall’s Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted (intercepted) transparently, scanned for threats, and then re-encrypted and, if no threats or vulnerabilities are found, sent along to its destination.

DPI-SSL provides additional security, application control, and data-leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic. DPI-SSL supports:

• Transport Layer Security (TLS) Handshake Protocol 1.2 and earlier versions – The TLS 1.2 communication protocol is supported during SSL inspection/decryption between the firewall and the server in DPI-SSL deployments (previously, TLS 1.2 was only supported between client and firewall). SonicOS also supports TLS 1.2 in other areas as well.
• SHA-256 – All re-signed server certificates are signed with the SHA-256 hash algorithm.
• Perfect Forward Secrecy (PFS) – Perfect Forward Secrecy-based ciphers and other stronger ciphers are prioritized over weak ciphers in the advertised cipher suite. As a result, the client or server is not expected to negotiate a weak cipher unless the client or server does not support a strong cipher.

DPI-SSL also supports application-level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also applies to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.

DPI-SSL for both client and server can be controlled by Access Rules.

• Support for Local CRL
• TLS Certificate Status Request Extension
• Blocking of SSH X11 Forwarding
• Support for ECDSA-Related Cipher
• DPI-SSL and CFS HTTPS Content Filtering Work Independentlyt
• Original Port Numbers Retained in Decrypted Packets