• SonicOS 7.1
• About SonicOS
  • Working with SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• About DPI-SSL
  • Using DPI-SSL
    • Supported Features
      • Support for Local CRL
      • TLS Certificate Status Request Extension
      • Support for Ciphers
      • DPI-SSL and CFS HTTPS Content Filtering Work Independently
      • Original Port Numbers Retained in Decrypted Packets
    • Security Services
  • Deployment Scenarios
  • Proxy Deployment
  • Customizing DPI-SSL
  • Connections per Appliance Model
• DPI-SSL/TLS Client
  • Deploying the DPI-SSL/TLS Client
    • Configuring General DPI-SSL/TLS Client Settings
      • Enabling DPI-SSL Client on a Zone
    • Selecting the Re-Signing Certificate Authority
      • Adding Trust to the Browser
    • Configuring Exclusions and Inclusions
      • Configuring Exclusions and Inclusions by Objects and Groups
      • Configuring Exclusions and Inclusions by Common Name
        • Viewing Status of DPI-SSL Default Exclusions
        • Rejecting or Accepting Default Common Names
        • Adding Custom Common Names
        • Editing Custom Common Names
        • Deleting Custom Common Names
        • Showing Connection Failures
        • Updating Default Exclusions Manually
      • Configuring Exclusions and Inclusions by CFS Category
  • Applying DPI-SSL/TLS Client
    • Performing Content Filtering using DPI-SSL
    • Filtering Content by App Rules using DPI-SSL
      • Enabling App Control Service on a Zone
  • Viewing DPI-SSL Status
• DPI-SSL/TLS Server
  • Deploying the DPI-SSL/TLS Server
    • Configuring General DPI-SSL/TLS Server Settings
      • Enabling DPI-SSL Server on a Zone
    • Configuring Exclusions and Inclusions
    • Configuring Server-to-Certificate Pairings
• SonicWall Support
  • About This Document

Supported Features

DPI-SSL supports:

• By the default, DPI-SSL supports only TLS 1.3 and TLS 1.2. If any customer wants to add TLS 1.0 and/or TLS 1.1, they can enable them on diag page. To support TLS 1.1 or TLS 1.0, customer can enable the necessary option and reboot firewall. Make sure that the firewall is rebooted to apply the changes.

  

• SHA-256 – All re-signed server certificates are signed with the SHA-256 hash algorithm.
• Perfect Forward Secrecy (PFS) – Perfect Forward Secrecy-based ciphers and other stronger ciphers are prioritized over weak ciphers in the advertised cipher suite. As a result, the client or server is not expected to negotiate a weak cipher unless the client or server does not support a strong cipher.

DPI-SSL does not support SSL 3.0 which is forbidden, no option to restore it.

DPI-SSL also supports application-level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also applies to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.

DPI-SSL for both client and server can be controlled by Access Rules.

• Support for Local CRL
• TLS Certificate Status Request Extension
• Support for Ciphers
• DPI-SSL and CFS HTTPS Content Filtering Work Independently
• Original Port Numbers Retained in Decrypted Packets