SonicOS 7.1 Firewall
Caveats and Advisories
- Self-signed and Untrusted CA enforcement – If enforcing either of these two options, it is strongly advised that you add the common names of any SSL-secured network appliances within your organization to the whitelist to ensure that connectivity to these devices is not interrupted. For example, the default subject name of a SonicWall network security appliance is 192.168.168.168, and the default common name of SonicWall SSL VPN appliances is 192.168.200.1.
- If your organization employs its own private Certificate Authority (CA), it is strongly advised that you import your private CA's certificate into the Device > Settings > Certificates store, particularly if you will be enforcing blocking of certificates issued by untrusted CAs.
- SSL Control inspection is currently only performed on TCP port 443 traffic. SSL negotiations occurring on non-standard ports will not be inspected at this time.
- Server Hello fragmentation – In some rare instances, an SSL server fragments the Server Hello. If this occurs, the current implementation of SSL Control does not decode the Server Hello. SSL Control policies are not applied to the SSL session, and the SSL session is allowed.
- Session termination handling – When SSL Control detects a policy violation and terminates an SSL session, it simply terminates the session at the TCP layer. Because the SSL session is in an embryonic state at this point, it is not currently possible to redirect the client or to provide any kind of informational notification of termination to the client.
- Whitelist precedence – The whitelist takes precedence over all other SSL Control elements. Any SSL server certificate which matches an entry in the whitelist will allow the SSL session to proceed, even if other elements of the SSL session are in violation of the configured policy. This is by design.
- The number of pre-installed (well-known) CA certificates is 93. The resulting repository is very similar to what can be found in most web browsers. Other certificate-related changes:
- The maximum number of CA certificates was raised from 6 to 256.
- The maximum size of an individual certificate was raised from 2,048 to 4,096.
- The maximum number of entries in the whitelist and blacklist is 1,024 each.
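The decision order the caveats above describe, as an added illustrative model (not SonicOS code and not an implementation of the real inspection engine): it shows where a session is never inspected (non-443 port, fragmented Server Hello), where the whitelist overrides everything else, and where the self-signed and untrusted-CA checks depend on the CA store. The ordering of blacklist, self-signed and untrusted-CA checks after the whitelist, and matching on certificate common name, are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Constructed model of the SSL Control caveats documented on this page.
# It is not SonicOS code; it only reproduces the documented decision order
# so that the uninspected cases and the whitelist precedence are visible.

@dataclass
class SslControlPolicy:
    block_self_signed: bool = False
    block_untrusted_ca: bool = False
    whitelist: set = field(default_factory=set)    # certificate common names
    blacklist: set = field(default_factory=set)    # certificate common names
    trusted_cas: set = field(default_factory=set)  # issuer names in the CA store

@dataclass
class SslSession:
    dst_port: int
    common_name: str
    issuer: str                    # issuer name; equals common_name when self-signed
    server_hello_fragmented: bool = False

def evaluate(policy: SslControlPolicy, s: SslSession) -> tuple:
    """Return (verdict, reason) following the order the caveats describe."""
    # Caveat: inspection is only performed on TCP port 443 traffic.
    if s.dst_port != 443:
        return ("allow", "not inspected: non-standard port")
    # Caveat: a fragmented Server Hello is not decoded, so no policy applies.
    if s.server_hello_fragmented:
        return ("allow", "not inspected: fragmented Server Hello")
    # Caveat: the whitelist takes precedence over every other element.
    if s.common_name in policy.whitelist:
        return ("allow", "whitelisted")
    # Order of the remaining checks is an assumption of this model.
    if s.common_name in policy.blacklist:
        return ("block", "blacklisted")  # terminated at TCP layer, no client notice
    if policy.block_self_signed and s.issuer == s.common_name:
        return ("block", "self-signed certificate")
    if policy.block_untrusted_ca and s.issuer not in policy.trusted_cas:
        return ("block", "issued by untrusted CA")  # import private CAs to avoid this
    return ("allow", "policy satisfied")
```

Running a session for the default appliance common name 192.168.168.168 through this model with enforcement enabled shows why the page advises whitelisting it: without the whitelist entry the self-signed check would block it.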