• SonicOS 7.1 Rules and Policies
• Overview
  • About SonicOS
  • SonicOS Workflow
  • How to Use the SonicOS Administration Guides
  • Guide Conventions
• Settings
  • Configuring App/Match/Malware
  • Configuring Content Filtering Service (CFS)
    • SonicWall CFS
    • CFS Custom Category
  • Geo-IP
    • Custom List
      • Editing a Custom List Entry
      • Deleting Custom List Entries
    • Using Geo-IP Diagnostics
  • Botnet
    • Configuring Botnet Settings
    • Creating Custom Botnet Lists
    • Viewing Dynamic Botnets Lists
    • Configuring a Dynamic Botnet List Server
    • Using Botnet Diagnostics
  • Decryption (DPI-SSL)
    • Certificate
    • Common Name
    • SSL Servers
  • Decryption (DPI-SSH)
  • Signature Update
• Security Policy
  • User & Country
  • App/URL/Custom Match
• NAT Policy
  • About NAT in SonicOS
  • About NAT Load Balancing
    • Determining the NAT LB Method to Use
    • Caveats
    • How Load Balancing Algorithms are Applied
    • Sticky IP Algorithm Examples
      • Example One - Mapping to a Network
      • Example Two - Mapping to an IP Address Range
  • About NAT64
    • Use of Pref64::/n
  • About FQDN-based NAT
  • About Source MAC Address Override
  • Viewing NAT Policy Entries
    • Changing the Display
    • Filtering the Display
  • Adding or Editing NAT or NAT64 Rule Policies
  • Deleting NAT Policies
  • Creating NAT Rule Policies: Examples
    • Creating a One-to-One NAT Policy for Inbound Traffic
    • Creating a One-to-One NAT Policy for Outbound Traffic
    • Inbound Port Address Translation via One-to-One NAT Policy
    • Inbound Port Address Translation via WAN IP Address
    • Creating a Many-to-One NAT Policy
    • Creating a Many-to-Many NAT Policy
    • Creating a NAT Load Balancing Policy for Two Web Servers
• Routing
  • About Routing
    • About Metrics and Administrative Distance
      • About Metrics
      • About Administrative Distance
    • Route Advertisement
    • ECMP Routing
    • Policy-based Routing
    • Policy-based TOS Routing
    • PBR Metric-based Priority
    • Policy-based Routing and IPv6
    • OSPF and RIP Advanced Routing Services
      • About Routing Services
        • Protocol Type
        • Maximum Hops
        • Split-Horizon
        • Poison Reverse
        • Routing Table Updates
        • Subnet Sizes Supported
        • Autonomous System Topologies
      • OSPF Terms
    • Drop Tunnel Interface
    • App-based Routing
  • Rules and Policies >
    • Configuring
      • Adding Static Routes
      • Probe-Enabled Policy-based Routing Configuration
• Decryption Policy
  • Client-side SSL Rules
  • Server-side SSL Rules
  • SSH Rules
  • Setting up the Decryption Policy Table
    • Managing the Decryption Policy Toolbars
    • Changing the Policy Priority
    • Creating Decryption Policies
      • Adding Decryption Policies
      • Editing Decryption Policies
      • Deleting Decryption Policies
• DoS Policy
  • Setting up the DoS Policy Table
    • Managing the DoS Policy Toolbars
    • Changing the DoS Policy Priority
    • Creating DoS Policies
      • Adding DoS Policies
      • Editing DoS Policies
      • Deleting DoS Policies
• DNS Policy
  • Creating DNS Policies
    • Adding DNS Policies
    • Editing DNS Policies
    • Deleting DNS Policies
  • DNS Doctoring
• Endpoint Policy
• Shadow
• SonicWall Support
  • About This Document

Decryption (DPI-SSL)

The Decryption (DPI-SSL) page provides a list of inspection types available. In the General tab, you can configure settings for:

• SSL Client Inspection
• SSL Server Inspection

The configure the desired inspection type

1. Navigate to POLICY | Rules and Policies > Settings > Decryption (DPI-SSL) | General.

   

   SSL Client Inspection

   These settings function in conjunction with your Decryption Policies. For example, when "Enable SSL Client Inspection" is disabled, then all the Client-side SSL Decryption rules are inactive.

   Enable SSL Client Inspection	Click to enable SSL Client Inspection.
   Always authenticate server for decrypted connections	When enabled for decrypted/intercepted connections, DPI-SSL: Blocks connections to sites with untrusted certificates. Blocks connections when the domain name in the Client Hello cannot be validated against the Server Certificate for this connection.
   Deployments wherein the firewall sees a single server IP for different server domains, such as a Proxy setup	When disabled, use of a server IP address-based dynamic cache is marked for exclusion.
   Allow SSL without decryption (bypass) when connection limit exceeded	When enabled, allows SSL to proceed without decryption (bypass) when exceeding the connection limit. By default, new connections are dropped when the connection exceeds the limit.
   Audit new default exclusion domain names prior to being added for exclusion	Audits new built-in exclusion domain names prior to being added for exclusion.
   Always authenticate server before applying exclusion policy	When enabled for excluded connections, DPI-SSL: Blocks connections to sites with untrusted certificates. Blocks connections when the domain name in the Client Hello cannot be validated against the Server Certificate for this connection.

   SSL Server Inspection

   These settings function in conjunction with your Decryption Policies. For example, when "Enable SSL Server Inspection" is disabled, then all the server-side SSL Inspection rules are inactive.

   Enable SSL Server Inspection

   Click to enable SSL Server Inspection.

2. Click Accept.