• SonicOSX 7
• Advanced
  • Changing Between SonicOS and SonicOSX
    • Changing From Policy to Classic Mode
    • Changing From Classic to Policy Mode
  • Detection Prevention
  • Dynamic Ports
  • Source Routed Packets
  • Access Rule Options
  • IP and UDP Checksum Enforcement
  • Jumbo Frame
  • Connections
  • Control Plane Flood Protection
  • IPv6 Advanced Configuration
• SSL Control
  • Key Features of SSL Control
  • Key Concepts to SSL Control
  • Caveats and Advisories
  • Configuring SSL Control
  • Custom List
  • Enabling SSL Control on Zones
• Cipher Control
  • TLS Ciphers
    • Blocking/Unblocking Ciphers
    • Filtering Ciphers
      • Selecting Display Options
      • Displaying Ciphers by Strength
      • Displaying Ciphers by Block/Unblock
      • Displaying Ciphers by CBC Mode
      • Displaying Ciphers by TLS Protocol Version
  • SSH Ciphers
• Real-Time Black List (RBL) Filter
  • Configuring the RBL Filter
    • Enabling RBL Blocking
    • Adding RBL Services
    • Configuring User-Defined SMTP Server Lists
      • Configuring a White List
      • Configuring a Black List
    • Testing SMTP IP Addresses

Cipher Control

You can allow or block any or all TLS and SSH ciphers in SonicOSX. This functionality applies to:

• DPI-SSL (TLS traffic inspected by the firewall)
• https MGMT (TLS sessions accessing the firewall)
• SSL Control (inspect TLS traffic passing through the firewall: non DPI-SSL)

Any change to the TLS ciphers apply to all TLS traffic.

The list of ciphers displayed in the Network > Firewall > Cipher Control page are a list of known TLS ciphers. The list of ciphers is a super set of supported ciphers. While this list contains all known ciphers, DPI-SSL and HTTPS MGMT support a much smaller list of ciphers. For example, DPI-SSL and HTTPS MGMT do not yet support TLS 1.3 ciphers or support some weak ciphers that are listed in Network > Firewall > Cipher Control.

The ciphers are ordered based on the security strengths, with ciphers on top more secure than the ones below. Both DPI-SSL and HTTPS MGMT implementations use the relative ordering of their supported ciphers based on Network > Firewall > Cipher Control; that is, for the DPI-SSL supported ciphers, DPI-SSL orders them based on the ciphers listed in Network > Firewall > Cipher Control. The same is true for HTTPS MGMT ciphers.