DPI-SSL : DPI-SSL > Client SSL
DPI-SSL > Client SSL
Topics:
Configuring Client DPI-SSL
Configuring Client DPI-SSL
* 
NOTE: For information about DPI SSL, see DPI-SSL Overview .
The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. In the Client DPI-SSL scenario, the firewall typically does not own the certificates and private keys for the content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the firewall certificate authority (CA) certificate, or a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.
Topics:
Configuring General Client DPI-SSL Settings
Selecting the Re-Signing Certificate Authority
Configuring Exclusions and Inclusions
Client DPI-SSL Examples
Configuring General Client DPI-SSL Settings
To enable Client DPI-SSL inspection, perform the following steps:
1
Navigate to the General Settings section of the DPI-SSL > Client SSL page.
2
Select the Enable SSL Client Inspection checkbox. By default, this checkbox is not enabled.
3
Select which of the following services with which to perform inspection:
Intrusion Prevention
Gateway Anti-Virus
Gateway Anti-Spyware
Application Firewall
Content Filter.
4
Click Accept.
Selecting the Re-Signing Certificate Authority
The re-signing certificate replaces the original certificate signing authority only if that authority certificate is trusted by the firewall. If the authority is not trusted, then the certificate will be made self-signed. To avoid certificate errors, choose a certificate that is trusted by devices protected by DPI-SSL.
Selecting a re-signing certificate
1
Navigate to the DPI-SSL > Client SSL page.
2
In the Certificate re-signing Authority section, select the certificate to use from the Certificate drop-down menu. By default, DPI-SSL uses the Default SonicWALL DPI-SSL CA certificate to re-sign traffic that has been inspected.
* 
NOTE: If the certificate you want is not listed, you can import it from the System > Certificates page. See Importing Certificates . For PKCS-12-formatted certificates, see Creating PKCS-12 Formatted Certificate File .
3
To download the selected certificate to the firewall, click the (download) link. The Opening filename dialog appears.
a
Ensure the Save File checkbox is selected.
b
Click OK.
The file is downloaded.
4
Click Accept.
Adding Trust to the Browser
For a re-signing certificate authority to successfully re-sign certificates, browsers have to trust the certificate authority. Such trust can be established by having the re-signing certificate imported into the browser's trusted CA list. Follow your browser’s instructions for importing re-signing certificates.
Configuring Exclusions and Inclusions
By default, when DPI-SSL is enabled, it applies to all traffic on the appliance. You can customize to which traffic DPI-SSL inspection applies:
Exclusion/Inclusion lists exclude/include specified objects and groups
Common Name Exclusions excludes specified host names
In deployments that process a large amount of traffic, to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections, it can be useful to exclude trusted sources.
To customize DPI-SSL client inspection:
1
Navigate to the Inclusion/Exclusion section of the DPI-SSL > Client SSL page.
2
From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
* 
TIP: The Include drop-down menu can be used to fine tune the specified exclusion list. For example, by selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu.
3
From the Service Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
4
From the User Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.
5
Use the Common Name Exclusions section to add domain names to the exclusion list
a
Enter a host name in the Suffix field.
b
Click the Add button.
6
Click Accept at the top of the page to confirm the configuration.
Client DPI-SSL Examples
Topics:
Content Filtering
App Rules
Content Filtering
To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL:
1
Navigate to General Settings section of the DPI-SSL > Client SSL page.
2
Select the Enable SSL Inspection checkbox.
3
Select the Content Filter checkbox.
4
Click Apply.
5
Navigate to the Content Filter Type section of the Security Services > Content Filter page.
6
Ensure Content Filter Service is selected from the drop-down menu.
7
Click the Configure button. The Filter Properties dialog displays.
8
Clear the Enable HTTPS Content Filtering checkbox.
* 
NOTE: HTTPS content filtering is IP and hostname based. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS-filtered pages are siltently blocked.
9
Select the appropriate categories to be blocked. For information about configuring this dialog, see Configuring Content Filtering Service .
10
Click OK.
11
Click Accept.
12
Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.
* 
NOTE: For content filtering over DPI-SSL, the first time HTTPS access is blocked result in a blank page being displayed. If the page is refreshed, the user will see the firewall block page.
App Rules
To filter by application firewall rules, you need to enable them on both the DPI-SSL > Client SSL page and the App Rules >Policies page.
1
Navigate to General Settings section of the DPI-SSL > Client SSL page.
2
Select the Enable SSL Client Inspection checkbox.
3
Select the Application Firewall checkbox.
4
Click Apply.
5
Navigate to App Rules Global Settings section of the Firewall > App Rules page.
6
Select the Enable App Rules.
7
Configure an HTTP Client policy to block Microsoft Internet Explorer browser with block page as an action for the policy. For how to configure an App Rule, see Configuring an App Rules Policy .
8
Click Apply.
9
Access any website using the HTTPS protocol with Internet Explorer to verify it is blocked.
DPI-SSL also supports Application Level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also applies to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.