Configuring Client DPI-SSL

The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. In this scenario, the firewall typically does not own the certificates and private keys for the content it is inspecting. After performing DPI-SSL inspection, the appliance re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the firewall certificate authority (CA) certificate, but a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.

Configuring General Client DPI-SSL Settings

To enable Client DPI-SSL inspection:

Selecting the Re-Signing Certificate Authority

The re-signing certificate replaces the original certificate signing authority only if that authority certificate is trusted by the firewall. If the authority is not trusted, then the certificate is self-signed. To avoid certificate errors, choose a certificate that is trusted by devices protected by DPI-SSL.

NOTE: For information about requesting/creating a DPI SSL Certificate Authority (CA) certificate, see the Knowledge Base article, How to request/create DPI-SSL Certificate Authority (CA) certificates for the purpose of DPI-SSL certificate resigning (SW14090) in the Dell Support Site.

Selecting a Re-Signing Certificate

To select a re-signing certificate

NOTE: If the certificate you want is not listed, you can import it from the System > Certificates page by clicking on the (Manage Certificates) link. See Importing Certificates . For PKCS-12-formatted certificates, see Creating PKCS-12 Formatted Certificate File .

TIP: To view available certificates, click on the (Manage Certificates) link to display the System > Certificates page

The file is downloaded.

Adding Trust to the Browser

For a re-signing certificate authority to successfully re-sign certificates, browsers have to trust the certificate authority. Such trust can be established by having the re-signing certificate imported into the browser's trusted CA list. Follow your browser’s instructions for importing re-signing certificates.

Creating PKCS-12 Formatted Certificate File for Linux

PKCS12 formatted certificate file can be created using Linux system with OpenSSL. To create a PKCS-12 formatted certificate file, you have to have two main components of the certificate:

For example, Apache HTTP server on Linux has its private key and certificate in the following locations:

/etc/httpd/conf/ssl.key/server.key

/etc/httpd/conf/ssl.crt/server.crt

With these two files available, run the following command:

openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt

In this example, out.p12 becomes the PKCS-12-formatted certificate file, and server.key and server.crt are the PEM-formatted private key and certificate file respectively.

After the above command, you are prompted for the password to protect/encrypted the file. After the password is chosen, the creation of the PKCS-12-formatted certificate file is complete, and it can be imported into the appliance.

Configuring Exclusions and Inclusions

By default, when DPI-SSL is enabled, it applies to all traffic on the appliance. You can customize to which traffic DPI-SSL inspection applies:

This customization allows individual exclusion/inclusion of alternate names for a domain that is part of a list of domains supported by the same server (certificate). In deployments that process a large amount of traffic, to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections, it can be useful to exclude trusted sources.

NOTE: If DPI-SSL is enabled on the firewall when using Google Drive, Apple iTunes, or any other application with pinned certificates, the application may fail to connect to the server. To allow the application to connect, exclude the associated domains from DPI-SSL; for example, to allow Google Drive to work, exclude: • .google.com • .googleapis.com • .gstatic.com As Google uses one certificate for all its applications, excluding these domains allows Google applications to bypass DPI-SSL. Alternatively, exclude the client machines from DPI-SSL.

Excluding/Including Objects/Groups

To customize DPI-SSL client inspection:

TIP: The Include drop-down menu can be used to fine tune the specified exclusion list. For example, by selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu.

Excluding/Including by Common Name

You can add trusted domain names to the exclusion list. Adding trusted domains to the Built-in exclusion database reduces the CPU effect of DPI-SSL and prevents the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

Excluding/Including Common Names

To exclude/include entities by common name:

Deleting Custom Common Names

To delete custom common names:

CAUTION: Clicking the Remove All button removes all entries in the Exclusions list. Clicking Accept makes the deletions permanent.

Client DPI-SSL Examples

Content Filtering

To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL:

NOTE: HTTPS content filtering is IP and hostname based. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS-filtered pages are silently blocked.

NOTE: For content filtering over DPI-SSL, the first time HTTPS access is blocked results in a blank page being displayed. If the page is refreshed, the user sees the firewall block page.

App Rules Filtering

To filter by application firewall rules, you need to enable them on both the DPI-SSL > Client SSL page and the App Rules > Policies page.

To filter by application firewall rules: