Policy Configuration : DPI-SSL Overview

Configuring the Inclusion/Exclusion List
By default, DPI-SSL applies to all traffic passing through the appliance once it is enabled. You can configure an Inclusion/Exclusion list to customize which traffic DPI-SSL inspection applies to. The Inclusion/Exclusion list lets you specify particular address, service, or user objects and groups, or server hostnames. In deployments that process a large amount of traffic, excluding trusted sources reduces the CPU cost of DPI-SSL and helps keep the appliance below its maximum number of concurrently inspected DPI-SSL connections. Keep in mind that excluded connections are passed through still encrypted, so the other security services that rely on DPI-SSL (for example gateway anti-virus or intrusion prevention on HTTPS content) cannot examine them.
The Inclusion/Exclusion section of the Client SSL page contains three lines for building the exclusion list:
On the Address Object/Group line, select an address object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.
On the Service Object/Group line, select a service object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.
On the User Object/Group line, select a user object or group from the Exclude pull-down menu to exempt it from DPI-SSL inspection.
The Common Name Exclusions section is used to add domain names to the exclusion list; a connection is exempted when the name matches the Common Name presented in the server's certificate. To add a domain name, type it in the text box and click Add.
Click Update to confirm the configuration.
Adding Trust to the Browser
In the previous section we described how to configure a re-signing certificate authority. For the re-signing certificate authority to re-sign server certificates without browser warnings, the browsers on the client machines must trust that certificate authority. Such trust is established by importing the re-signing CA certificate into each browser's trusted CA list. Distribute only the CA certificate to clients, never the CA private key: anyone holding the private key can issue certificates for any site that those clients will accept.
Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard guides you through importing the certificate.
Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure Trust this CA to identify websites is selected, and click OK.
Mac: Double-click the certificate file, select the Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
Creating PKCS-12 Formatted Certificate File
A PKCS-12 formatted certificate file can be created on a Linux system with OpenSSL. To create a PKCS-12 formatted certificate file, you need the two main components of the certificate, both PEM encoded: the private key and the certificate that corresponds to it.
For example, the Apache HTTP server on Linux has its private key and certificate in the following locations:
With these two files available, run the following command:
openssl pkcs12 -export -out out.p12 -inkey server.key -in server.crt
In this example, out.p12 becomes the PKCS-12 formatted certificate file and server.key and server.crt are the PEM formatted private key and certificate file respectively.
After running the previous command, you are prompted for a password that protects/encrypts the file. Once the password is chosen, the PKCS-12 formatted certificate file is complete and can be imported into the SonicWALL firewall appliance. Because out.p12 bundles the CA private key, handle it as a secret: transfer it only over a trusted channel, and delete the copy on the Linux system once the import has succeeded.
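The following script is an added example, not part of the SonicOS guide, that carries the whole procedure through for both sections above: it generates a re-signing CA key pair, packages it as the PKCS-12 file the appliance imports, and then extracts only the CA certificate for the browser trust stores, checking that the file handed to users contains no private key. The file names, the subject name, the PKCS12_PASS environment variable and the working directory are assumptions chosen for this example; the openssl command line must be installed (1.1.1 or later for the -addext option).

```shell
#!/bin/sh
# Added example (not from the SonicOS guide): create a DPI-SSL re-signing CA,
# export it as PKCS-12 for the appliance, and extract the certificate-only
# file for browser import. Assumes the openssl CLI is available.
set -eu

# Working directory, CA subject and password are assumptions for this example.
WORK="${WORK:-$(mktemp -d)}"
CA_SUBJECT="/CN=Example DPI-SSL Re-signing CA"
PKCS12_PASS="${PKCS12_PASS:-change-me}"
export PKCS12_PASS

# 1. Private key plus self-signed CA certificate, both PEM (server.key, server.crt).
#    basicConstraints CA:TRUE is what lets the appliance sign with this cert
#    and what browsers require before they accept it as an issuer.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -sha256 -days 730 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" \
    -subj "$CA_SUBJECT" \
    -addext "basicConstraints=critical,CA:TRUE" \
    -addext "keyUsage=critical,keyCertSign,cRLSign" 2>/dev/null
}

# 2. Same export command as the guide, but the password comes from the
#    PKCS12_PASS environment variable instead of an interactive prompt.
make_p12() {
  openssl pkcs12 -export -out "$WORK/out.p12" \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -passout env:PKCS12_PASS
}

# 3. Pull only the certificate back out of the PKCS-12 bundle (-nokeys) and
#    normalise it to a bare PEM certificate. This is the file to import into
#    the browsers' trusted root stores.
extract_ca_cert() {
  openssl pkcs12 -in "$WORK/out.p12" -passin env:PKCS12_PASS \
    -nokeys -clcerts 2>/dev/null | openssl x509 -out "$WORK/ca-for-browsers.crt"
}

build_all() {
  make_ca
  make_p12
  extract_ca_cert
}

# Checks to run before handing either file over. Each returns 0 on success.

# The appliance bundle must carry the private key, or re-signing will fail.
p12_has_key() {
  openssl pkcs12 -in "$WORK/out.p12" -passin env:PKCS12_PASS \
    -nocerts -nodes 2>/dev/null | grep -q 'PRIVATE KEY'
}

# The certificate really is a CA certificate.
cert_is_ca() {
  openssl x509 -in "$WORK/ca-for-browsers.crt" -noout -text | grep -q 'CA:TRUE'
}

# The file given to users must not leak the CA private key.
browser_file_has_no_key() {
  ! grep -q 'PRIVATE KEY' "$WORK/ca-for-browsers.crt"
}

build_all
p12_has_key && cert_is_ca && browser_file_has_no_key \
  && echo "appliance bundle: $WORK/out.p12" \
  && echo "browser import file: $WORK/ca-for-browsers.crt"
```

OpenSSL 3.x encrypts PKCS-12 output with AES-256 and PBKDF2 by default, which some older import code does not understand; if the appliance rejects the file, re-run the export with the -legacy option (available in OpenSSL 3.x) to fall back to the older encryption scheme. Run the checks again afterwards, since they are independent of the encryption used.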