en-US
search-icon

Knowledge Base

How to Configure Client DPI-SSL

Description

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

The following security services and features are capable of utilizing DPI-SSL:
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention
Content Filtering
Application Firewall
Packet Capture
Packet Mirror

Don't want to read? Watch instead!

Resolution

Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.


A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate . This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this has to be added manually.

  • Login to the SonicWall Management GUI
  • Navigate to Manage | Deep Packet Inspection | SSL Client Deployment
  • On the Client SSL page, check Enable SSL Client Inspection.

Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.

Image


To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

In the Manage | Deep Packet Inspection | SSL Client DeploymentCertificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.

Image

 

Note : It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate .

As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve internet security

 

  • Internet Explorer: Go to Tools | Internet Options, click the Content tab and click Certificates.
    Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import
    Wizard will guide you through importing the certificate.
Image Image
Image Image
  • Firefox: Go to Tools | Options, click the Advanced tab and then the Encryption tab. Click View
    Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the
    Trust this CA to identify websites check box is selected, and click OK.

     
    Image Image
    Image Image
  • Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

How to Test:

Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advancd tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website. Open the capture file. You will be able to see both HTTPS and HTTP traffic as below:

 

Image

The screen shot below is an example of ESMTP (465) traffic being decrypted:

Image


 See Also: