SonicOS 6.2 Admin Guide

DPI-SSL

About DPI-SSL

* NOTE: DPI-SSL is a separate, licensed feature that provides inspection of encrypted HTTPS traffic and other SSL-based IPv4 and IPv6 traffic.

Functionality


Supported Features

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall’s Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted (intercepted) transparently, scanned for threats, and then re-encrypted and, if no threats or vulnerabilities are found, sent along to its destination.

DPI-SSL provides additional security, application control, and data-leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic. DPI-SSL supports:

Transport Layer Security (TLS) Handshake Protocol 1.2 and earlier versions – Starting with SonicOS 6.2.5.1, the TLS 1.2 communication protocol is supported during SSL inspection/decryption between the firewall and the server in DPI-SSL deployments (previously, TLS 1.2 was only supported between client and firewall). SonicOS also supports TLS 1.2 in other areas as well.
SHA-256 – Starting with SonicOS 6.2.5.1, all re-signed server certificates are signed with the SHA-256 hash algorithm.
Perfect Forward Secrecy (PFS) – Perfect Forward Secrecy-based ciphers and other stronger ciphers are prioritized over weak ciphers in the advertised cipher suite. As a result, the client or server is not expected to negotiate a weak cipher unless the client or server does not support a strong cipher.

DPI-SSL also supports application-level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also apply to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.

Security Services

The following security services and features can use DPI-SSL:

Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention
Content Filtering
Application Firewall

Deployment Scenarios

DPI-SSL has two main deployment scenarios:

Client DPI-SSL: Used to inspect HTTPS traffic when clients on the appliance’s LAN access content located on the WAN. Exclusions to DPI-SSL can be made on a common-name or category basis.
Server DPI-SSL: Used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the appliance’s LAN.

Proxy Deployment

DPI-SSL supports proxy deployment, where all client browsers are configured to redirect to a proxy server, but an appliance sits between the client browsers and the proxy server. All DPI-SSL features are supported in this scenario, including supporting domain exclusions when the domain is part of a virtual hosting server, or in some cloud deployments, wherein the same server IP can be used by multiple domains.

Additionally, typical data center server farms are fronted with a load balancer and/or reverse SSL proxy to offload SSL processing from the servers. When a load balancer fronting the servers performs the decryption, the appliance usually only sees the IP of the load balancer; the load balancer decrypts the content and determines the specific server to assign the connection to. DPI-SSL now has a global policy option to disable the IP-based exclusion cache. Exclusions continue to work even if the IP-based exclusion cache is off.

Customizing DPI-SSL

* IMPORTANT: Add the NetExtender SSL VPN gateway to the DPI SSL IP-address exclusion list. As NetExtender traffic is PPP-encapsulated, having SSL VPN decrypt such traffic does not produce meaningful results.

In general, the policy of DPI-SSL is to secure any and all traffic that flows through the appliance. This may or may not meet your security needs, so DPI-SSL allows you to customize what is processed.

DPI-SSL comes with a list (database) of built-in (default) domains excluded from DPI processing. You can add to this list at any time, remove any entries you’ve added, and/or toggle built-in entries between exclusion from and inclusion in DPI processing. DPI-SSL also allows you to exclude or include domains by common name or category (for example, banking or health care).

Excluded sites, whether by common name or category, however, can become a security risk that can be exploited in the future by exploit kits that circumvent the appliance and are downloaded to client machines or by a man-in-the-middle hijacker presenting a fake server site/certificate to an unsuspecting client. To prevent such risks, DPI-SSL allows excluded sites to be authenticated before exclusion.

As the percentage of HTTPS connections in your network increases and new HTTPS sites appear, it is improbable for even the latest SonicOS version to contain a complete list of built-in/default exclusions. Some HTTPS connections fail when DPI-SSL interception occurs, due to the implementation of a new client app or of the server, and these sites may need to be excluded on the appliance to provide a seamless user experience. SonicOS keeps a log of these failed connections that you can troubleshoot and use to add any trusted entries to the exclusion list.

In addition to excluding/including sites, DPI-SSL provides both a global authentication policy and a granular exception policy to the global one. For example, with a global policy to authenticate connections, some connections that are in essence safe may be blocked, such as those involving new trusted CA certificates or a self-signed server certificate of a private (or local-to-enterprise deployment) secure cloud solution. The granular option allows you to exclude individual domains from the global authentication policy.

You can configure exclusions for a domain that is part of a list of domains supported by the same server (certificate). That is, some server certificates contain multiple domain names, but you want to exclude just one of these domains without having to exclude all of the domains served by a single server certificate. For example, you can exclude youtube.com without having to exclude any other domain, such as google.com, even though *.google.com is the common name of the server certificate that has youtube.com listed as an alternate domain under Subject Alternate-Name extension.

Connections per Appliance Model

The Maximum concurrent connections per platform supported by Client DPI-SSL table shows each platform and the maximum number of concurrent connections on which the appliance can perform Client DPI-SSL inspection.

Maximum concurrent connections per platform supported by Client DPI-SSL

Hardware Model   Max Concurrent DPI-SSL Connections
SM 9800          48,000
SM 9600          12,000
SM 9400          10,000
SM 9200           8,000
NSA 6600          6,000
NSA 5600          4,000
NSA 4600          3,000
NSA 3600          2,000
NSA 2600          1,000
SOHO W              100
TZ600               750
TZ500               750
TZ500W              750
TZ400               500
TZ400W              500
TZ300               500
TZ300W              500

* NOTE: For SuperMassive 9200, 6400, and 9600 and NSA Series firewalls with more than 250,000 DPI settings and dynamic connection sizing configured, the firewall can increase the DPI-SSL connection count dynamically. For more information, see Dynamic Connection Sizing.


Configuring Client DPI-SSL Settings

DPI-SSL > Client SSL


Viewing DPI-SSL Status

The DPI-SSL Status section displays the current DPI-SSL connections, peak connections, and maximum connections.

Configuring Client DPI-SSL

The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. In this scenario, the firewall typically does not own the certificates and private keys for the content it is inspecting. After performing DPI-SSL inspection, the appliance re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the firewall certificate authority (CA) certificate, but a different certificate can be specified. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.


Configuring General Settings

To enable Client DPI-SSL inspection:

1. Go to the General tab of the DPI-SSL > Client SSL page.

2. Select the Enable SSL Client Inspection checkbox. By default, this checkbox is not enabled.

3. Select one or more of the following services with which to perform inspection; none are selected by default:
Intrusion Prevention
Gateway Anti-Virus
Gateway Anti-Spyware
Application Firewall
Content Filter

4. To authenticate servers for decrypted/intercepted connections, select the Always authenticate server for decrypted connections checkbox. When enabled, DPI-SSL blocks connections:
To sites with untrusted certificates.
If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.

By default, this checkbox is not enabled.

* IMPORTANT: Only enable this option if you need a high level of security. Blocked connections show up in the connection failures list, as described in Showing Connection Failures.
* TIP: If you enable this option, use the Skip CFS Category-based Exclusion option (see Excluding/Including Common Names) to exclude a particular domain or domains from this global authentication option. This is useful to override any server authentication-related failures of trusted sites.

5. To disable use of the server IP address-based dynamic cache for exclusion, select the Deployments wherein the Firewall sees a single server IP for different server domains, ex: Proxy setup checkbox. By default, this checkbox is not enabled.

This option is useful for proxy deployments, where all client browsers redirect to a proxy server, including when the appliance sits between the client browsers and the proxy server. All DPI-SSL features are supported, including domain exclusions when the domain is part of a virtual hosting server, is part of a server farm fronted with a load balancer, or is in a cloud deployment wherein the same server IP can be used by multiple domains.

In such deployments, all server IPs as seen by the appliance are the proxy server’s IP. It is, therefore, imperative that the IP-based exclusion cache is disabled in proxy deployments. Enabling this option does not affect SonicOS’s capability to perform exclusions.

6. By default, new connections over the DPI-SSL connection limit are bypassed. To allow new connections to bypass decryption instead of being dropped when the connection limit is exceeded, select the Allow SSL without decryption (bypass) when connection limit exceeded checkbox. This option is selected by default.

To ensure new connections over the DPI-SSL connection limit are dropped, deselect this checkbox.

7. To audit new, built-in exclusion domain names before they are added for exclusion, select the Audit new built-in exclusion domain names prior to being added for exclusion checkbox. By default, this checkbox is not enabled.

When this option is enabled, whenever changes to the built-in exclusion list occur (for example, an upgrade to a new firmware image or other system-related actions), a notification pop-up dialog displays over the DPI-SSL > Client SSL page with the changes. You can inspect/audit the new changes and accept or reject any, some, or all of them. At this point, the run-time exclusion list is updated to reflect the new changes.

If this option is disabled, SonicOS accepts all new changes to the built-in exclusion list and adds them automatically.

8. To always authenticate a server before applying a common-name or category exclusion policy, select the Always authenticate server before applying exclusion policy checkbox. When enabled, DPI-SSL blocks excluded connections:
To sites with untrusted certificates.
If the domain name in the Client Hello cannot be validated against the Server Certificate for the connection.

This option authenticates the server connection before applying exclusion policies. Enabling it ensures that the appliance does not blindly apply an exclusion and thereby create a security hole for excluded sites or sites belonging to excluded categories. This is especially relevant when banking sites, as a category, are excluded.

By validating both the server certificate and the domain name in the Client Hello before applying an exclusion policy, SonicOS can reject untrusted sites and potentially block a type of zero-day attack. The SonicOS implementation takes the “trust-but-verify” approach: a domain name that matches the exclusion policy criteria is validated first, which protects an unsuspecting client from phishing or URL-redirect-related attacks.

By default, this checkbox is not enabled.

* IMPORTANT: If you are excluding alternate domains in the Subject-Alternate-Name extension, it is recommended that you enable this option.
* TIP: If you enable this option, use the Skip CFS Category-based Exclusion option (see Excluding/Including Common Names) to exclude a particular domain or domains from this global authentication option. This is useful to override any server authentication-related failures of trusted sites.

9. Click Accept.
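
The exclusion and trust-but-verify behaviour from Customizing DPI-SSL and from steps 4 and 8 above, as an added Python model (an illustration written for this page, not SonicOS code): the verdict for one connection is derived from the common-name list, the CFS category exclusions, the server certificate's Subject Alternative Names and the two global authentication options. Class and field names, the one-label wildcard rule and the category lookup are assumptions.

```python
"""Model of the Client DPI-SSL verdict logic described in this guide.

Added illustration, not SonicOS code. Class and field names, the one-label
wildcard rule and the category lookup are assumptions made for the example.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class ServerCert:
    common_name: str
    sans: tuple = ()             # Subject Alternative Names
    issuer_trusted: bool = True  # issuer chains to a CA the firewall trusts


@dataclass
class CommonNameEntry:
    name: str                       # ".google.com" = domain and all subdomains
    action: str = "exclude"         # "exclude" or "skip_cfs_exclusion"
    skip_server_auth: bool = False  # per-domain "Skip authenticating the server"


@dataclass
class ClientSslSettings:
    auth_decrypted: bool = False       # Always authenticate server for decrypted connections
    auth_before_exclude: bool = False  # Always authenticate server before applying exclusion policy
    exclude_if_no_category: bool = False
    excluded_categories: set = field(default_factory=set)
    common_names: list = field(default_factory=list)


def cert_name_matches(cert_name: str, host: str) -> bool:
    """Does a CN or SAN entry cover host? '*.' matches exactly one label (assumption)."""
    cert_name, host = cert_name.lower(), host.lower()
    if cert_name.startswith("*."):
        return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")
    return cert_name == host


def entry_matches(entry_name: str, host: str) -> bool:
    """Common-name entry: the exact host, or the domain plus its subdomains
    when the entry starts with a dot (the guide's .google.com example)."""
    entry_name, host = entry_name.lower(), host.lower()
    if entry_name.startswith("."):
        return host == entry_name[1:] or host.endswith(entry_name)
    return host == entry_name


def server_authenticates(sni: str, cert: ServerCert) -> bool:
    """Trust-but-verify: the issuer is trusted AND the Client Hello name (SNI)
    validates against the certificate's CN or one of its SANs."""
    names = (cert.common_name, *cert.sans)
    return cert.issuer_trusted and any(cert_name_matches(n, sni) for n in names)


def decide(sni: str, cert: ServerCert, category: Optional[str],
           s: ClientSslSettings) -> str:
    """Return 'INSPECT', 'BYPASS' (excluded) or 'BLOCK' for one connection."""
    entry = next((e for e in s.common_names if entry_matches(e.name, sni)), None)
    skip_auth = entry is not None and entry.skip_server_auth
    # Exclusion is keyed on the SNI, not on the certificate's CN, so youtube.com
    # can be excluded while google.com, served by the same certificate, is inspected.
    excluded = entry is not None and entry.action == "exclude"
    if entry is None and category is None:
        excluded = s.exclude_if_no_category
    elif entry is None:
        excluded = category in s.excluded_categories
    if excluded:
        if s.auth_before_exclude and not skip_auth and not server_authenticates(sni, cert):
            return "BLOCK"  # untrusted issuer or SNI/certificate mismatch on an excluded site
        return "BYPASS"
    if s.auth_decrypted and not skip_auth and not server_authenticates(sni, cert):
        return "BLOCK"
    return "INSPECT"


def demo() -> dict:
    """Constructed scenarios (sample data, not captured from a firewall)."""
    google = ServerCert("*.google.com", sans=("youtube.com", "google.com"))
    forged_bank = ServerCert("bank.example", issuer_trusted=False)  # e.g. a cert a MITM would present
    settings = ClientSslSettings(
        auth_before_exclude=True,
        excluded_categories={"Banking"},
        common_names=[CommonNameEntry("youtube.com"),
                      CommonNameEntry("intranet.example", skip_server_auth=True)],
    )
    return {
        "youtube_same_cert": decide("youtube.com", google, "Streaming", settings),
        "google_same_cert": decide("google.com", google, "Search", settings),
        "forged_bank_cert": decide("bank.example", forged_bank, "Banking", settings),
        "self_signed_intranet": decide(
            "intranet.example", ServerCert("intranet.example", issuer_trusted=False),
            None, settings),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```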

Selecting the Re-Signing Certificate Authority

The re-signing certificate replaces the original certificate signing authority only if that authority certificate is trusted by the firewall. If the authority is not trusted, then the certificate is self-signed. To avoid certificate errors, choose a certificate that is trusted by devices protected by DPI-SSL.

* NOTE: For information about requesting/creating a DPI SSL Certificate Authority (CA) certificate, see the Knowledge Base article, How to request/create DPI-SSL Certificate Authority (CA) certificates for the purpose of DPI-SSL certificate resigning (SW14090).

To select a re-signing certificate:

1. Navigate to the DPI-SSL > Client SSL page.

2. Click the Certificate tab.

3. Select the certificate to use from the Certificate drop-down menu. By default, DPI-SSL uses the Default SonicWall DPI-SSL CA certificate to re-sign traffic that has been inspected.

* NOTE: If the certificate you want is not listed, you can import it from the System > Certificates page. See Importing Certificates. For PKCS-12-formatted certificates, see Creating PKCS-12 Formatted Certificate File.

4. To download the selected certificate to the firewall, click the (download) link. The Opening filename dialog appears.

* TIP: To view available certificates, click on the (Manage Certificates) link to display the System > Certificates page.

a. Ensure the Save File radio button is selected.
b. Click OK.

The file is downloaded.

5. Click Accept.

Adding Trust to the Browser

For a re-signing certificate authority to successfully re-sign certificates, browsers have to trust the certificate authority. Such trust can be established by having the re-signing certificate imported into the browser’s trusted CA list. Follow your browser’s instructions for importing re-signing certificates.

Configuring Exclusions and Inclusions

By default, when DPI-SSL is enabled, it applies to all traffic on the appliance. You can customize to which traffic DPI-SSL inspection applies:

Exclusion/Inclusion lists exclude/include specified objects and groups.
Common Name exclusions exclude specified host names.
CFS Category-based Exclusion/Inclusion excludes or includes specified categories based on CFS categories.

This customization allows individual exclusion/inclusion of alternate names for a domain that is part of a list of domains supported by the same server (certificate). In deployments that process a large amount of traffic, it can be useful to exclude trusted sources to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

* NOTE: If DPI-SSL is enabled on the firewall when using Google Drive, Apple iTunes, or any other application with pinned certificates, the application may fail to connect to the server. To allow the application to connect, exclude the associated domains from DPI-SSL; for example, to allow Google Drive to work, exclude:
.google.com
.googleapis.com
.gstatic.com

As Google uses one certificate for all its applications, excluding these domains allows Google applications to bypass DPI-SSL.

Alternatively, exclude the client machines from DPI-SSL.

Excluding/Including Objects/Groups

To customize DPI-SSL client inspection:

1. Click the Objects tab of the DPI-SSL > Client SSL page.

2. From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.

* TIP: The Include drop-down menu can be used to fine-tune the specified exclusion list; for example, by selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu.

3. From the Service Object/Group Exclude and Include drop-down menus, select a service object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.

4. From the User Object/Group Exclude and Include drop-down menus, select a user object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.

5. Click Accept.

Excluding/Including by Common Name

You can add trusted domain names to the exclusion list. Adding trusted domains to the Built-in exclusion database reduces the CPU effect of DPI-SSL and prevents the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

Excluding/Including Common Names

To exclude/include entities by common name:

1. Click on the Common Name tab.

2. You can control the display of the common names by selecting the following options:
View Style options:
All (default) – Displays all common names.
Built-in – Displays only non-custom common names.
Custom – Displays only common names you’ve added.
Action options:
All (default) – Displays both excluded common names and CFS Category-exclusion overrides.
Exclude – Displays only excluded common names.
Skip CFS Category-based Exclusion – Displays only custom common names that have the override CFS category-based exclusion option selected.

* NOTE: Use the Skip CFS Category-based Exclusion option to exclude a particular domain from the global inclusion options, Always authenticate server for decrypted connections and Always authenticate server before applying exclusion policy.

3. By default, all Built-in common names are approved. You can reject the approval of a Built-in common name by:
a. Clicking on the Reject icon in the Configure column for the common name. A confirmation message displays.
b. Clicking OK.

The Reject icon becomes an Accept icon, and Approved in the Built-in column becomes Rejected.

* NOTE: Built-in common names cannot be modified or deleted, but you can reject or accept them.

To accept a rejected Built-in common name:
a. Click its Accept icon. A confirmation message displays.
b. Click OK.

4. To add a custom common name, click the Add button below the Common Name Exclusions/Inclusions table. The Add Common Names dialog displays.
a. Add one or more common names in the field. Separate multiple entries with commas or newline characters.
b. Specify the type of Action:
Exclude (default)
Override CFS Category-based Exclusion
Skip authenticating the server – Opts out of authenticating the server for this domain if doing so results in the connection being blocked. Enable this option only if the server is a trusted domain.
c. DPI-SSL dynamically determines whether a connection should be intercepted (included) or excluded, based on policy or configuration. When DPI-SSL extracts the domain name for the connection, exclusion information is readily available for subsequent connections to the same server/domain.

To disable use of the dynamic exclusion cache (both server IP and common-name based), select the Always authenticate server before applying exclusion policy checkbox. This option is not selected by default.

d. Click Apply.

The Common Name Exclusions/Inclusions table is updated, with Custom in the Built-in column. If the Always authenticate server before applying exclusion policy option has been selected, an Information icon displays next to Custom in the Built-in column.

Mouse over the Information icon to see which custom attributes were selected. If a common name was added through the Connection Failure List, the Information icon indicates the type of failure:
Skip CFS category exclusion
Skip Server authentication
Failed to authenticate server
Failed Client handshake
Failed Server handshake

To delete the entry, click the Delete icon in the Configure column.

5. You can search for common names by specifying a filter.
a. In the Filter field, enter a name using this syntax: name:mycommonname.
b. Click the Filter button.

6. Click Accept at the top of the page to confirm the configuration.

Deleting Custom Common Names

To delete custom common names:

1. Do one of the following:
Click a custom common name’s Delete icon in the Configure column.
Select the name in the Exclusions list, and then click the Delete button.
Click the Delete All checkbox to delete all custom common names. A confirmation message displays. Click OK.

2. Click Accept.

Showing Connection Failures

SonicOS keeps a list of recent DPI-SSL client-related connection failures. This is a powerful feature that:

Lists DPI-SSL failed connections.
Allows you to audit the failed connections.
Provides a mechanism to automatically exclude some failing domains.

The dialog displays the run-time connection failures. A connection failure can have any of the following reasons:

Failure to handshake with the Client
Failure to handshake with the Server
Failed to validate the domain name in the Client Hello
Failure to authenticate the server (the server certificate issuer is not trusted)

The failure list is only available at run-time. The number logged for each failure type is limited to ensure a single failure type does not overrun the entire buffer.

To use the connection failure list:

1. Click the Show Connection Failures button. The Connection Failure List dialog displays.

Each entry in this list displays the:
Client Address
Server Address
Common Name – The common name of the failed connection’s domain. You can edit this entry inline before adding it to the automatic exclusion list.
Error Message – Provides contextual information associated with the connection that enables you to make appropriate choices about excluding this connection.

2. To add an entry to the exclusion list:
a. Select the entry.
b. Make any edits to the entry.
c. Click the Exclude button.

3. To delete an entry:
a. Select it.
b. Click the Clear button.

4. To delete all entries, click the Clear All button.

5. When you have finished, click the Close button.

Specifying CFS Category-based Exclusions/Inclusions

You can exclude/include entities by content filter categories.

To specify CFS category-based exclusions/inclusions:

1. Click the CFS Category-based Exclusions/Inclusions tab.

The status of the list is shown at the top of the tab.

2. Select whether you want to include or exclude the selected categories by clicking either the Exclude (default) or Include radio button. By default, all categories are unselected.

3. Select the categories to be included/excluded. To select all categories, click the Select all Categories checkbox.

4. Optionally, repeat Step 2 and Step 3 to create the opposite list.

5. Optionally, to exclude a connection if the content filter category information for a domain is not available to DPI-SSL, select the Exclude connection if Content Filter Category is not available checkbox. This option is not selected by default.

In most cases, category information for an HTTPS domain is available locally in the firewall cache. When the category information is not locally available, DPI-SSL obtains it from the cloud without blocking the client or server communication. In rare cases, the category information is not available for DPI-SSL to make a decision. By default, such sites are inspected by DPI-SSL.

6. Click Accept.

Client DPI-SSL Examples

Content Filtering

To perform SonicWall Content Filtering on HTTPS and SSL-based traffic using DPI-SSL:

1. Navigate to the General tab of the DPI-SSL > Client SSL page.

2. Select the Enable SSL Inspection checkbox.

3. Select the Content Filter checkbox.

4. Click Apply.

5. Navigate to the Content Filter Type section of the Security Services > Content Filter page.

6. Ensure Content Filter Service is selected from the drop-down menu.

7. Click the Configure button. The Filter Properties dialog displays.

8. Clear the Enable HTTPS Content Filtering checkbox.

* NOTE: HTTPS content filtering is IP and hostname based. While HTTP content filtering can perform redirects to enforce authentication or provide a block page, HTTPS-filtered pages are silently blocked.

9. Select the appropriate categories to be blocked. For information about configuring this dialog, see Configuring Content Filtering Service.

10. Click OK.

11. Click Accept.

12. Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked.

* NOTE: For content filtering over DPI-SSL, the first time HTTPS access is blocked results in a blank page being displayed. If the page is refreshed, the user sees the firewall block page.

App Rules

To filter by application firewall rules, you need to enable them on both the DPI-SSL > Client SSL page and the App Rules > Policies page.

1. Navigate to the General section of the DPI-SSL > Client SSL page.

2. Select the Enable SSL Client Inspection checkbox.

3. Select the Application Firewall checkbox.

4. Click Apply.

5. Navigate to the App Rules Global Settings section of the Firewall > App Rules page.

6. Select the Enable App Rules checkbox.

7. Configure an HTTP Client policy to block the Microsoft Internet Explorer browser, with a block page as the action for the policy. For how to configure an App Rule, see Configuring an App Rules Policy.

8. Click Apply.

9. Access any website using the HTTPS protocol with Internet Explorer to verify it is blocked.


Configuring Server DPI-SSL Settings

DPI-SSL > Server SSL

* NOTE: For information about DPI SSL, see About DPI-SSL.

The Server DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when remote clients connect over the WAN to access content located on the firewall’s LAN. Server DPI-SSL allows you to configure pairings of an address object and certificate. When the appliance detects SSL connections to the address object, it presents the paired certificate and negotiates SSL with the connecting client.

Afterward, if the pairing defines the server to be cleartext, then a standard TCP connection is made to the server on the original (post NAT remapping) port. If the pairing is not defined to be cleartext, then an SSL connection to the server is negotiated. This allows for end-to-end encryption of the connection.

In this deployment scenario, the owner of the firewall owns the certificates and private keys of the origin content servers. You have to import the server’s original certificate onto the appliance and create the appropriate server IP address-to-server certificate mappings in the Server DPI-SSL UI.

Configuring DPI-SSL Server Settings

Configuring General Server DPI-SSL Settings

To enable Server DPI-SSL inspection, perform the following steps:

1. Navigate to the General Settings section of the DPI-SSL > Server SSL page.

2. Select the Enable SSL Inspection checkbox.

3. Select the services with which to perform inspection:
Intrusion Prevention
Gateway Anti-Virus
Gateway Anti-Spyware
Application Firewall

4. Click Accept.

5. Scroll down to the SSL Servers section to configure the server or servers to which DPI-SSL inspection is applied. See Configuring Server-to-Certificate Pairings.

Configuring Exclusions and Inclusions

By default, DPI-SSL applies to all traffic on the appliance when it is enabled. You can configure inclusion/exclusion lists to customize to which traffic DPI-SSL inspection applies. The Inclusion/Exclusion lists provide the ability to specify certain objects or groups. In deployments that process a large amount of traffic, it can be useful to exclude trusted sources to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections.

To customize DPI-SSL server inspection:

1. Navigate to the Inclusion/Exclusion section of the DPI-SSL > Server SSL page.

2. From the Address Object/Group Exclude and Include drop-down menus, select an address object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.

* TIP: The Include drop-down menu can be used to fine-tune the specified exclusion list; for example, by selecting the Remote-office-California address object in the Exclude drop-down menu and the Remote-office-Oakland address object in the Include drop-down menu.

3. From the User Object/Group Exclude and Include drop-down menus, select a user object or group to exclude or include from DPI-SSL inspection. By default, Exclude is set to None and Include is set to All.

4. Click Accept.

Configuring Server-to-Certificate Pairings

Server DPI-SSL inspection requires that you specify which certificate is used to sign traffic for each server that has DPI-SSL inspection performed on its traffic.

To configure a server-to-certificate pairing:

1. Navigate to the SSL Servers section of the DPI-SSL > Server SSL page.

2. Click the Add button. The Server DPI-SSL - SSL Server Setting dialog displays.

3. In the Address Object/Group drop-down menu, select the address object or group for the server or servers to which you want to apply DPI-SSL inspection.

4. In the SSL Certificate drop-down menu, select the certificate to be used to sign the traffic for the server. For more information on:
Importing a new certificate to the appliance, see Selecting the Re-Signing Certificate Authority.
Creating a Linux certificate, see Creating PKCS-12 Formatted Certificate File.

5. Select the Cleartext checkbox to enable SSL offloading. When adding server-to-certificate pairs, a cleartext option is available. This option provides a method of sending unencrypted data onto a server. By default, this option is not selected.

* IMPORTANT: For such a configuration to work properly, a NAT policy needs to be created for this server on the Network > NAT Policies page to map traffic destined for the offload server from an SSL port to a non-SSL port. Traffic must be sent over a port other than 443. For example, for HTTPS traffic used with SSL offloading, an inbound NAT policy remapping traffic from port 443 to port 80 needs to be created.

6. Click Add.