How to block OpenDoor proxy using App Rules and Client DPI-SSL

Description

OpenDoor is a proxy application for Apple iPad, iPhone and iPad. OpenDoor allows users to bypass firewall restrictions and browse the Internet freely. It is a browser based proxy using HTTPS to establish connections.

This article describes how to block OpenDoor using App Rules (Application Firewall) with Client DPI-SSL enabled.

Resolution for SonicOS 7.X

This release includes significant user interface changes and many new features that are different from the SonicOS 6.5 and earlier firmware. The below resolution is for customers using SonicOS 7.X firmware.


Here's how to block OpenDoor using App Rules:

  1. Login to the Firewall management,then navigate to Object | Match Objects | Match Object
  2. Click on Add New Match Object to open the Add/Edit Match Object window.
  3. Under Object Name, enter a name for this Match Object.
  4. Under Match Object Type, select Custom Object from the drop-down.
  5. Set Match Type to Exact Match (default).
  6. Set Input Representation to Hexadecimal.
  7. Enter the following hexadecimal values under Content and click on Add after each value:    

    6170690b637269747465726369736d03636f6d  (hex for api.crittercism.com)
    6F70656E646F6F72 (hex for opendoor)
    637269747465726369736d2e636f6d (hex for crittercism.com)
    6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)

  8. Click OK to save.
    Image
    Image
  9. Navigate to the Policy | Rules and Policy | App rules  page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
    Image
  10. On the App control page enable check box Enable App Rules.

Enabling Client DPI-SSL

Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy

  1. Navigate to the Policy | DPI-SSL | Client SSL page.
  2. Enable check box Enable SSL Client Inspection.
  3. Enable check box Intrusion Prevention.
  4. Click on Accept at the top to save the changes.
    Image

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.


Here's how to block OpenDoor using App Rules:

  1. Login to Firewall management, then navigate to Manage | Object | Match Objects.
  2. Click on Add New Match Object to open the Add/Edit Match Object window.
  3. Under Object Name, enter a name for this Match Object.
  4. Under Match Object Type, select Custom Object from the drop-down.
  5. Set Match Type to Exact Match (default).
  6. Set Input Representation to Hexadecimal.
  7. Enter the following hexadecimal values under Content and click on Add after each value:6170690b637269747465726369736d03636f6d  (hex for api.crittercism.com)
    6F70656E646F6F72 (hex for opendoor)
    637269747465726369736d2e636f6d (hex for crittercism.com)
    6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)
  8. Click OK to save.

                                                                Image

        9.Navigate to the Manage| Rules | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.


                                              Image

        10.On the App Rules page enable check box Enable App Rules.

Enabling Client DPI-SSL

Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy

  1. Navigate to the DPI-SSL | Client SSL page.
  2. Enable check box Enable SSL Client Inspection.
  3. Enable check box Intrusion Prevention.
  4. Click on Accept at the top to save the changes.

                                                Image


Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

Here's how to block OpenDoor using App Rules:

  1. Go to Firewall | Match Objects.
  2. Click on Add New Match Object to open the Add/Edit Match Object window.
  3. Under Object Name, enter a name for this Match Object.
  4. Under Match Object Type, select Custom Object from the drop-down.
  5. Set Match Type to Exact Match (default).
  6. Set Input Representation to Hexadecimal.
  7. Enter the following hexadecimal values under Content and click on Add after each value:
    • 6170690b637269747465726369736d03636f6d  (hex for api.crittercism.com)
    • 6F70656E646F6F72 (hex for opendoor)
    • 637269747465726369736d2e636f6d (hex for crittercism.com)
    • 6f70656e646f6f726170702e636f6d ((hex for opendoorapp.com)
  8. Click OK to save.

    Image

  9. Navigate to the Firewall | App Rules page and create the following App Rule referencing the above Match Object. Make sure Connection Side and Direction are set to Both.
    Image

  10. On the App Rules page enable check box Enable App Rules.

Enabling Client DPI-SSL

Note: Before enabling Client DPI-SSL, administrators must be aware that Client DPI-SSL will proxy all outgoing SSL connections. To this end, SonicWall will re-sign the SSL certificates passing to hosts. This in turn will trigger certificate errors in the browsers. To avoid these errors, import the SonicWall DPI-SSL CA certificate as a trusted Root CA into the browser's (or the computer's) certificate store. For more information, see: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy

  1. Navigate to the DPI-SSL | Client SSL page.
  2. Enable check box Enable SSL Client Inspection.
  3. Enable check box Intrusion Prevention.
  4. Click on Accept at the top to save the changes.

Image

Testing
Test by accessing a website in the OpenDoor browser.


Related Articles

  • SonicOS 8.1.0 FAQ
    Read More
  • SonicWall GEN8 TZs and GEN8 NSas Settings Migration
    Read More
  • Getting started with SonicWall firewalls
    Read More

Categories

Firewalls
SonicWall NSA Series
Firewalls
SonicWall SuperMassive 9000 Series
Firewalls
SonicWall SuperMassive E10000 Series
Firewalls
TZ Series
not finding your answers?
Ask the Community