Various methods to distribute SonicWall DPI SSL certificate

Description

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted (intercepted) transparently, scanned for threats, and then re-encrypted and, if no threats or vulnerabilities are found, sent along to its destination.

After performing DPI-SSL inspection, the appliance re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the firewall certificate authority (CA) certificate, but a different certificate can be specified. Users should be instructed to add the certificate to their browser's trusted list to avoid certificate trust errors.

Resolution

TIP: It is always recommended to create your own DPI SSL Certificate For The Purpose Of DPI-SSL Certificate Resigning. You can refer to How Can I Create A DPI-SSL Certificate For The Purpose Of DPI-SSL Certificate Resigning? for the same.

  1. Manual installation of the certificate
    The certificate can be manually added on the end machine at the following sections.
    a) Windows Certificate Store
    How Can I Import The SonicWall DPI-SSL CA Certificate Into The Windows Certificate Store?
    b) Modern Browsers
    How To Install The DPI-SSL Certificate In Modern Browsers
    c) Mozilla Firefox
    Internet Explorer, Chrome, Opera uses the Windows Certificate store to build trust. Mozilla Firefox uses its own certificate store and the CA certificate must be manually imported into the Firefox certificate store.
    How Can I Manually Import The Client DPI-SSL CA Certificate Into Firefox?

  2. Group Policy
    Distributing The Default SonicWall DPI-SSL CA Certificate To Client Computers Using Group Policy

    This can also be done specifically for browsers
    How Can I Distribute SonicWall DPI-SSL CA Certificate To Web Browsers?

  3. Capture Client Policy 
    How Do I Add A SSL Certificate In The Capture Client?

  4. Specific OS based installations
    a) MAC OS
    How To Import The DPI-SSL Client Certificate Under MacOS
    b) Ubuntu OS
    How To Add DPI-SSL CA Certificate On Ubuntu OS?

For more details on DPI SSL, please check Where Can I Learn More About DPI-SSL?

Related Articles

  • How to block ICMP (Ping ) using Application control
    Read More
  • SonicWall GEN8 TZ and NSa Firewalls FAQ
    Read More
  • How to configure Link Aggregation
    Read More

Categories

Firewalls
NSa Series
Client/Server DPI-SSL
Firewalls
SonicWall SuperMassive 9000 Series
DPI-SSL
Firewalls
SonicWall SuperMassive E10000 Series
DPI-SSL
Firewalls
TZ Series
DPI-SSL
not finding your answers?
Ask the Community