Client DPI-SSL Frequently Asked Questions (FAQ)
12/20/2019
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
- What are the SSL applications/ports proxied by Client DPI-SSL?
The following applications are proxied by Client DPI-SSL.
- Will connections to custom SSL ports be proxied by Client DPI-SSL?
Yes. DPI-SSL examines SSL traffic regardless of the port number.
- What versions of SSL/TLS protocol does Client DPI-SSL use when proxying SSL connections?
SSLv23, SSLv3, TLS 1.0, TLS 1.1, TLS 1.2
- What is the default SSL protocol version of the proxied connections negotiated by Client DPI-SSL?
By default, it is TLS 1.2. This can be changed in the diag page. If SSLv3 is selected, connections to sites that support only TLS 1.0 and above will fail.
- What is SSLv23?
SSLv23 is a method by which the SonicWall will negotiate with either SSLv3 or TLSv1 depending on what the server supports.
- Is it possible to use a certificate other than the default DPI-SSL CA certificate?
Yes. An internal CA certificate, together with its private key, must be imported into the SonicWall before it can be used in Client DPI-SSL for re-signing. Although the drop-down menu under Certificate re-signing Authority on the Client DPI-SSL page allows users to select any end-entity certificate imported into the SonicWall, an internal CA certificate is required to re-sign successfully.
- Can I import a web server certificate obtained from a Public (or Private) CA for the purpose of DPI-SSL Client Inspection?
No, see above.
- I have enabled Client DPI-SSL and now all my hosts in the network get browser errors when going to an HTTPS website.
When an SSL connection is attempted, Client DPI-SSL intercepts the traffic and presents a re-signed certificate to the browser. The issuer of the certificate would be the Default SonicWall DPI-SSL CA Certificate. This certificate must be trusted by the browser or other applications attempting SSL connections. To stop the browser warnings, import the Client DPI-SSL certificate into the browser's Certificate Store as a Trusted CA.
- My SSL connections are being proxied by DPI-SSL. I am using the default Firewall DPI-SSL certificate. However, the connections to certain sites show a self-signed certificate. The Issued By and Issued To fields in the certificate show the FQDN of the site.
When a host behind the SonicWall tries to access an HTTPS website, SonicWall performs separate SSL handshakes with the website and with the host. During the SSL handshake between the SonicWall and the website, the website presents its certificate. If the CA that issued that certificate is not in the SonicWall's certificate store, SonicWall re-signs the certificate as a self-signed certificate. Browsers do not trust this self-signed certificate, hence the certificate error. To avoid this error, manually import the missing (Root and/or Intermediate) CA certificates of the website into the SonicWall's certificate store.
- With DPI-SSL Client Inspection enabled, when browsing to certain sites, the page loads successfully but IE shows a yellow band with the error message "Internet Explorer has blocked this website from security certificate errors."
The webpage has a background script connecting over HTTPS to another site and that site's CA certificates are not in the SonicWall certificate store. Import the CA certificates into the SonicWall certificate store.
- Can DPI-SSL block sites with untrusted certificates?
Yes. Enable the option Block connections to sites with untrusted certificates in the diag page. This option is disabled by default.
- Can Client DPI-SSL be excluded from proxying certain SSL traffic?
Yes. Administrators can configure exclusions based on IP addresses, ports, users or by the certificate Common Names (CN).
- Can Client DPI-SSL intercept and proxy SSL traffic beginning with the StartTLS command?
Yes, it can. As long as the Client Hello packet is sent within the first 512 bytes (by default), it will be proxied. This limit can be changed in the diag page under the DPI-SSL section. The maximum value is 8191.
- How do I know whether Client DPI-SSL is intercepting and proxying SSL traffic?
On a host behind the SonicWall, click on the "lock" icon in the browser address bar and view the certificate information. If Client DPI-SSL has proxied the connection, the Issued By field of the certificate will show the default or custom DPI-SSL CA certificate.
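The same check, scripted for a host behind the firewall, as an added example that is not part of this article or of any SonicWall tool. It classifies the certificate a server presents by its issuer, and can fetch a live certificate while trusting only the DPI-SSL CA file exported from the firewall (filename dpi-ssl.crt and the CA's CN are assumptions).

```python
import socket
import ssl

# Subject CN of the default SonicWall DPI-SSL CA; taken from the certutil
# nickname used later on this page and treated as an assumption here (set it
# to your CA's CN if you re-sign with a custom internal CA).
DPI_SSL_CA_CN = "SonicWall Firewall DPI-SSL"


def name_cn(cert, field):
    """commonName from the 'subject' or 'issuer' entry of an ssl.getpeercert()
    dict, which is a tuple of RDNs, each RDN a tuple of (attr, value)."""
    for rdn in cert.get(field, ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(cert, ca_cn=DPI_SSL_CA_CN):
    """'proxied': the firewall re-signed the cert with the DPI-SSL CA.
    'self-signed': Issued By == Issued To, the case above where the firewall
    lacks the site's root/intermediate CA. 'direct': any other issuer."""
    issuer, subject = name_cn(cert, "issuer"), name_cn(cert, "subject")
    if issuer == ca_cn:
        return "proxied"
    if issuer is not None and issuer == subject:
        return "self-signed"
    return "direct"


def fetch_peer_cert(host, cafile, port=443):
    """Handshake with `host` trusting ONLY the DPI-SSL CA in `cafile` (no
    system roots are loaded). Success means the chain ends at that CA, i.e.
    the connection is proxied; a verification failure returns None."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return None


# Constructed sample in getpeercert() format: a site certificate re-signed by
# the firewall, as a proxied host would see it.
SAMPLE_PROXIED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", DPI_SSL_CA_CN),)),
}
```

Run fetch_peer_cert("www.example.com", "dpi-ssl.crt") from a proxied host and pass the result to classify() to confirm interception end to end.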
- How do I see packets decrypted by DPI-SSL Client Inspection?
Decrypted packets can be captured in the Packet Monitor module of the SonicWall. Before starting the capture, enable the check box Monitor intermediate SSL decrypted traffic in the Advanced tab of Packet Monitor. The captured packets can be exported as Libpcap, HTML or text.
- How do I warn users that DPI-SSL is being implemented on their SSL traffic?
SonicWall does not recommend any particular method though CFS Consent Page can be deployed for this purpose.
- Can Client DPI-SSL proxy SSL traffic from GVC clients when the UTM appliance is configured in Route-All (Tunnel All) VPN mode?
SSL traffic of GVC and L2TP clients, when configured in Route-all (Tunnel All) mode, will be proxied by DPI-SSL.
- How do I distribute the Client DPI-SSL CA certificate to different web browsers?
On MS Windows, the Internet Explorer, Chrome and Opera browsers share the system certificate store. When a CA certificate is imported as a Trusted Root CA into the Local Machine store or the Local User store, any certificate signed by that CA is trusted by these browsers. This can also be done using the Microsoft Certutil command-line utility with the following command:
certutil -addstore -f -enterprise -user root dpi-ssl.crt > NUL
The process can be automated via Group Policy and other such means. Refer to this article for a detailed description of the process using Group Policy: UTM: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy. For Firefox, which keeps its own certificate store, this can be done using the NSS Certutil utility with the following command:
certutil -A -n "CN=SonicWall Firewall DPI-SSL" -t C -d C:\Users\<username>\AppData\Roaming\Mozilla\Firefox\Profiles\hbbc3850.default -i dpi-ssl.crt
NOTE: The utilities cited here are third-party applications and are referred to here only as one of possibly many solutions for automatic deployment of CA certificates. SonicWall is not responsible for the functioning, or non-functioning for that matter, of these utilities.
- How do I distribute Client DPI-SSL certificate to non-browser apps?
Where the apps use the Local Machine certificate store for the Root CAs, importing it into the Local Machine store would suffice. Where the app has its own certificate store, the CA certificate must be imported manually into the store.
- What is the maximum number of DPI-SSL connections for SonicWall Firewall?
Please click on the link below for the maximum number of DPI-SSL connections supported by different SonicWall appliances: Maximum DPI-SSL Connections for SonicWall Firewalls.
- What happens when the device exceeds the maximum number of SSL connections?
The default behavior is to allow traffic without DPI-SSL inspection. This can be changed in the diag page of the SonicWall by disabling the option Allow SSL without proxy when connection limit exceeded. With this option disabled, SSL connections will be dropped when the number of SSL connections exceeds the maximum number.
- Why is the first connection attempt to a website that is added in Common Name (CN) Exclusion of Client DPI-SSL dropped?
When a client attempts a connection to a CN-excluded website for the first time, SonicWall performs the server-side SSL handshake, discovers from the Certificate message that the site is on the CN exclusion list, drops the connection (because that handshake was performed with SonicWall, not the client, as the SSL client) and caches the server IP address mapped to the certificate's Common Name. On the second attempt, whether by automatic or manual refresh, SonicWall knows from the very first packet (TCP SYN) that the connection must be exempted from DPI-SSL Client Inspection. This saves appliance resources, as the server-side SSL handshake does not have to be repeated.
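The decision flow described above, together with the IP/port/user exclusions and the connection-limit behaviour from the earlier answers, as an added model written for this page; it is an illustration of the FAQ's description, not SonicWall's implementation, and the connection limit and option names are assumptions.

```python
# Assumed model of the Client DPI-SSL exclusion and connection-limit handling
# this FAQ describes; an illustration, not SonicWall's code.
class DpiSslPolicyModel:
    def __init__(self, ip_excl=(), port_excl=(), user_excl=(), cn_excl=(),
                 max_conn=2, allow_without_proxy=True):
        self.ip_excl, self.port_excl = set(ip_excl), set(port_excl)
        self.user_excl, self.cn_excl = set(user_excl), set(cn_excl)
        self.max_conn = max_conn                        # platform DPI-SSL limit
        self.allow_without_proxy = allow_without_proxy  # diag-page option
        self.cn_ip_cache = {}   # server IP -> excluded CN learned from handshake
        self.active = 0         # proxied SSL connections currently open

    def on_syn(self, dst_ip, dst_port, user):
        """Verdict available from the first packet (TCP SYN)."""
        if (dst_ip in self.ip_excl or dst_port in self.port_excl
                or user in self.user_excl or dst_ip in self.cn_ip_cache):
            return "bypass"
        if self.active >= self.max_conn:
            return "bypass" if self.allow_without_proxy else "drop"
        return "inspect"

    def on_server_cert(self, dst_ip, cert_cn):
        """Verdict once the firewall's own server-side handshake has produced
        the site's Certificate message."""
        if cert_cn in self.cn_excl:
            # The handshake was done with the firewall as the SSL client, so it
            # cannot be handed to the real client: drop it and remember the IP.
            self.cn_ip_cache[dst_ip] = cert_cn
            return "drop"
        self.active += 1
        return "proxy"

    def connect(self, dst_ip, dst_port, user, cert_cn):
        """One client connection attempt end to end."""
        verdict = self.on_syn(dst_ip, dst_port, user)
        return verdict if verdict != "inspect" else self.on_server_cert(dst_ip, cert_cn)

    def close(self):
        """A proxied connection ended; free its slot."""
        self.active = max(0, self.active - 1)


def excluded_site_sequence(model, dst_ip, cert_cn):
    """Two attempts to a CN-excluded site: first dropped, second bypassed."""
    return [model.connect(dst_ip, 443, "alice", cert_cn) for _ in range(2)]
```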
- Which certificate should I select for download, 1024-bit or 2048-bit?
It is recommended to use the 2048-bit DPI-SSL certificate instead of the 1024-bit certificate. As computing power increases, any certificate with a key shorter than 2048 bits is at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve Internet security.