Frequently asked questions about DPI-SSL Enhancements in SonicOS 6.2.5 firmware
1. What are the new Client DPI-SSL Enhancements?
Inclusion/exclusion using Content Filtering Service (CFS) based categories
Common Name Exclusions/Inclusions
Connection Failure List
Always authenticate server for decrypted connections
Always authenticate server before applying exclusion policy
Disable IP based exclusion cache in proxy deployments
TLS 1.1 and TLS 1.2 support
2. How does DPI-SSL obtain CFS Category Rating for a website?
As in Content Filtering Service, the category / rating information related to a domain is obtained by querying an external Rating/Category Server.
3. How is the domain name obtained?
The domain name for which the rating is queried is obtained from the (1) Client Hello SNI or (2) Certificate Common Name in the Certificate (3) Subject Alternate Name in the Certificate during the SSL handshake between the SonicWall and the server.
4. Should Content Filter be licensed for Category Rating?
5. Should CFS be enabled under Zones?
For DPI-SSL alone, it's not required.
6. Can individual websites be skipped from CFS Category based Exclusion / Inclusion?
Yes. This can be done by adding websites under the Common Name tab and selecting the action Skip CFS Category-based Exclusion
7. In the DPI-SSL section on the diag page, the option to select either TLS 1.1 or TLS 1.2 is not listed?
The option ALL implies TLS 1.2, TLS 1.1, TLS 1.0 and SSL 3.0
8. When a website whose category is excluded from DPI-SSL is loaded the first time, it shows the certificate is re-signed by Client DPI-SSL?
This is because DPI-SSL by default intercepts all SSL connections. Refreshing the page will show the original certificate.
9. With this enhancement, can Dropbox traffic be inspected?
No. Dropbox like many other applications does not allow Man-in-the-Middle SSL proxies. Dropbox must be excluded from inspection under custom Common Name exclusions.
10. Is it possible to inspect Google Drive traffic?
No. As with Dropbox, Google Drive must be excluded from DPI-SSL.