
DPI-SSL Troubleshooting

10/14/2021 824 People found this article helpful 116,762 Views


    Description

    The following article provides in-depth troubleshooting for common DPI-SSL certificate related issues.

    Resolution

    Resolution for SonicOS 6.5

    This release includes significant user interface changes and many new features that differ from SonicOS 6.2 and earlier firmware. The resolution below is for customers using SonicOS 6.5 firmware.

    When accessing a website you get an error stating your connection is not secure.

    This is caused by not having the DPI-SSL resigning Certificate installed as a Trusted Root Certification Authority on this device.

    You need to download the SonicWall DPI SSL certificate from the appliance interface in Manage | Deep Packet Inspection | SSL Client Deployment | Certificates.

    Internet Explorer/Chrome: Open Internet Explorer. Go to Tools | Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.

    Firefox: Go to Tools | Options, click the Advanced tab and then the Certificates tab. Select the Authorities tab, and click Import.

    Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.

    When accessing a website you get the error Secure Connection Failed (SEC_ERROR_INADEQUATE_KEY_USAGE).

    This is caused by the certificate used for re-signing not having been granted certificate-signing authority by your CA.

    This process can be automated in a Windows Domain Environment using Group Policy. You can see the following article: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy

    Certificate Errors in Browsers - Self-signed certificate

    When Client DPI-SSL is enabled, accessing a few websites may cause the browser to display a certificate error. The specific error message could vary with different browsers. In Firefox it would show invalid security certificate and in Chrome the error message is Invalid Certificate Authority. In the certificate details, we would see the certificate is self-signed.

    This error occurs rarely, with some websites. It occurs when the server sends a certificate signed by a CA that is not in the SonicWall's certificate store, forcing the SonicWall to re-sign the certificate as a self-signed certificate.

    To resolve this issue, export the Root CA certificate of the website (either from a PC not intercepted by DPI-SSL or by disabling DPI-SSL temporarily) and import it into the SonicWall certificate store.

    This is done from Manage | Appliance | Certificates.


    By default, when a server presents a certificate which cannot be verified by Client DPI-SSL because the Root CA is not present in its certificate store, it re-writes the certificate as a self-signed certificate. This default behavior of the SonicWall can be changed.

    Go to the diag page of the SonicWall by entering http://<deviceip>/diag.html. Under the DPI-SSL section, enable the option Block connections to sites with untrusted certificates. Click on Accept to save the change.

    CAUTION: This is not recommended.

    Client DPI-SSL and non-browser applications

    There are certain applications which do not work when Client DPI-SSL is enabled though the SonicWall Client DPI-SSL CA certificate is imported into the certificate store. This is because such applications and/or websites do certificate pinning or SSL pinning. Certificate pinning is an extra check to make sure that the server the client is connecting to is really who they say they are, and not an impostor.

    These applications include:

    • Windows Update
    • DropBox Client App
    • Apple App Store
    • Logmein Client
    • Google Drive Client App

    To allow these applications to work, you need to whitelist their certificates from DPI-SSL. When you add a certificate to this whitelist, any address that uses that certificate is excluded from being scanned by any of the DPI-SSL engines. We maintain a built-in certificate whitelist to prevent connection issues with common websites.

    To view this list, go to Manage | Deep Packet Inspection | SSL Client Deployment | Common Name.


    You can add exceptions in two ways.

    The first way applies if you know the common name of the certificate you want to exclude. Click Add and enter the common names of the certificates you want to exclude.

    The second way is to click Show Connection Failures.

    This screen presents a list of websites that have had SSL connection failures while DPI-SSL is enabled. You can check the box next to any of these and click Exclude to add them to the common name exclusion list.

    Connection Limits

    Websites like Google, Yahoo and others are placing more importance on customer privacy. Most companies are moving towards HTTPS services while others offer a choice of both HTTP and HTTPS. On average, more than 50% of network traffic is SSL/TLS, and that share is increasing. With these changes, the connections per user are on the rise: all web browsers use multiple connections per user per page request, and many websites use encryption by default.

    The following table shows some average TCP connections per user accessing various sites:

    • google.com: 8, Yes
    • facebook.com: 43, Yes
    • youtube.com: 23, Yes
    • yahoo.com: 31, Yes

    SonicWall's Deep Packet Inspection technology extends across all applicable HTTPS and SSL-based traffic. DPI-SSL is resource intensive, so system resources need to be balanced against other functionality. The maximum concurrent DPI-SSL connection limit sets an upper bound on the resources allocated to DPI-SSL. Each firewall has a different maximum connection limit. This can be viewed from Manage | Deep Packet Inspection | SSL Client Deployment. At the top, under Connection Status, you can see the maximum connection limit for your device.

    To work within this limit, it is recommended to exclude trusted traffic from DPI-SSL. This can be done in two ways.

    The first way is to exclude based on Object, in Manage | Deep Packet Inspection | SSL Client Deployment | Objects.

    You can include and exclude based on Address/Service/User objects.

    See Also: 

    How to Configure service objects

    Understanding Address Objects in SonicOS

    The second way is to exclude based on CFS Category.

    This is done from Manage | Deep Packet Inspection | SSL Client Deployment | CFS Category-based Exclusion/Inclusion.

    On this screen you can set whether you want to include or exclude based on Content Filter categories, and then select those categories. It is recommended to exclude the Online Banking and Health categories due to privacy concerns.

    Resolution for SonicOS 6.2 and Below

    The resolution below is for customers using SonicOS 6.2 and earlier firmware. For Generation 6 and newer firewalls we suggest upgrading to the latest general release of SonicOS 6.5 firmware.

    When accessing a website you get an error stating your connection is not secure.

    This is caused by not having the DPI-SSL resigning Certificate installed as a Trusted Root Certification Authority on this device.

    You need to download the SonicWall DPI SSL certificate from the appliance interface in DPI-SSL | Client SSL | Certificates.

    Internet Explorer/Chrome: Open Internet Explorer. Go to Tools | Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.

    Firefox: Go to Tools | Options, click the Advanced tab and then the Certificates tab. Select the Authorities tab, and click Import.

    Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.

    When accessing a website you get the error Secure Connection Failed (SEC_ERROR_INADEQUATE_KEY_USAGE).

    This is caused by the certificate used for re-signing not having been granted certificate-signing authority by your CA.

    This process can be automated in a Windows Domain Environment using Group Policy. You can see the following article: Distributing the Default SonicWall DPI-SSL CA certificate to client computers using Group Policy

    Certificate Errors in Browsers - Self-signed certificate

    When Client DPI-SSL is enabled, accessing a few websites may cause the browser to display a certificate error. The specific error message could vary with different browsers. In Firefox it would show invalid security certificate and in Chrome the error message is Invalid Certificate Authority. In the certificate details, we would see the certificate is self-signed.

    This error occurs rarely, with some websites. It occurs when the server sends a certificate signed by a CA that is not in the SonicWall's certificate store, forcing the SonicWall to re-sign the certificate as a self-signed certificate.

    To resolve this issue, export the Root CA certificate of the website (either from a PC not intercepted by DPI-SSL or by disabling DPI-SSL temporarily) and import it into the SonicWall certificate store.

    This is done from System | Certificates | Import.

    By default, when a server presents a certificate which cannot be verified by Client DPI-SSL because the Root CA is not present in its certificate store, it re-writes the certificate as a self-signed certificate. This default behavior of the SonicWall can be changed.

    Go to the diag page of the SonicWall by entering http://<deviceip>/diag.html. Under the DPI-SSL section, enable the option Block connections to sites with untrusted certificates. Click on Accept to save the change.

    CAUTION: This is not recommended.

    Client DPI-SSL and non-browser applications

    There are certain applications which do not work when Client DPI-SSL is enabled though the SonicWall Client DPI-SSL CA certificate is imported into the certificate store. This is because such applications and/or websites do certificate pinning or SSL pinning. Certificate pinning is an extra check to make sure that the server the client is connecting to is really who they say they are, and not an impostor.

    Some of these applications are:

    • Windows Update
    • DropBox Client App
    • Apple App Store
    • Logmein Client
    • Google Drive Client App

    To allow these applications to work, you need to whitelist their certificates from DPI-SSL. When you add a certificate to this whitelist, any address that uses that certificate is excluded from being scanned by any of the DPI-SSL engines. We maintain a built-in certificate whitelist to prevent connection issues with common websites.

    To view this list, go to DPI-SSL | Client SSL | Common Name.


    You can add exceptions in two ways.

    The first way applies if you know the common name of the certificate you want to exclude. Click Add and enter the common names of the certificates you want to exclude.

    The second way is to click Show Connection Failures.

    This screen presents a list of websites that have had SSL connection failures while DPI-SSL is enabled. You can check the box next to any of these and click Exclude to add them to the common name exclusion list.

    Connection Limits

    Websites like Google, Yahoo and others are placing more importance on customer privacy. Most companies are moving towards HTTPS services while others offer a choice of both HTTP and HTTPS. On average, more than 50% of network traffic is SSL/TLS, and that share is increasing. With these changes, the connections per user are on the rise: all web browsers use multiple connections per user per page request, and many websites use encryption by default.

    The following table shows some average TCP connections per user accessing various sites:

    • google.com: 8, Yes
    • facebook.com: 43, Yes
    • youtube.com: 23, Yes
    • yahoo.com: 31, Yes

    SonicWall's Deep Packet Inspection technology extends across all applicable HTTPS and SSL-based traffic. DPI-SSL is resource intensive, so system resources need to be balanced against other functionality. The maximum concurrent DPI-SSL connection limit sets an upper bound on the resources allocated to DPI-SSL. Each firewall has a different maximum connection limit. This can be viewed from DPI-SSL | Client SSL. At the top, under Connection Status, you can see the maximum connection limit for your device.

    To work within this limit, it is recommended to exclude trusted traffic from DPI-SSL. This can be done in two ways.

    The first way is to exclude based on Object, in DPI-SSL | Client SSL | Objects.

    You can include and exclude based on Address/Service/User objects.

    See Also: 

    How to Configure service objects

    Understanding Address Objects in SonicOS

    The second way is to exclude based on CFS Category.

    This is done from DPI-SSL | Client SSL | CFS Category-based Exclusion/Inclusion.

    On this screen you can set whether you want to include or exclude based on Content Filter categories, and then select those categories. It is recommended to exclude the Online Banking and Health categories due to privacy concerns.


    Categories

    • Firewalls > SonicWall NSA Series > DPI-SSL
    • Firewalls > SonicWall SuperMassive 9000 Series > DPI-SSL
    • Firewalls > TZ Series > DPI-SSL
