How Can I Configure Client DPI-SSL on NSSP 13700?
07/12/2021 1 1153
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats, and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
- Gateway Anti-Virus Gateway
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
NOTE: During the initial release, NSSP 13700 only supports Global mode and not Policy mode.
Client DPI-SSL deployment scenario typically is used to inspect SSL traffic when clients on the LAN browse content located on the WAN.
A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however, for Firefox, this has to be added manually.
- Login to the SonicWall Management GUI.
- Navigate to Policy | DPI-SSL | Client SSL
- On the Client SSL page, toggle the switch to enabled state for Enable SSL Client Inspection.
Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
TIP: Always enable SSL CLient Inspection after you have successfully imported the Firewall DPI SSL CA certificate to the intended clients, otherwise it may lead to unnecessary certificate errors. Please check the next section for the same.
To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.
In the Policy | DPI-SSL | Client SSL | Certificate page, click on the Download button to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.
NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate.
As computer power increases, anything less than 2048-bit certificates is at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve internet security
NOTE: Browsers like Google Chrome, IE and Microsoft Edge use the default Windows certificate store, but Mozilla Firefox has its own certificate store. So, even if the certificate is imported to the Windows certificate store, it would need to imported separately to Firefox browser.
You can use the following methods to import the DPI SSL CA certificate to your end clients.
On a Windows machine:
- Open Microsoft Management Console by typing MMC in Run
- Click on File and select Add/Remove Snap-in.
- Click on Certificates and click Add.
- Select Local Machine store.
- Select Computer Account and click Next.
- Click Finish.
- Click OK.
- Right-click on Trusted Root CA Certificates folder.
- Click on All Tasks and click on Import.
- Click Next and browse to the location where the SonicWall DPI-SSL certificate is saved.
- Select the certificate and click Open.
- Click on Next and then Finish.
- Close the console.
On Mozilla Firefox Browser:
Navigate to Settings| Privacy & Security, scroll down to Certificates section. Click on View Certificates. Select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.
On MAC device:
Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
TIP: Use the following link to find more ways to install/distribute the DPI SSL CA certificate.
Various Methods To Distribute SonicWall DPI SSL Certificate