How can I configure Client DPI-SSL?
12/20/2019 932 35088
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
- Gateway Anti-Virus Gateway
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
Don't want to read? Watch instead!
Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.
A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate . This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this has to be added manually.
As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve internet security
- Internet Explorer:,Navigate to Tools | Internet Options, click Content tab and click Certificates.
Click Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.
- Firefox, Navigate to Tools | Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.
- Mac, Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
How to Test:
Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advanced tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website. Open the capture file. You will be able to see both HTTPS and HTTP traffic as below:
The screen shot below is an example of ESMTP (465) traffic being decrypted.