- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to decrypt HTTPS Traffic using DPI-SSL?
11/10/2021 
1,170 People found this article helpful
72,168 Views
Description
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
- Gateway Anti-Virus Gateway
- Anti-Spyware
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
Don't want to read? Watch instead!
Resolution
Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.
A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate . This certificate should be added to the browser to eliminate certificate trust errors. In the case of Chrome and IE, this is a part of the Windows Certificate Store, however for Firefox, this has to be added manually.
- Login to the SonicWall Management GUI.
- Navigate to Manage | Deep Packet Inspection | SSL Client Deployment.
- On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
CAUTION: Before enabling SSL Client Inspection make sure you have imported the client DPI-SSL Certificate in all the computers otherwise the network may be impacted as all HTTPS websites will start showing a Certificate Error.
To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.
IMPORTING THE CERTIFICATE ON THE COMPUTERS:
- On the firewall go to Manage | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.
NOTE: It is recommended to use 2048 bit DPI-SSL certificate instead of 1024 bit certificate . As computer power increases, anything less than 2048-bit certificates are at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve internet security
- For Chrome/Edge/IE:
- Double click on the downloaded certificate
- Select Install Certificate
- Choose whether to install for the current user or the local machine
- Select "Place all certificates in the following store"
- Browse and select Trusted Root Certification Authorities tab
- Click Finish. The Certificate Import Wizard will guide you through importing the certificate.
- Firefox:
- Enter in the URL: about:preferences#privacy
- Scroll Down under Certificates and click View Certificates
- Click Import
- Select the downloaded certificate
- Select "Trust this CA to identify web sites" and "Trust this CA to identify email users"
- Click Ok
- Mac, Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
How to Test:
Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advanced tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website. Open the capture file. You will be able to see both HTTPS and HTTP traffic as below:
The screen shot below is an example of ESMTP (465) traffic being decrypted.
Related Articles
- How can I configure a VPN between a SonicWall firewall and Microsoft Azure?
- Supported Public Cloud Servers/Instance Sizes on SonicWall NSv Series Models
- How to force an update of the Security Services Signatures from the Firewall GUI
Categories
- Firewalls > TZ Series > DPI-SSL
- Firewalls > SonicWall NSA Series > DPI-SSL
- Firewalls > NSa Series > Client/Server DPI-SSL
- Firewalls > NSv Series > Client/Server DPI-SSL
YES
NO