How to decrypt HTTPS Traffic using DPI-SSL?
11/10/2021
Description
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
- Gateway Anti-Virus
- Anti-Spyware
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
Resolution
The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.
A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors. Chrome and IE use the Windows Certificate Store, whereas Firefox keeps its own certificate store, so the certificate has to be added to Firefox manually.
- Log in to the SonicWall Management GUI.
- Navigate to Manage | Deep Packet Inspection | SSL Client Deployment.
- On the Client SSL page, check Enable SSL Client Inspection. Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
CAUTION: Before enabling SSL Client Inspection, make sure you have imported the client DPI-SSL certificate on all the computers; otherwise the network may be impacted, as all HTTPS websites will start showing a certificate error.

To avoid certificate trust errors, and to allow the re-signing certificate authority to successfully re-sign certificates, browsers have to trust this certificate authority. Such trust is established by importing the re-signing certificate into the browser's trusted CA list.
IMPORTING THE CERTIFICATE ON THE COMPUTERS:
- On the firewall, go to the Manage | Deep Packet Inspection | SSL Client Deployment | Certificate page and click the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.

NOTE: It is recommended to use a 2048-bit DPI-SSL certificate instead of a 1024-bit certificate. As computing power increases, certificates with keys shorter than 2048 bits are at risk of being compromised by attackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit keys to help preserve internet security.
- For Chrome/Edge/IE:
  - Double-click the downloaded certificate.
  - Select Install Certificate.
  - Choose whether to install for the current user or the local machine.
  - Select "Place all certificates in the following store".
  - Browse and select the Trusted Root Certification Authorities store.
  - Click Finish. The Certificate Import Wizard will guide you through importing the certificate.
- Firefox:
  - Enter about:preferences#privacy in the URL bar.
  - Scroll down to Certificates and click View Certificates.
  - Click Import.
  - Select the downloaded certificate.
  - Select "Trust this CA to identify web sites" and "Trust this CA to identify email users".
  - Click OK.
- Mac: Double-click the certificate file, select the Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
How to Test:
Start a packet capture on the SonicWall. Make sure you have enabled Monitor intermediate SSL decrypted traffic under the Advanced tab of Packet Monitor. Go to https://mail.google.com or any other HTTPS website, then open the capture file. You will be able to see both the encrypted HTTPS traffic and the decrypted HTTP traffic, as in the screenshot below:

The screenshot below is an example of ESMTP (port 465) traffic being decrypted.

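A client-side complement to the packet-capture test above, added here as an example and not part of the SonicWall article: a stdlib-only Python probe that reports whether a host's certificate chain validates against the downloaded DPI-SSL CA file (the firewall is re-signing the session) or only against the system trust store (the session is passing through uninspected). The CA file path, the issuer name "SonicWall Firewall DPI-SSL" and the sample certificate dict are assumptions or constructed values; the CA file is assumed to be PEM-encoded.

```python
import socket
import ssl

# Assumed issuer CN of the firewall's re-signing CA; confirm it against the
# CA certificate downloaded from the SSL Client Deployment page.
DPI_SSL_ISSUER_CN = "SonicWall Firewall DPI-SSL"

# Constructed sample in ssl.SSLSocket.getpeercert() format: a leaf for
# mail.google.com after re-signing by the firewall's CA.
SAMPLE_RESIGNED_CERT = {
    "subject": ((("commonName", "mail.google.com"),),),
    "issuer": (
        (("organizationName", "SonicWall Inc."),),
        (("commonName", DPI_SSL_ISSUER_CN),),
    ),
}


def issuer_cn(cert):
    """Return the issuer commonName from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(cert, ca_cn=DPI_SSL_ISSUER_CN):
    """'intercepted' if the leaf was re-signed by the DPI-SSL CA, else 'direct'."""
    return "intercepted" if issuer_cn(cert) == ca_cn else "direct"


def probe(host, ca_file, port=443, timeout=5):
    """Connect twice: first trusting only the downloaded (PEM) DPI-SSL CA file,
    then the system store. The first context that validates the chain tells
    you whether the firewall is re-signing this session."""
    contexts = (
        ("intercepted", ssl.create_default_context(cafile=ca_file)),
        ("direct", ssl.create_default_context()),
    )
    for verdict, ctx in contexts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    return verdict, issuer_cn(tls.getpeercert())
        except ssl.SSLCertVerificationError:
            continue  # chain not trusted by this context; try the next one
    return "untrusted", None


if __name__ == "__main__":
    # The CA file path is an assumption; use the file downloaded from the firewall.
    print(probe("mail.google.com", "dpi-ssl-ca.pem"))
```

A result of "direct" for a site that should be inspected usually means the traffic is bypassing DPI-SSL (exclusion list, pinned application, or a path that does not traverse the firewall); "untrusted" means neither the DPI-SSL CA nor the system store validated the chain.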