-
Products
-
SonicPlatform
SonicPlatform is the cybersecurity platform purpose-built for MSPs, making managing complex security environments among multiple tenants easy and streamlined.
Discover More
-
-
Solutions
-
Federal
Protect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn MoreFederalProtect Federal Agencies and Networks with scalable, purpose-built cybersecurity solutions
Learn More - Industries
- Use Cases
-
-
Partners
-
Partner Portal
Access to deal registration, MDF, sales and marketing tools, training and more
Learn MorePartner PortalAccess to deal registration, MDF, sales and marketing tools, training and more
Learn More - SonicWall Partners
- Partner Resources
-
-
Support
-
Support Portal
Find answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn MoreSupport PortalFind answers to your questions by searching across our knowledge base, community, technical documentation and video tutorials
Learn More - Support
- Resources
- Capture Labs
-
- Company
- Contact Us
How to Exclude Gmail (mail.google.com) from DPI-SSL Client Inspection
03/26/2020 
400 People found this article helpful
490,421 Views
Description
Google uses a single wildcard certificate with a CN of *.google.com for all their services like YouTube.com, Google.com etc. The individual domain names are present in the Subject Alt Name (SAN) field of the certificate. Due to this, in previous deployments of DPI-SSL, it was not possible to include or exclude an individual domain from DPI-SSL inspection.
In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the Server Name present in the Server Name Indication (SNI) of the Client Hello or by domain names present in the SAN extension of the Certificate.
This KB article describes how to exclude Gmail.com (mail.google.com) from DPI-SSL inspection without affecting content decryption and inspection of other Google services.
Resolution
Here's how to add Google Domains to the DPI-SSL Exclusions:
- Log in to the SonicWall GUI
- Go to the Manage tab
- Go to Deep Packet Inspection | SSL Client Deployment
- Navigate to the Common Name tab
- Click on Add
- Enter the following Common Names:
- googleuser.content.com
- accounts.youtube.com
- accounts.google.com
- mail.google.com
- www.gmail.com
- gstatic.com
- googleusercontent.com
-
- Set Action to Exclude
- Click on OK
Testing
From a host behind the SonicWall, go to gmail.com or mail.google.com. The site must show its certificate as issued by a public CA.
Related Articles
- How to block like/comment/post/share features of Facebook using App Rules
- How to block various YouTube features using App Rules
- How can I enable or disable SonicWall firewall management access?
Categories
- Firewalls > NSa Series > Client/Server DPI-SSL
- Firewalls > NSv Series > Client/Server DPI-SSL
- Firewalls > TZ Series > DPI-SSL
YES
NO