- Products
- Network Security
Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
Security ServicesComprehensive security for your network security solution
Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
Capture ATPMulti-engine advanced threat detection
Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
Secure Mobile AccessRemote, best-in-class, secure access
Wireless Access PointsEasy to manage, fast and secure Wi-FI
SwitchesHigh-speed network switching for business connectivity
- Email Security
Email SecurityProtect against today’s advanced email threats
- Cloud Security
Cloud App SecurityVisibility and security for Cloud Apps
Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
Capture ClientStop advanced threats and rollback the damage caused by malware
Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
- Products
- Network Security
- Next Generation FirewallNext-generation firewall for SMB, Enterprise, and Government
- Security ServicesComprehensive security for your network security solution
- Network Security ManagerModern Security Management for today’s security landscape
- Advanced Threat Protection
- Capture ATPMulti-engine advanced threat detection
- Capture Security applianceAdvanced Threat Protection for modern threat landscape
- Access Security
- Cloud Edge Secure AccessDeploy Zero-Trust Security in minutes
- Secure Mobile AccessRemote, best-in-class, secure access
- Wireless Access PointsEasy to manage, fast and secure Wi-FI
- SwitchesHigh-speed network switching for business connectivity
- Email Security
- Email SecurityProtect against today’s advanced email threats
- Cloud Security
- Cloud App SecurityVisibility and security for Cloud Apps
- Cloud Firewall (NSv)Next-generation firewall capabilities in the cloud
- Endpoint Security
- Capture ClientStop advanced threats and rollback the damage caused by malware
- Content Filtering ClientControl access to unwanted and unsecure web content
- Product Widgets
- Product Menu Right Image
- Network Security
- Solutions
- Solutions Widgets
- Solutions Image Widgets
- Solutions Widgets
- Partners
- Partner Widgets
- Partners Image Widgets
- Partner Widgets
- Support
- Support Widget
- Support Image Widgets
- Support Widget
How to Exclude Gmail (mail.google.com) from DPI-SSL Client Inspection
03/26/2020 
387 People found this article helpful
49,806 Views
Description
Google uses a single wildcard certificate with a CN of *.google.com for all their services like YouTube.com, Google.com etc. The individual domain names are present in the Subject Alt Name (SAN) field of the certificate. Due to this, in previous deployments of DPI-SSL, it was not possible to include or exclude an individual domain from DPI-SSL inspection.
In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the Server Name present in the Server Name Indication (SNI) of the Client Hello or by domain names present in the SAN extension of the Certificate.
This KB article describes how to exclude Gmail.com (mail.google.com) from DPI-SSL inspection without affecting content decryption and inspection of other Google services.
Resolution
Here's how to add Google Domains to the DPI-SSL Exclusions:
- Log in to the SonicWall GUI
- Go to the Manage tab
- Go to Deep Packet Inspection | SSL Client Deployment
- Navigate to the Common Name tab
- Click on Add
- Enter the following Common Names:
- googleuser.content.com
- accounts.youtube.com
- accounts.google.com
- mail.google.com
- www.gmail.com
- gstatic.com
- googleusercontent.com
- Set Action to Exclude
- Click on OK
Testing
From a host behind the SonicWall, go to gmail.com or mail.google.com. The site must show its certificate as issued by a public CA.
Related Articles
- Supported Public Cloud Servers/Instance Sizes on SonicWall NSv Series Models
- Why do I need a Support Services Reinstatement?
- How can I configure a VPN between a SonicWall firewall and Microsoft Azure?
Categories
- Firewalls > NSa Series > Client/Server DPI-SSL
- Firewalls > NSv Series > Client/Server DPI-SSL
- Firewalls > TZ Series > DPI-SSL
YES
NO