How to Exclude Google Drive from Client DPI-SSL in the new DPI-SSL Enhancement in SonicOS 6.2.5
03/26/2020
The Google Drive app, like many similar applications, uses certificate pinning. Client DPI-SSL re-signs the server certificate in order to decrypt the session, so the certificate the app receives no longer matches its pin, and Google Drive fails to connect when SonicWall Client DPI-SSL is enabled.
In firmware prior to SonicOS 6.2.5.x, Google Drive cannot be excluded from Client DPI-SSL for the following reasons:
- The Google Drive certificate CN is *.google.com, so excluding it from Client DPI-SSL would also exclude other Google services such as Gmail and YouTube.
- Google Drive IP addresses are shared with other Google services, so excluding them would exclude those services as well.
In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the server name present in the Server Name Indication (SNI) extension of the Client Hello or the domain names present in the SAN extension of the certificate.
This KB article describes how to exclude Google Drive from DPI-SSL inspection without affecting content decryption and inspection of other Google services.
- Log in to the SonicWall management portal.
- Navigate to the Common Name tab.
- Click Add.
- Enter the following Common Names:
- Set Action to Exclude.
- Click OK.
To verify, start the Google Drive app from a host behind the SonicWall. It should now be able to connect and sync.