• SonicOS 7.0
• About DPI-SSL
  • Using DPI-SSL
    • Supported Features
      • Support for Local CRL
      • TLS Certificate Status Request Extension
      • Support for Ciphers
      • DPI-SSL and CFS HTTPS Content Filtering Work Independently
      • Original Port Numbers Retained in Decrypted Packets
    • Security Services
  • Deployment Scenarios
  • Proxy Deployment
  • Customizing DPI-SSL
  • Connections per Appliance Model
• DPI-SSL/TLS Client
  • Deploying the DPI-SSL/TLS Client
    • Configuring General DPI-SSL/TLS Client Settings
      • Enabling DPI-SSL Client on a Zone
    • Selecting the Re-Signing Certificate Authority
      • Adding Trust to the Browser
    • Configuring Exclusions and Inclusions
      • Configuring Exclusions and Inclusions by Objects and Groups
      • Configuring Exclusions and Inclusions by Common Name
        • Viewing Status of DPI-SSL Default Exclusions
        • Rejecting or Accepting Default Common Names
        • Adding Custom Common Names
        • Editing Custom Common Names
        • Deleting Custom Common Names
        • Showing Connection Failures
        • Updating Default Exclusions Manually
      • Configuring Exclusions and Inclusions by CFS Category
  • Applying DPI-SSL/TLS Client
    • Performing Content Filtering using DPI-SSL
    • Filtering Content by App Rules using DPI-SSL
      • Enabling App Control Service on a Zone
  • Viewing DPI-SSL Status
• DPI-SSL/TLS Server
  • Deploying the DPI-SSL/TLS Server
    • Configuring General DPI-SSL/TLS Server Settings
      • Enabling DPI-SSL Server on a Zone
    • Configuring Exclusions and Inclusions
    • Configuring Server-to-Certificate Pairings
• SonicWall Support
  • About This Document

Configuring Exclusions and Inclusions

By default, the DPI-SSL applies to all traffic on the appliance when it is enabled. You can configure inclusion/exclusion lists to customize to which traffic DPI-SSL inspection applies. The Inclusion/Exclusion lists provide the ability to specify certain objects or groups. In deployments that process a large amount of traffic, to reduce the CPU impact of DPI-SSL and to prevent the appliance from reaching the maximum number of concurrent DPI-SSL inspected connections, it can be useful to exclude trusted sources.

To customize DPI-SSL server inspection

1. Navigate to the POLICY | DPI-SSL > Server SSL page.

2. Scroll to the Inclusion/Exclusion section.

   

3. From Address Object/Group Exclude, select an address object or group to exclude from DPI-SSL inspection. By default, Exclude is set to None.

4. From Address Object/Group Include, select an address object or group to include in DPI-SSL inspection. By default, Include is set to All.

   Include can be used to fine tune the specified exclusion list. For example, by selecting the Remote-office-California address object from Exclude and the Remote-office-Oakland address object from Include.

5. From User Object/Group Exclude, select an address object or group to exclude from DPI-SSL inspection. By default, Exclude is set to None.

6. From User Object/Group Include, select an address object or group to include in DPI-SSL inspection. By default, Include is set to All.

7. Click Accept.