Supported Features

DPI-SSL supports:

• By the default, DPI-SSL supports only TLS 1.3 and TLS 1.2. If any customer wants to add TLS 1.0 and/or TLS 1.1, they can enable them on diag page. To support TLS 1.1 or TLS 1.0, customer can enable the necessary option and reboot firewall. Make sure that the firewall is rebooted to apply the changes.

  

• SHA-256 – All re-signed server certificates are signed with the SHA-256 hash algorithm.
• Perfect Forward Secrecy (PFS) – Perfect Forward Secrecy-based ciphers and other stronger ciphers are prioritized over weak ciphers in the advertised cipher suite. As a result, the client or server is not expected to negotiate a weak cipher unless the client or server does not support a strong cipher.

DPI-SSL does not support SSL 3.0 which is forbidden, no option to restore it.

DPI-SSL also supports application-level Bandwidth Management over SSL tunnels. App Rules HTTP bandwidth management policies also applies to content that is accessed over HTTPS when DPI-SSL is enabled for App Rules.

DPI-SSL for both client and server can be controlled by Access Rules.

 

• Support for Local CRL
• TLS Certificate Status Request Extension
• Support for Ciphers
• DPI-SSL and CFS HTTPS Content Filtering Work Independently
• Original Port Numbers Retained in Decrypted Packets