Back to overview

Network Security

Threats Don't Follow Port Rules. SonicWall's Inspection Engine Does.

by Tiju Cherian

How SonicWall RFDPI and DPI-SSL deliver full-stream, all-port, TLS-aware inspection, and why non-standard port visibility is now the defining line between security and blind trust.

For decades, network firewalls operated on a foundational assumption: traffic on well-known ports is trusted; everything else is blocked. Port 80 for HTTP. Port 443 for HTTPS. Port 25 for SMTP. This model made sense when applications were monolithic, protocols were predictable, and attackers played by the same rules as defenders.

That era is over. Modern threats are port-agnostic by design. Command-and-control frameworks like Cobalt Strike run implants on port 4444, 8443, or a randomly chosen high-numbered port. Ransomware operators exfiltrate data over TLS on port 8080. Remote access tools tunnel through whatever port the perimeter allows. And with over 90% of all internet traffic now encrypted, a firewall that cannot see inside TLS sessions is effectively inspecting a fraction of the traffic it claims to secure.

SonicWall addresses both challenges simultaneously with two complementary and deeply integrated inspection engines: Reassembly-Free Deep Packet Inspection (RFDPI) for all-port, all-protocol content inspection, and Deep Packet Inspection of SSL/TLS (DPI-SSL) for transparent decryption, scanning, and re-encryption of encrypted sessions on any port they appear.

The Problem: Why Port-Based Inspection Creates Blind Spots

Traditional stateful packet inspection (SPI) firewalls match traffic to a list of trusted port-to-protocol mappings. If port 443 is allowed, everything arriving on 443 is permitted, regardless of its actual content. Attackers discovered this constraint a long time ago:

ENCRYPTED THREATS BY THE NUMBERS
  • Encrypted threats rose 117% in 2023, the highest volume ever recorded by SonicWall
  • Over 90% of internet traffic is now TLS-encrypted, creating a vast inspection blind spot for firewalls without DPI-SSL
  • Attackers routinely run C2 infrastructure on ports 4444, 4445, 8443, 8080, 9090, and dynamically rotated high-numbered ports
  • Malware families like QakBot, Cobalt Strike, and Emotet use port hopping and encrypted tunnels as standard evasion techniques
  • Remote Access Tools (RATs) such as AnyDesk, TeamViewer, and ngrok can traverse firewalls by mirroring HTTPS behavior on port 443 or any other open port

 

A port-based firewall permits or blocks at Layer 4. But threats live at Layers 5 through 7, the application layer, where payloads, signatures, command strings, and data are exchanged. Without content inspection across all ports, you're relying on attackers to use the ports you're watching.

Engine One: Reassembly-Free Deep Packet Inspection (RFDPI)

SonicWall's RFDPI engine is the foundational inspection technology in every SonicWall next-generation firewall. Its defining characteristic is that it performs stream-based, bi-directional inspection across all ports and all protocols simultaneously without buffering, proxying, or waiting for packet reassembly.

How RFDPI Differs from Traditional DPI

Dimension
Traditional Proxy-Based DPI
SonicWall RFDPI
ApproachTerminates connection, buffers full object, scans, forwardsStreams through, no buffering, no proxy, no reassembly
LatencyHigh, must wait for the complete objectUltra-low, single-pass scanning in real time
Port coverageTypically inspects defined port/protocol pairs onlyAll ports, all protocols, bidirectional
Evasion resistanceVulnerable to payload fragmentation, evasion across packetsScans byte-by-byte; normalizes fragmented/obfuscated streams
TLS/encrypted trafficRequires a separate proxy for HTTPSIntegrated with DPI-SSL for any-port TLS decryption
Throughput impactSignificant; proxying adds loadMinimal; designed for multi-Gbps line rate

 

What RFDPI Inspects on Every Packet

Across every byte of every packet, on every port, in both directions, RFDPI simultaneously matches against three unified signature databases in a single pass:

Intrusion Prevention (IPS)Gateway Anti-Malware (GAM)Application Intelligence
  • Protocol anomaly detection
  • Exploit signatures at Layers 4–7
  • Zero-day behavior patterns
  • DoS / DDoS pattern matching
  • Port-agnostic rule matching
  • Malware payload signatures
  • Encrypted malware download detection
  • C2 callback pattern matching
  • Ransomware beaconing detection
  • Data exfiltration patterns
  • Identify app by signature, not port
  • Allow / block/ throttle per-app
  • Shadow IT detection
  • User-aware policy enforcement
  • Bandwidth management per app

 

Engine Two: Deep Packet Inspection of SSL/TLS (DPI-SSL)

RFDPI sees everything in plaintext streams. But encrypted traffic requires an additional step: decryption. DPI-SSL is SonicWall's transparent TLS proxy that intercepts, decrypts, inspects via RFDPI, then re-encrypts and forwards traffic on any port where TLS is detected, not just port 443.

Two Modes of Operation

Client DPI-SSL (Outbound)
Server DPI-SSL (Inbound)

Purpose: Inspect encrypted traffic leaving the network

  • Typical flow: Internal user to External server
  • Decrypts HTTPS, IMAPS, SMTPS, FTPS, LDAPS and any TLS on any port
  • Firewall re-signs certificate using its own CA; requires CA cert deployed to endpoints
  • Enables CFS category inspection inside HTTPS
  • Catches encrypted malware downloads, C2 callbacks, data exfil

Purpose: Inspect encrypted traffic entering the network

  • Typical flow: External client to Internal server
  • Firewall holds the server private key or acts as a reverse proxy
  • Inspects inbound encrypted payloads before they reach your DMZ/servers
  • Detects exploits hidden in inbound HTTPS sessions
  • Critical for protecting published web apps and APIs

 

KEY CAPABILITY: DPI-SSL INSPECTS TLS ON ANY PORT

SonicWall DPI-SSL identifies TLS/SSL sessions by protocol behavior, not port number. A TLS handshake on port 8443, 4443, 9001, or any other port is identified and decrypted identically to port 443. This is the critical capability that prevents attackers from tunnelling threats over non-standard encrypted ports to bypass inspection. SonicWall Gen7+ further extends this with native TLS 1.3 inspection, the latest and fastest encryption standard, fully transparent to users and applications.

 

TLS 1.3 and Forward Secrecy — Solved

TLS 1.3 introduced mandatory forward secrecy (ephemeral Diffie-Hellman key exchange), which means passive decryption with a stored private key is no longer possible. SonicWall solves this through its active transparent proxy architecture: the firewall becomes an active participant in the TLS handshake, negotiating a fresh session with both client and server, inspecting in the middle, then passing clean traffic forward. This works on TLS 1.3 sessions over any port, including non-standard ones.

 

 

Use Cases: Where Non-Standard Port Inspection Is Mission-Critical

The following scenarios represent the highest risk situations where organizations without all-port, all-TLS inspection are operating blind.

Use Case 1 — C2 Framework Detection (Cobalt Strike, Metasploit, Custom Implants)

Attack profile: Red teams and threat actors using Cobalt Strike, Metasploit, or custom C2 frameworks configure their listeners on non-standard ports (4444, 8888, 50050, or randomized high-numbered ports) to evade port-based firewall rules. Communications are TLS-encrypted to further blend into normal traffic.

Scenario: A financial services firm allows outbound HTTPS (port 443) and RDP gateway access (port 3389). An attacker's implant on a compromised endpoint establishes a TLS-wrapped C2 beacon to 185.x.x.x:8443 every 60 seconds. A port-based firewall allows it — port 8443 is often permitted for development environments. 

SonicWall RFDPI + DPI-SSL decrypts the session, identifies the Cobalt Strike malleable C2 beacon pattern in the payload, and blocks the connection with a GAM or IPS signature match, regardless of port.

Why SonicWall's approach wins:

  • DPI-SSL decrypts the TLS session on port 8443, same as it would on 443
  • RFDPI matches the Cobalt Strike jitter/sleep pattern in the decrypted payload
  • Botnet/CnC filter cross-references destination IP/domain against SonicWall's threat intelligence feeds

Use Case 2 — Ransomware Data Exfiltration Over Non-Standard TLS

Attack profile: Modern ransomware groups (LockBit, BlackCat, Clop) operate double-extortion models; they exfiltrate data before encrypting it and threaten to publish unless paid. Exfiltration often occurs over TLS sessions on ports chosen to blend with allowed application traffic (8080, 8443, 9443).

Scenario: A manufacturing company's backup server is compromised. The attacker stages 80 GB of CAD files and trade secrets, then begins exfiltrating over an encrypted connection to a cloud storage endpoint on port 8080 (HTTP alternate). The firewall allows port 8080 for a legacy ERP system. Without DPI, the exfiltration is invisible. 

With SonicWall DPI-SSL, the session is decrypted and inspected; App Control identifies the data transfer as non-ERP application behavior; Content Inspection flags large outbound file transfers to an unknown external host; the connection is blocked and logged.

  • DPI-SSL exposes the content of the 'encrypted' exfiltration channel
  • App Rules fire on content type/data volume patterns
  • DLP policies can block specific file types (CAD, financial, PII) from leaving on any port

Use Case 3 — Shadow IT and Unsanctioned Application Control

Business profile: Employees install and use applications that IT has not approved such as personal cloud storage (Dropbox, Google Drive), messaging platforms (Discord, Telegram), or gaming clients. Many of these applications are port-flexible, automatically selecting whichever port is available (443, 80, 5222, 1935, and others).

Scenario: A healthcare organization prohibits personal cloud storage for HIPAA compliance. An employee installs Dropbox, which syncs over port 443 and occasionally falls back to port 17500. A port-based firewall cannot distinguish Dropbox from legitimate HTTPS. 

SonicWall's Application Intelligence identifies Dropbox by its application signature (not port), blocks the sync, and logs the violation for HR and compliance review, regardless of which port the client attempts.

  • Application identification is signature-based, port is irrelevant
  • Thousands of application signatures in SonicWall's database include common shadow IT tools
  • App Rules can block, throttle, or alert on any identified application

Use Case 4 — Remote Access Tool (RAT) and Persistence Detection

Attack profile: Both attackers and insiders use remote access tools (AnyDesk, TeamViewer, ngrok, Tailscale) to establish persistent footholds or exfiltrate data. These tools are designed to traverse firewalls by mimicking HTTPS traffic on port 443 or using relay infrastructure on arbitrary ports.

Scenario: A disgruntled insider installs ngrok on their workstation, creating an encrypted tunnel to ngrok's cloud relay on port 443. This gives an external accomplice a reverse shell. Port-based controls see only 'HTTPS to ngrok.io'. 

SonicWall DPI-SSL decrypts the session; Application Intelligence identifies ngrok tunnel traffic by signature; the Security Services block the connection and trigger an alert.

  • DPI-SSL decrypts the tunnel traffic, exposing the underlying protocol
  • Application signatures cover major RATs and tunneling tools
  • GeoIP filtering can block relay infrastructure in unexpected regions

 

Use Case 5 — Compliance: PCI-DSS, HIPAA, and CMMC Encrypted Traffic Visibility

Regulatory profile: PCI-DSS 4.0, HIPAA Security Rule, and CMMC Level 2/3 all require organizations to maintain visibility into encrypted traffic carrying sensitive data. Auditors increasingly ask for evidence that TLS inspection is active and that sensitive data is not leaving the network unmonitored on any port.

 

RegulationRequirement Addressed by DPI-SSL / RFDPISonicWall Capability
PCI-DSS 4.0Req 1.3: Control traffic flows to/from cardholder data environment; Req 6.4: Inspect encrypted traffic for vulnerabilitiesDPI-SSL + IPS on all ports protects the CDE perimeter
HIPAA Security Rule§164.312(e): Protect ePHI in transit; demonstrate encryption visibility for auditDPI-SSL logs all inspected sessions; App Control blocks unapproved data egress
CMMC Level 2/3AC.2.006: Limit network access; SC.3.187: Prevent unauthorized data exfiltrationRFDPI all-port inspection + DLP rules on content type
GDPR / DPDPAArticle 32: Appropriate technical measures for personal data in transitTLS inspection with logging supports Article 32 technical controls

Use Case 6 — OT/IoT Devices Calling Home on Non-Standard Ports

Environment profile: Manufacturing, utilities, and smart-building environments operate OT devices (PLCs, HMIs, smart sensors) and IoT endpoints that communicate on non-standard industrial protocols and ports. Compromised OT devices are increasingly used as pivot points or contact attacker infrastructure on unexpectedly high-numbered ports.

Scenario: A smart HVAC controller in a hospital is compromised via a default credential attack. It begins beaconing to an external IP on TCP port 9001, a Tor-adjacent port commonly used for covert channels. A perimeter firewall allowing 'all outbound on high ports' would pass this silently. 

SonicWall RFDPI inspects the stream, identifies the Tor protocol handshake pattern, triggers an IPS alert, and blocks the connection. The hospital's OT team is notified within seconds.

  • IPS signatures include Tor, I2P, and other anonymization network handshakes on any port
  • Zone-based policies can restrict OT segments from reaching internet-routed IPs entirely
  • App Control can identify industrial protocols (Modbus, DNP3) and enforce appropriate policies

Use Case 7 — Encrypted Lateral Movement and Credential Harvesting

Attack profile: post-compromise, attackers move laterally across internal segments using tools like Mimikatz, BloodHound, and PsExec. To evade EDR tools, sophisticated actors wrap lateral movement in TLS over ports that appear benign in internal traffic (8080 between workstations, 5985 for WinRM, or custom ports for encrypted pivots).

  • East-west DPI-SSL inspection (between internal zones) decrypts intra-segment TLS to expose lateral movement payloads
  • RFDPI matches credential harvesting signatures in decrypted internal traffic
  • Zone segmentation + DPI policies enforce zero-trust between OT, server, and user segments on all ports
PERFORMANCE CONSIDERATION

DPI-SSL inspection adds processing overhead proportional to session count and payload size. 

SonicWall Gen7+ firewalls publish separate DPI-SSL throughput ratings in their datasheets; always size the appliance to the DPI-SSL spec, not the stateful throughput spec, when encrypted inspection is required. The NSa and NSsp series are particularly optimized for high-volume DPI-SSL environments. Exclusions can be created for trusted high-volume sources (e.g., Windows Update servers, internal certificate authorities) to optimize performance without creating security gaps.

 

 

SonicWall Resources & Documentation

Resource
Link
Blog: DPI-SSL — Encryption Has Met Its Match (2024)blog.sonicwall.com/en-us/2024/04/sonicwall-dpi-ssl-encryption-has-met-its-match/
Tech Brief: Advantages of RFDPIwww.sonicwall.com/resources/brief/tech-brief-advantages-of-reassembly-free-deep-packet-inspection/
DPI-SSL Decryption Datasheet (PDF)www.sonicwall.com/medialibrary/en/datasheet/datasheet-decryption-and-inspection-of-encrypted-traffic.pdf

 

The question is no longer whether your firewall inspects port 443. The question is whether it inspects every port, every protocol, and every encrypted session, simultaneously, at line rate, without introducing latency your users will notice.

SonicWall RFDPI and DPI-SSL are not bolt-on features; they are the inspection architecture every SonicWall NGFW is built on. When attackers move to port 8443, 4444, or a randomized high-numbered port, SonicWall moves with them.

To evaluate DPI-SSL throughput requirements for your deployment, consult your SonicWall account team or visit sonicwall.com

 

 

 

Share This Article

An Article By

Tiju Cherian

Director, Product Management
Tiju Cherian is the Director of Product Management at SonicWall. He has over 19 years of experience in cybersecurity product management, network security technology and customer experience. He has led high-performing teams and driven diverse functional groups and matrixed organizations to a common goal. Tiju joined SonicWall Product Team to enhance the Network and Access Security portfolio, ensuring its success by expanding offerings to address niche and emerging use cases. He aims to provide a comprehensive cybersecurity platform, flexible consumption options, and tailored suites and bundles for SonicWall customers and partners.

Related Articles

  • SonicWall DPI-SSL: Encryption Has Met Its Match
    Read More
  • Securing the Future: How SonicWall Firewalls Protect IoT Networks
    Read More