How to Exclude Google Drive from Client DPI-SSL in the new DPI-SSL Enhancement in SonicOS 6.2.5

Description

The Google Drive app, like many other such applications, uses certificate pinning. As a result, when SonicWall Client DPI-SSL is enabled, Google Drive fails to connect.

In firmware prior to SonicOS 6.2.5.x, Google Drive cannot be excluded from Client DPI-SSL for the following reasons:

  • The Google Drive CN is *.google.com, and excluding this from Client DPI-SSL will also exclude other Google services such as Gmail and YouTube.
  • Google Drive IP addresses are shared with other Google services, so excluding them would also exclude those services.

In SonicOS 6.2.5.x firmware, with its DPI-SSL enhancements, it is now possible to exclude or include domains using either the Server Name present in the Server Name Indication (SNI) of the Client Hello or the domain names present in the SAN extension of the Certificate.

This KB article describes how to exclude Google Drive from DPI-SSL inspection without affecting content decryption and inspection of other Google services. 

 

Resolution

  1. Login to the SonicWall management portal.
  2. Navigate to the Common Name tab.
  3. Click Add.
  4. Enter the following Common Names:
    • accounts.google.com
    • clients3.google.com
    • drive.google.com
    • www.googleapis.com
  5. Set Action to Exclude.
  6. Click OK.


 

Testing

 From a host behind the SonicWall, start the Google Drive app. It must be able to connect and sync. 
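A command-line check to go with the app test, added here as an example and not taken from SonicWall documentation: it reads the issuer of the certificate each hostname presents to a host behind the firewall and reports whether the firewall is still re-signing it. The DPI_CA_PATTERN default and both sample issuer lines are assumptions; set the pattern to match the issuer name of the DPI-SSL CA certificate your appliance actually uses.

```shell
#!/bin/sh
# Added example: report whether each hostname's certificate is still being
# re-signed by Client DPI-SSL, as seen from a host behind the firewall.

# Assumption: substring of the issuer name of your DPI-SSL re-signing CA.
# Check the certificate your appliance actually uses and adjust.
DPI_CA_PATTERN="${DPI_CA_PATTERN:-SonicWall}"

# Constructed sample issuer lines (not captured from a real appliance).
SAMPLE_INSPECTED='issuer=CN = SonicWALL Firewall DPI-SSL'
SAMPLE_BYPASSED='issuer=C = US, O = Example Public CA, CN = Example Issuing CA 1'

# classify_issuer ISSUER_LINE -> inspected | bypassed | unknown
classify_issuer() {
  issuer=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  pattern=$(printf '%s' "$DPI_CA_PATTERN" | tr '[:upper:]' '[:lower:]')
  case "$issuer" in
    "")           echo unknown ;;    # no certificate retrieved
    *"$pattern"*) echo inspected ;;  # leaf was re-signed by the firewall CA
    *)            echo bypassed ;;   # origin server's own chain reached the client
  esac
}

# fetch_issuer HOST -> issuer line of the leaf certificate, with SNI set to HOST
fetch_issuer() {
  openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null |
    openssl x509 -noout -issuer 2>/dev/null
}

# check_hosts HOST... -> one line per host; non-zero if any host is not bypassed
check_hosts() {
  rc=0
  for host in "$@"; do
    state=$(classify_issuer "$(fetch_issuer "$host")")
    printf '%-24s %s\n' "$host" "$state"
    [ "$state" = bypassed ] || rc=1
  done
  return "$rc"
}

# Hostnames given on the command line are checked; with none, nothing runs.
if [ "$#" -gt 0 ]; then
  check_hosts "$@"
fi
```

Run it with the four excluded names as arguments; each should read bypassed. A Google hostname that was not excluded should still read inspected when Client DPI-SSL covers it.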

 
