Not all domains are blocked properly
Hi Community
We use a SonicWall NSa 2650 and have configured a Forbidden List containing blocked domains in URL List Objects.
Then we configured CFS Action Objects and connected them both in CFS Profile Objects.
For some domains this works properly and we can see the HTML page configured in CFS Action Objects.
But for some domains we see only an HTML error message. I have noticed two different errors: one in Mozilla Firefox (DNS_PROBE_FINISHED_NXDOMAIN, PR_CONNECT_RESET_ERROR) and another in Chrome (ERR_CONNECTION_RESET). This happened, for example, for the open.fm domain.
Could you please advise me what I'm doing wrong and why not every domain listed in the Forbidden List gets the same action?
Best regards, Michal
Best Answers
shiprasahu93 Moderator
Hello @Michal,
The SonicWall block page will show up for all HTTP websites. To see the block page on HTTPS websites, client DPI-SSL needs to be enabled. I see that open.fm is an HTTPS website; that's why, without DPI-SSL, a silent block takes place.
Also, if you are seeing DNS-related errors, most probably it is being blocked by App Control, which checks for DNS signatures.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
5
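A small triage script, added here as an example and not part of the thread or of SonicWall's own tooling, that exercises the distinction made in the answer above: it fetches a domain over HTTP and over HTTPS from a client behind the firewall and reports whether it received an HTML block page, a TCP reset (the silent block), an NXDOMAIN-style DNS failure, or a normal response. The BLOCK_PAGE_MARKER string and the optional cafile path are assumptions: set the marker to text that actually appears on your CFS block page, and point cafile at the DPI-SSL CA certificate you deployed to clients if you want the HTTPS block page to verify instead of failing TLS validation.

```python
"""Classify how a web filter treats a domain: block page, silent reset, DNS block or allowed.
Added example; not SonicWall code.  Marker text and CA path are assumptions (see lead-in)."""
import http.client
import socket
import ssl

# Assumed substring of the CFS block page body; replace with text from your own block page.
BLOCK_PAGE_MARKER = b"blocked"


def classify_exception(exc):
    """Map a connection-level failure to the symptom a browser would show."""
    if isinstance(exc, socket.gaierror):
        return "dns_block"        # browser shows DNS_PROBE_FINISHED_NXDOMAIN
    if isinstance(exc, ConnectionResetError):
        return "silent_block"     # browser shows ERR_CONNECTION_RESET / PR_CONNECT_RESET_ERROR
    if isinstance(exc, (socket.timeout, TimeoutError)):
        return "timeout"          # packets dropped rather than reset
    if isinstance(exc, ssl.SSLError):
        return "tls_error"        # e.g. DPI-SSL re-signed certificate not trusted by this client
    return "error"


def classify_response(status, body, marker=BLOCK_PAGE_MARKER):
    """An HTTP response came back: block page if the marker is present, else allowed."""
    if marker.lower() in body.lower():
        return "block_page"
    return "allowed"


def probe(domain, scheme="http", timeout=5.0, marker=BLOCK_PAGE_MARKER, cafile=None):
    """Fetch / from domain over the given scheme and return one classification string."""
    try:
        if scheme == "https":
            # cafile (assumed) lets the client trust the firewall's DPI-SSL CA so the
            # HTTPS block page validates; without it an inspected site yields tls_error.
            ctx = ssl.create_default_context(cafile=cafile)
            conn = http.client.HTTPSConnection(domain, timeout=timeout, context=ctx)
        else:
            conn = http.client.HTTPConnection(domain, timeout=timeout)
        conn.request("GET", "/", headers={"Host": domain, "User-Agent": "cfs-probe"})
        resp = conn.getresponse()
        body = resp.read(65536)   # the block page is small; cap what we read
        conn.close()
        return classify_response(resp.status, body, marker)
    except OSError as exc:
        # gaierror, ConnectionResetError, socket.timeout and ssl.SSLError are all OSError subclasses
        return classify_exception(exc)


def probe_all(domains, marker=BLOCK_PAGE_MARKER, cafile=None):
    """Probe every domain over both schemes; returns {domain: {"http": ..., "https": ...}}."""
    return {
        d: {s: probe(d, s, marker=marker, cafile=cafile) for s in ("http", "https")}
        for d in domains
    }


if __name__ == "__main__":
    import sys
    targets = sys.argv[1:] or ["open.fm"]
    for domain, result in probe_all(targets).items():
        print(f"{domain:30s} http={result['http']:13s} https={result['https']}")
```

Run it from a workstation behind the firewall with the domains in your Forbidden List as arguments. A row reading http=block_page next to https=silent_block is exactly the pattern described in the answer (CFS acting on the HTTP request, TCP reset on the HTTPS one without DPI-SSL); http=dns_block points at a DNS-level block rather than CFS.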
Michal Newbie ✭
Hello @shiprasahu93
Thank you very much for prompt answer :)
As I see it, I have no license for DPI-SSL, so I cannot use your suggestion.
Best regards, Michal
0
shiprasahu93 Moderator
Hello @Michal,
You can turn on this license from your MySonicWall account. It is available for free on all Gen 6 appliances. But it is not just a matter of enabling a checkbox; it comes with its own set of prerequisites. Kindly go through the KB articles below for more information on the same.
Thank you!
Shipra Sahu
Technical Support Advisor, Premier Services
5
Answers
Hello @shiprasahu93
Thank you for all of your suggestions. I have read the topics about DPI-SSL and, as I see it, we must decrypt packets from VPN users to the firewall to verify content and firewall rules.
My doubt is the firewall's performance, because this kind of operation (encrypt/decrypt) always uses a lot of performance.
I also see the checkbox: Allow SSL without decryption (bypass) when connection limit exceeded.
Thus I imagine that we need to limit the number of connections to keep good firewall performance. Am I right?
Thank you in advance for your help.
Best regards, Michal
@Michal - Yes, you are right. Each appliance model has its own connection limit for DPI-SSL. When connections go beyond this limit and the checkbox "Allow SSL without decryption (bypass) when connection limit exceeded" is enabled, DPI-SSL is not applied to further SSL connections through the SonicWall. If this checkbox is disabled, further SSL connections are dropped by the SonicWall.
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services