TZ 670 DPI-SSL

I am configuring my TZ 670 and turned on DPI-SSL Client.

Under General Tab, I turned on

Audit new default exclusion domain names prior to being added for exclusion

If I did not turn this on, would the system automatically add connection failures to the Common Name Exclusions?

Also, I am testing it with one workstation for now. I have a lot of microsoft.com failures. Is it typical to just add microsoft.com to the exclusion as opposed to the various items?

When adding a site, do you put the "." in front or not? Which is correct?

.microsoft.com or microsoft.com

The built-in ones do it both ways. Some with the ".", others without?

Last, when excluding there is an option to:

Always authenticate server before applying exclusion policy

It is disabled by default. I saw in a KB article to enable this. Which should I do?

Category: Entry Level Firewalls

Answers

  • shiprasahu93 Moderator
    edited June 2021

    Hello @Rinconmike,

    1) Audit new default exclusion domain names prior to being added for exclusion: This option applies whenever SonicWall decides to add more default DPI SSL exclusions. This does not get auto-populated with connection failures based on your environment. You can see that there are 39 default exclusions in place. If more are added from our end, you get a chance to audit them before they are added to the common name default exclusions.

    2) When creating exclusions, .microsoft.com stands for that domain and any other sub-domains; it is basically for wildcard domain names. So, it is okay to add .microsoft.com to exclusion if needed.

    3) Always authenticate server before applying exclusion policy: Although we are excluding certain domains, it is possible that you still want the firewall to authenticate the source of the connection; then this can be turned ON. I would suggest leaving it turned ON.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Saravanan Moderator

    Hi @RINCONMIKE,

    Thank you for visiting SonicWall Community.

    Please find answers to your questions inline.

    Audit new default exclusion domain names prior to being added for exclusion

    If I did not turn this on, would the system automatically add connection failures to the Common Name Exclusions?

    Answer: No. This option has correlation only with the built-in exclusion list.

    Also, I am testing it with one workstation for now. I have a lot of microsoft.com failures. Is it typical to just add microsoft.com to the exclusion as opposed to the various items?

    Answer: Yes, right. You can add .microsoft.com to the exclusion list.

    When adding a site, do you put the "." in front or not? Which is correct?

    Answer: .microsoft.com

    Always authenticate server before applying exclusion policy

    It is disabled by default. I saw in a KB article to enable this. Which should I do?

    Answer: Please enable this checkbox. The exclusion domain's certificate is validated and then the exclusion is applied to overcome vulnerability insecurities.

    🙂

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Rinconmike Enthusiast ✭✭

    Thanks for the replies. Some more questions.

    Is there a list I can reference of more sites to exclude other than the default?

    Any reason not to exclude .microsoft.com or .google.com?

    Any reason not to exclude most that pop up in the connection failures list as I am testing each user machine?

    On using the "." or not in front of the name, why do some of the default common name exclusions have the "." and others do not?

    I see two different responses on

    Always authenticate server before applying exclusion policy

    Is it better to leave this disabled which is default or to enable it? When you go to the common name failures and hit exclude, there is no option to enable it but you can go and edit to enable it. There is also an option to change the global setting to enable it.

    What are the downsides of enabling it?

    This article shows enabling it, but this is for the CFS tab under DPI-SSL Client. I have not found other articles on this.

    I also found the below that states:

    • Exclude: When this action is selected, the Common Names added are excluded from Client DPI-SSL inspection. When choosing this action, the administrator has the option to check the box, Always authenticate server before applying exclusion policy. Enabling this option can prevent an unsuspecting client from phishing or URL redirect related attacks. By default this option is unchecked.
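
The leading-dot rule from the first answer, applied to a list of connection-failure names to preview what a proposed exclusion would take out of inspection. This is an added example, not SonicWall code or part of any post; the exact-match handling of entries without a dot, the function names and the sample host names are assumptions made for illustration.

```python
def covers(entry: str, host: str) -> bool:
    """True if an exclusion entry covers a certificate common name / host."""
    entry, host = entry.lower().rstrip("."), host.lower().rstrip(".")
    if entry.startswith("."):
        base = entry[1:]
        # Leading dot: the domain itself and any sub-domain (as the first
        # answer describes). Matching on the dot keeps look-alikes such as
        # "notmicrosoft.com" out of the exclusion.
        return host == base or host.endswith(entry)
    # Assumption: an entry without a leading dot matches that exact name only.
    # The page does not state how the firewall treats such entries.
    return host == entry


def audit(exclusions, failures):
    """Return ({host: [entries covering it]}, [hosts still inspected])."""
    covered, uncovered = {}, []
    for host in failures:
        hits = [e for e in exclusions if covers(e, host)]
        if hits:
            covered[host] = hits
        else:
            uncovered.append(host)
    return covered, uncovered


# Constructed sample of connection-failure names (not from a real firewall).
FAILURES = [
    "login.microsoft.com",
    "microsoft.com",
    "update.microsoft.com",
    "notmicrosoft.com",
    "microsoft.com.example.net",
    "www.google.com",
]

if __name__ == "__main__":
    covered, uncovered = audit([".microsoft.com"], FAILURES)
    for host, hits in covered.items():
        print(f"excluded from inspection: {host} via {hits}")
    for host in uncovered:
        print(f"still inspected: {host}")
```

Running it against an export of the failures list before adding an entry shows how much traffic a single wildcard exclusion would leave uninspected.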


