TZ 670 DPI-SSL
I am configuring my TZ 670 and turned on DPI-SSL Client.
Under General Tab, I turned on
Audit new default exclusion domain names prior to being added for exclusion
If I did not turn this on, would the system automatically add connection failures to the Common Name Exclusions?
Also, I am testing it with one workstation for now. I have a lot of microsoft.com failures. Is it typical to just add microsoft.com to the exclusion as opposed to the various items?
When adding a site, do you put the "." in front or not? Which is correct?
.microsoft.com or microsoft.com
The built-in ones do it both ways. Some with the ".", others without?
Last, when excluding there is an option to:
Always authenticate server before applying exclusion policy
It is disabled by default. I saw in a KB article to enable this. Which should I do?
Answers
Hello @Rinconmike,
1) Audit new default exclusion domain names prior to being added for exclusion: This option applies whenever SonicWall decides to add more default DPI-SSL exclusions. It does not get auto-populated with connection failures based on your environment. You can see that there are 39 default exclusions in place; if more are added from our end, you get a chance to audit them before they are added to the common name default exclusions.
2) When creating exclusions, .microsoft.com stands for that domain and any of its sub-domains; it is basically for wildcard domain names. So, it is okay to add .microsoft.com to the exclusion list if needed.
3) Always authenticate server before applying exclusion policy: Although we are excluding certain domains, it is possible that you still want the firewall to authenticate the source of the connection; in that case this can be turned ON. I would suggest leaving it turned ON.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
Hi @RINCONMIKE,
Thank you for visiting SonicWall Community.
Please find answers to your questions inline.
Audit new default exclusion domain names prior to being added for exclusion
If I did not turn this on, would the system automatically add connection failures to the Common Name Exclusions?
Answer: No. This option correlates only with the built-in exclusion list.
Also, I am testing it with one workstation for now. I have a lot of microsoft.com failures. Is it typical to just add microsoft.com to the exclusion oppose to the various items?
Answer: Yes, right. You can add .microsoft.com to the exclusion list.
When adding a site, do you put the "." in from or not? Which is correct?
Answer: .microsoft.com
Always authenticate server before applying exclusion policy
It is disabled by default. I saw in a KB article to enable this. Which should I do?
Answer: Please enable this checkbox. The exclusion domain's certificate is validated and only then is the exclusion applied, to overcome vulnerability insecurities.
🙂
Regards
Saravanan V
Technical Support Advisor - Premier Services
Professional Services
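The two answers above describe the same two behaviours: a leading-dot entry such as .microsoft.com covers the domain and all of its sub-domains, and the "Always authenticate server before applying exclusion policy" option makes the firewall validate the server certificate before it honours an exclusion. The Python below is an added illustration of that logic written for this thread; it is not SonicWall code and does not claim to be the firewall's actual implementation. Two things in it are assumptions: an entry without a leading dot is treated as an exact match only, and a connection whose server fails authentication falls back to normal inspection rather than being blocked. The host names are constructed sample data.

```python
# Added example, not SonicWall code: models the matching behaviour the two
# answers above describe for DPI-SSL common-name exclusions.

from typing import Iterable, List


def matches_exclusion(entry: str, host: str) -> bool:
    """Return True if an exclusion-list entry covers the given server name.

    A leading dot (".microsoft.com") is the wildcard form from the answers: it
    covers the apex name and every sub-domain. An entry without the dot is
    treated here as an exact match only; that narrower reading is an
    assumption of this example, not something the thread confirms.
    """
    entry = entry.strip().lower()
    host = host.strip().lower().rstrip(".")
    if entry.startswith("."):
        suffix = entry[1:]
        # Match on a label boundary so "notmicrosoft.com" is not swept in.
        return host == suffix or host.endswith("." + suffix)
    return host == entry


def coverage(entry: str, failed_hosts: Iterable[str]) -> List[str]:
    """Hosts from a common-name failure list that one entry would exclude."""
    return [h for h in failed_hosts if matches_exclusion(entry, h)]


def decide(exclusions: Iterable[str], host: str, server_authenticated: bool,
           always_authenticate: bool) -> str:
    """Return "bypass" (skip DPI-SSL) or "inspect" for one connection.

    server_authenticated stands in for the firewall's own validation of the
    server certificate. With "always authenticate server before applying
    exclusion policy" on, a matching exclusion is only honoured when that
    validation succeeded; falling back to inspection otherwise is an
    assumption of this example.
    """
    if not any(matches_exclusion(e, host) for e in exclusions):
        return "inspect"
    if always_authenticate and not server_authenticated:
        return "inspect"
    return "bypass"


# Constructed sample: names a single test workstation might show in the
# common-name failures list, plus one look-alike that must not be excluded.
FAILED_HOSTS = [
    "login.microsoftonline.com",
    "www.microsoft.com",
    "microsoft.com",
    "settings-win.data.microsoft.com",
    "notmicrosoft.com",
]

if __name__ == "__main__":
    print("covered by .microsoft.com:", coverage(".microsoft.com", FAILED_HOSTS))
    print("covered by microsoft.com: ", coverage("microsoft.com", FAILED_HOSTS))
    for authenticated in (True, False):
        print("www.microsoft.com, server authenticated =", authenticated,
              "->", decide([".microsoft.com"], "www.microsoft.com",
                           authenticated, always_authenticate=True))
```

Running it shows why one wildcard entry replaces several individual ones, and also where it stops: login.microsoftonline.com is a different registered domain and is not covered by .microsoft.com, so it needs its own entry if it keeps failing.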
Thanks for the replies. Some more questions.
Is there a list I can reference of more sites to exclude other than the default?
Any reason not to exclude .microsoft.com or .google.com?
Any reason not to exclude most that pop up in the connection failures list as I am testing each user machine?
On using the "." or not in front of the name, why do some of the default common name exclusions have the "." and others do not?
I see two different responses on
Always authenticate server before applying exclusion policy
Is it better to leave this disabled which is default or to enable it? When you go to the common name failures and hit exclude, there is no option to enable it but you can go and edit to enable it. There is also an option to change the global setting to enable it.
What are the downsides of enabling it?
This article shows enabling it, but this is for the CFS tab under DPI-SSL Client. I have not found other articles on this.
I also found the below that states: