Problem accessing www.amazon.com when DPI-SSL is enabled
Larry
Client reported problem accessing www.amazon.com this week.
Sure enough, the web browser shows an error:
Clicking for the certificate information, it shows:
Accessing the same website on a computer in a site without DPI-SSL shows the following certification information:
I am at a loss for determining a way to fix this.
Does anyone have any suggestions?
Thanks!
Category: Entry Level Firewalls
Answers
@Larry I had a similar case this week regarding Amazon myself. I'm still in the process of wrapping my head around it.
It seems to be related to a specific certificate issued to the Amazon servers for *.peg.a2z.com. Whenever this certificate is served the DPI-SSL does not work. It seems that some form of Load Balancer causes different Certs for amazon.com (or amazon.de in my case).
As a quick fix I excluded the following URLs from DPI-SSL until I figure out the cause.
It might be related to Cert lifetimes, but not sure about it.
--Michael@BWC
@Larry, check the DPI-SSL Client logs, as it may just be missing CA certs in the SonicWall. I know in the past I had to import 4 extra CA certs for Amazon into the SonicWall, these ones below:
Amazon Root CA 1
Serial - 067F9457508C648C09CA652E71791830E72592
Starfield Services Root Certificate Authority - G2
Serial - 067F94574BB7075D3E48965C783224AA754FED
Amazon Root CA 2
Serial - 067F945755F187A91F8163F3E624620177FF38
Amazon Root CA 4
Serial - 067F94575A8862A9072E3239C37CEBA1274E18
@BWC - Michael, I like the "quick and easy" approach. So I started with two entries and checked.
No improvement, but no additional entries in the DPI-SSL log (thank you for reminding me to look there, @preston).
But what I did see in the System log was this:
And 13.225.210.18 is an Amazon data center.
So now I'm questioning why accessing the www.amazon.com should cause the device to think there's something else nefarious going on...
(of course, the CSR who is attempting to work this case is over his head and - having already spent an hour getting nothing accomplished other than pulling Trace log and TSR - wants to spend more time poking around)
Will investigate those certs because the numbers above do not match what's in the device.
@preston I went here https://www.amazontrust.com/repository/ downloaded the CER files and imported them locally into MMC (Personal) to check the serial numbers. They match what is in the client's TZ600.
How did you obtain files with those serial numbers? And, should I use them?
Not sure where I got them from, it was a while back. Change the extension back to Zip, then extract; I imported them as CA certs.
They may have been superseded with new ones. The only way to really check is to turn off DPI-SSL, or test from a PC with it disabled, then go to Amazon and check all the CA certs in the chain and their serial numbers. That's what I did initially, as some pages on Amazon loaded but not all.
I would also check the DigiCert ones, as recently I've had to include another CA for this:
DigiCert TLS RSA SHA256 2020 CA1
Serial - 0a3508d55c292b017df8ad65c00ff7e4
You can get this from Digicert.com.
In most DPI-SSL Client deployments I would exclude shopping and banking sites from inspection anyway.
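An added example, not from this thread, that automates the chain check described above: it takes the PEM chain exported from an uninspected client (for instance the output of `openssl s_client -showcerts`), reads each certificate's serial number straight from the DER, and reports which serials are not among those imported into the firewall. The minimal DER parser, the `normalize`/`missing_cas` helpers and the `fake_cert_pem` stand-in (a constructed SEQUENCE carrying only version and serial, not a real certificate) are all assumptions of this example.

```python
import base64
import re

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)

def _read_tlv(buf, pos):
    """Read one DER tag-length-value at pos; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits give the byte count of the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """serialNumber of a DER X.509 certificate as uppercase hex with leading zeros dropped."""
    _, cert, _ = _read_tlv(der, 0)          # Certificate ::= SEQUENCE { tbsCertificate, sigAlg, sig }
    _, tbs, _ = _read_tlv(cert, 0)          # TBSCertificate ::= SEQUENCE { version, serialNumber, ... }
    tag, _, pos = _read_tlv(tbs, 0)         # version is [0] EXPLICIT and optional (absent in v1 certs)
    if tag != 0xA0:
        pos = 0                             # no version field: the first element is the serial itself
    tag, serial, _ = _read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber is not an INTEGER")
    return format(int.from_bytes(serial, "big"), "X")   # unsigned read drops DER's 0x00 sign pad

def chain_serials(pem_bundle):
    """Serials of every certificate in a PEM bundle (e.g. the output of openssl s_client -showcerts)."""
    return [cert_serial(base64.b64decode(m)) for m in PEM_RE.findall(pem_bundle)]

def normalize(serial_text):
    """Canonical form of a serial copied from a firewall UI: no colons/spaces, no leading zeros, uppercase."""
    return format(int(re.sub(r"[:\s]", "", serial_text), 16), "X")

def missing_cas(pem_bundle, imported_serials):
    """Serials present in the served chain but absent from the list of imported CA serials."""
    have = {normalize(s) for s in imported_serials}
    return [s for s in chain_serials(pem_bundle) if s not in have]

def fake_cert_pem(serial_hex):
    """Constructed stand-in for a certificate: only version and serialNumber are encoded, nothing else."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body      # short-form lengths are enough here
    value = int(serial_hex, 16)
    raw = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw                 # DER INTEGER is signed: pad a positive value with 0x00
    tbs = tlv(0x30, tlv(0xA0, tlv(0x02, b"\x02")) + tlv(0x02, raw))
    b64 = base64.b64encode(tlv(0x30, tbs)).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"
```

Feed `missing_cas` the real chain text and the serial list from the firewall's CA certificate page; any serial it returns is a CA that still needs importing (or excluding from inspection).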
@preston I'm going to take that last bit of advice.
I've checked Shopping in the CFS exclusions for DPI-SSL to let the office admin do her holiday shopping.
I'm going to pick up this case with Support next week to identify exactly what's going on and what steps to take to let it work properly (again).