
Just how does exclusion/inclusion work in client dpi-ssl?

I've done much searching and read the (vague) documentation, but still haven't found how exclusion/inclusion works.

My specific use case is that I want to exclude everything on my LAN, so I set exclude to 'LAN subnets', which does resolve to what I want to exclude. But, I want to include some specific IP addrs in that subnet, so I created a group with those specific addrs and set include to that.

Issue: it's really not clear that the specific IPs are being included. So, is the logic that exclude is the 'default' set, and include overrides that? Or something else? If something else, how do I do what I want to do?

Thanks, Bill

Category: Mid Range Firewalls

Best Answer

  • TKWITS (Community Legend)

    As you said, there is no include / exclude overlap logic. All that can be said is be very specific with your groups. I must question why you'd want to exclude 'LAN Subnets'...

Answers

  • wje (Newbie)

    Ok, given no responses and some random testing, it appears that exclude/include are really separate lists with no logical connection. For example, if I do the above, exclude everything then include some 'overrides', nope, the exclusion doesn't allow inclusion overrides. But, if I set exclusion to the default 'None', then I can specify specific inclusions that then seem to exclude everything else (if this makes sense, the settings sure don't). Can anyone confirm? In summary, you can set exclusions OR inclusions, there is no override logic. Lame.
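The behaviour reported in the post above (and confirmed in the accepted answer) can be written down as a small decision rule: the exclusion list is evaluated first and wins outright, and the inclusion list only narrows scope when it is non-empty, so there is no "include overrides exclude" step. The following is an added model of that reported behaviour, not SonicWall's own code or any documented algorithm; the `AddressObject` class, the `will_inspect` function, the group names and the 192.168.1.0/24 addresses are all constructed for the example.

```python
import ipaddress
from typing import Iterable, Optional


class AddressObject:
    """Constructed stand-in for a firewall address object or address group.

    Members may be single hosts ("192.168.1.10") or CIDR networks
    ("192.168.1.0/24"). This is an assumption for the example, not the
    appliance's real object model.
    """

    def __init__(self, name: str, members: Iterable[str]):
        self.name = name
        # strict=False lets a host address like 192.168.1.10 parse as a /32
        self.networks = [ipaddress.ip_network(m, strict=False) for m in members]

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.networks)


def will_inspect(ip: str,
                 exclude: Optional[AddressObject],
                 include: Optional[AddressObject]) -> bool:
    """Model of the observed client DPI-SSL include/exclude behaviour.

    1. If the client IP matches the exclusion list, it is never inspected,
       regardless of what the inclusion list says (exclusion wins).
    2. Otherwise, if an inclusion list is configured, only members of that
       list are inspected.
    3. With exclude = None and include = None, everything is inspected.
    """
    if exclude is not None and exclude.contains(ip):
        return False
    if include is not None:
        return include.contains(ip)
    return True


# Constructed objects mirroring the two configurations tried in the thread.
LAN_SUBNETS = AddressObject("LAN Subnets", ["192.168.1.0/24"])
SCAN_HOSTS = AddressObject("DPI-SSL Scan Hosts", ["192.168.1.10", "192.168.1.20"])


def exclude_lan_include_hosts(ip: str) -> bool:
    """First attempt: exclude 'LAN Subnets', include a group of specific hosts."""
    return will_inspect(ip, LAN_SUBNETS, SCAN_HOSTS)


def exclude_none_include_hosts(ip: str) -> bool:
    """Working configuration: exclude 'None', include the same group of hosts."""
    return will_inspect(ip, None, SCAN_HOSTS)


if __name__ == "__main__":
    for ip in ("192.168.1.10", "192.168.1.99"):
        print(f"{ip}: exclude LAN + include hosts -> {exclude_lan_include_hosts(ip)}, "
              f"exclude None + include hosts -> {exclude_none_include_hosts(ip)}")
```

Under this model the first configuration inspects nothing on the LAN, because every LAN host hits the exclusion before the inclusion list is consulted, while the second inspects exactly the members of the inclusion group and nothing else. That is consistent with both observations in the post; if a future firmware changes the precedence, the `will_inspect` function is the single place to adjust.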

  • wje (Newbie)

    The basic issue is all these new IoT devices that try to do HTTPS connections and fail because they have baked-in certs they expect to see, and they have no way to add new trusted certs. My working solution has been to assign all devices I want to scan to an include list, select exclude none, and include that list. Really a silly implementation by Sonic. Note that I'm not using this in a business; I'm a 'home user' who happens to worry about security. I'd like to protect everything, but the DPI stuff is detected as a 'man-in-the-middle' attack, which of course it really is.

  • TKWITS (Community Legend)

    Whatever use-case you are in, my suggestion would be to VLAN out your IoT devices and exclude the VLAN from DPI-SSL.

  • wje (Newbie)

    Hmm, interesting. Good idea, I'll give it a try.
