Troubleshoot DPI-SSL connections
Arkwright
There are lots of ways to enable or disable DPI-SSL for any given connection: zone-level, object include/exclude in DPI-SSL settings and access rule.
How can I work out if any given connection is inspected? I am trying to troubleshoot a scenario where a connection should not be inspected but screenshots from the customer show the firewall's DPI cert.
Category: High End Firewalls
Answers
"How can I work out if any given connection is inspected?"
IIRC the UI doesn't provide any indicator of DPI-SSL in the connection monitor or elsewhere unfortunately, so it really becomes a manual process.
Work your way from the Zone setting, to access rules, to exclusions. Temporarily disable DPI-SSL at each step and verify the functionality changes with the end user.
That's probably as good as it's gonna get.
I typically go to the DPI-SSL page, then go to the tab "Common Name", and then hit "show connection failures". From the list, I can then exclude specific URLs from DPI.
Unfortunately on this system, with a user count in the hundreds, there is exactly one connection failure. This is unbelievable given that at sites with 5 users I might see tens of failures listed.
The zone where this happened does not have DPI-SSL enabled, so in theory this is impossible, right? AFAIK if neither the source nor destination Zone has "DPI SSL Client" enabled, then it should never be re-encrypted.
The customer has sent screenshots from a phone showing the firewall's inspection cert being used for services on the internet. I have access to only the firewall and no other network infrastructure so I cannot prove that a BYOD client might have accidentally ended up in a zone with DPI-SSL due to some network misconfiguration. Hence my question about how to see from the firewall itself what it's actually doing with any given connection.
"I have access to only the firewall and no other network infrastructure so I cannot prove that a BYOD client might have accidentally ended up in a zone with DPI-SSL due to some network misconfiguration"
Tough situation. I would request a screenshot from the device showing its IP address(es) and what SSID it's connected to when the issue occurred. At least then you could see what zone the device is in.
I think I might have an answer but would be grateful if my peers could try to validate this one for me….
Connection Monitor. Change destination port to 80, Flow Type to HTTPS. Every firewall I've checked, this looks like DPI-SSL. Firewalls with DPI-SSL disabled have not yet ever shown me any matching connections.