Troubleshoot DPI-SSL connections

Arkwright Community Legend ✭✭✭✭✭

There are lots of ways to enable or disable DPI-SSL for any given connection: zone-level, object include/exclude in DPI-SSL settings and access rule.

How can I work out if any given connection is inspected? I am trying to troubleshoot a scenario where a connection should not be inspected but screenshots from customer show the firewall's DPI cert.

Category: High End Firewalls

Answers

  • TKWITS Community Legend ✭✭✭✭✭

    "How can I work out if any given connection is inspected?"

    IIRC the UI doesn't provide any indicator of DPI SSL in the connection monitor or elsewhere unfortunately, so it really becomes a manual process.

    Work your way from the Zone setting, to access rules, to exclusions. Temporarily disable DPI-SSL at each step and verify the functionality changes with the end user.

    That's probably as good as it's gonna get.

  • A_Elliott Enthusiast ✭✭

    I typically go to the DPI-SSL page, then go to the tab "Common Name", and then hit "show connection failures". From the list, I can then exclude specific URLs from DPI.

  • Arkwright Community Legend ✭✭✭✭✭

    "show connection failures"

    Unfortunately on this system, with a user count in the hundreds, there is exactly one connection failure. This is unbelievable given that at sites with 5 users I might see tens of failures listed.

  • Arkwright Community Legend ✭✭✭✭✭

    "Work your way from the Zone setting,"

    The zone where this happened does not have DPI-SSL enabled, so in theory this is impossible, right? AFAIK if neither the source nor the destination Zone has "DPI SSL Client" enabled, then it should never be re-encrypted.

    The customer has sent screenshots from a phone showing the firewall's inspection cert being used for services on the internet. I have access to only the firewall and no other network infrastructure so I cannot prove that a BYOD client might have accidentally ended up in a zone with DPI-SSL due to some network misconfiguration. Hence my question about how to see from the firewall itself what it's actually doing with any given connection.

  • TKWITS Community Legend ✭✭✭✭✭

    "I have access to only the firewall and no other network infrastructure so I cannot prove that a BYOD client might have accidentally ended up in a zone with DPI-SSL due to some network misconfiguration"

    Tough situation. I would request a screenshot from the device showing its IP address(es) and what SSID it's connected to when the issue occurred. At least then you could see what zone the device is in.

  • Arkwright Community Legend ✭✭✭✭✭

    "How can I work out if any given connection is inspected?"

    I think I might have an answer but would be grateful if my peers could try to validate this one for me...

    Connection Monitor. Change destination port to 80, Flow Type to HTTPS. Every firewall I've checked, this looks like DPI-SSL. Firewalls with DPI-SSL disabled have not yet ever shown me any matching connections.
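Since the only hard evidence in this thread is the certificate the client saw, a client-side check complements the firewall-side heuristic above. The script below is added here as an example and is not part of the thread or of SonicWall's tooling: run from the device in question, it performs a TLS handshake and reports whether the leaf certificate was issued by the firewall's inspection CA. The CA common name, the sample certificate dicts and any hostnames passed on the command line are assumptions/constructed values.

```python
import socket
import ssl

# Placeholder (assumption): the Common Name on the firewall's DPI-SSL
# inspection CA. Read the real value from the DPI-SSL certificate settings.
INSPECTION_CA_CN = "DPI-SSL Inspection CA (placeholder)"

# Constructed sample certificates in the dict layout ssl.getpeercert() returns.
SAMPLE_INSPECTED = {"issuer": ((("organizationName", "Firewall"),),
                               (("commonName", INSPECTION_CA_CN),))}
SAMPLE_PUBLIC = {"issuer": ((("countryName", "US"),),
                            (("commonName", "Public Root CA"),))}


def issuer_common_name(cert):
    """Return the issuer CN from a getpeercert()-style dict, or None."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_dpi_inspected(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """True when the leaf cert the client received was issued by the
    inspection CA, i.e. the firewall re-signed this connection."""
    return issuer_common_name(cert) == inspection_ca_cn


def classify_connection(host, port=443, timeout=5,
                        inspection_ca_cn=INSPECTION_CA_CN):
    """Handshake with host:port from this client and report what it sees:
    'inspected' - cert chains to the inspection CA (trusted on this client)
    'untrusted' - cert not trusted by this client at all, which is what a
                  BYOD device without the inspection CA installed sees
    'direct'    - cert issued by a CA other than the inspection CA"""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError:
        return "untrusted"
    return "inspected" if is_dpi_inspected(cert, inspection_ca_cn) else "direct"


if __name__ == "__main__":
    import sys
    for name in sys.argv[1:]:
        print(name, classify_connection(name))
```

Run it from a device in the suspect zone against the same services the customer screenshots came from; an "inspected" or "untrusted" result for a zone that has DPI-SSL Client disabled points at the client sitting in a different zone than assumed.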
