DPI-SSL Exclusions, Show Connection Failures, and Other Suggestions
I'm surprised that there still isn't a way to export all the custom entries for Common Name Exclusions/Inclusions. A lot of times I want to use many of the same entries in different customer firewalls, so I have to manually add them all. Best I can do is keep a master list on my PC and paste it into the Add box with the proper formatting.
Also, some kind of time-stamping of the connection failures would at times make troubleshooting a little easier.
Lastly, one of my great frustrations with DPI-SSL is when sites/connections get blocked and there is no indication under Connection Failure or Event Logs, yet if I disable DPI-SSL the problem goes away. What types of DPI-SSL blocks aren't recorded and why not? Can there be a management override function at the browser that doesn't require going into the firewall and disabling DPI-SSL for everyone, or doing a temporary exclusion?
Comments
Hello @xdmfanboy,
All of them are wonderful suggestions.
1) I usually use the TSR of the firewall and make a list of the exclusions as a TXT file and then just paste all the contents while adding the same exclusions on a different firewall. But, I know it would be easier if there is an import option as available for CFS URI lists.
2) I am sure the time stamp info is available, and the reason it is not shown is that one common name failure is shown only once, although multiple computers might be going there and running into the same problem. With displaying time stamps, that info needs to be updated for every new failure that takes place. But I understand your concern, and this might be useful while troubleshooting.
3) For the override, if we do not see the Connection Failure entry or logs, it would be best to use IP-based exclusions from the source facing the issue rather than turning OFF DPI-SSL to verify. If you have any scenario that was affected by DPI-SSL and did not show up, let Support know so that we can report these things back to Engineering and they can take care of it.
For all enhancements, you can contact SonicWall Sales and they can reach out to Engineering with those requests so that we can have these added on our upcoming firmware versions.
Thank you!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93 , curious to know what you mean by "did not show up"?
I just had an extended tech support email thread for two weeks with Datto about a cloud-managed network switch that was not reporting back. At the client's site, and after an hour with Datto support helping me reflash the firmware and reset the device, nothing worked. As a last resort, I got their data center IP addresses and ran a packet capture - sure enough it was reporting failures. There was NO indication in the Log that the transmissions were failing.
Near the end of a 30 minute web session with a SonicWall tech later that night, she turned off DPI-SSL and the device re-appeared in the web console. Turns out I had to add those IP addresses to the exclusion list.
As far as I was concerned, this was hidden...
@Larry,
I meant that the connection failures did not appear although DPI-SSL was creating the problem. This is an amazing example. Do you have the case number handy, or additional data taken during the issue, so that we can see why it wasn't showing up under Connection Failures although it was breaking the connection?
I am working on my end to look through these kinds of scenarios.
Thanks!
Shipra Sahu
Technical Support Advisor, Premier Services
@shiprasahu93 - no one went into the "Connection Failures" dialog.
I'm looking at that function now and do not see any reference to the IP addresses of the DCs nor the device. Although I do see all the failures of my laptop because I didn't have the SonicWall certificate installed in my browser when I started working on this.
But this is another, I'm going to call it, "antagonistic tendency" associated with SonicWall's advanced features.
Right now, having forgotten my DPI-SSL training from months ago, and it having been a late Thursday night, I'm confused. There is no reporting on this and there are no date stamps for the entries. As an MSP, am I supposed to remote in to each client's device to see what the list is, then make any necessary adjustments, then clear it out? Am I supposed to do this every single day? How is that possibly effective? Are there any other approaches to ensuring that things don't fall down when this feature is enabled?
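The two gaps raised in this thread, one entry per common name with no timestamps (Shipra's point 2) and no way to see first/last occurrence or how many hosts are affected (Larry's last post), can be filled on the MSP side by post-processing an exported failure log. The script below is an added example, not SonicWall code; the log line format and the sample lines are constructed, so a real export would need its own regex.

```python
"""Aggregate DPI-SSL connection failures per common name with timestamps.

Added illustration; the log format below is constructed and is not
SonicWall's real Connection Failures or event-log format.
"""
from dataclasses import dataclass, field
from datetime import datetime
import re

# Constructed sample lines: timestamp, source IP, destination IP, common name, reason
SAMPLE_LOG = """\
2024-03-07T21:02:11 src=10.1.1.20 dst=203.0.113.10 cn=portal.example-datto.test reason=cert_validation
2024-03-07T21:02:45 src=10.1.1.21 dst=203.0.113.10 cn=portal.example-datto.test reason=cert_validation
2024-03-07T21:05:03 src=10.1.1.20 dst=198.51.100.7 cn=updates.example.test reason=client_cert_required
2024-03-07T21:09:30 src=10.1.1.20 dst=203.0.113.10 cn=portal.example-datto.test reason=cert_validation
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) cn=(?P<cn>\S+) reason=(?P<reason>\S+)$"
)

@dataclass
class FailureSummary:
    first_seen: datetime
    last_seen: datetime
    count: int = 0
    sources: set = field(default_factory=set)       # client IPs that hit the failure
    destinations: set = field(default_factory=set)  # server IPs, useful for IP-based exclusions
    reasons: set = field(default_factory=set)

def summarize_failures(log_text: str) -> dict[str, FailureSummary]:
    """Collapse one line per failure into one entry per common name,
    keeping first/last timestamp, hit count and the hosts involved."""
    summaries: dict[str, FailureSummary] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ts = datetime.fromisoformat(m["ts"])
        s = summaries.get(m["cn"])
        if s is None:
            s = summaries[m["cn"]] = FailureSummary(first_seen=ts, last_seen=ts)
        s.first_seen = min(s.first_seen, ts)
        s.last_seen = max(s.last_seen, ts)
        s.count += 1
        s.sources.add(m["src"])
        s.destinations.add(m["dst"])
        s.reasons.add(m["reason"])
    return summaries

def exclusion_candidates(summaries: dict[str, FailureSummary], min_sources: int = 2) -> list[str]:
    """Common names failing from several clients are the first exclusion candidates to review."""
    return sorted(cn for cn, s in summaries.items() if len(s.sources) >= min_sources)
```

Run it daily against each client's export to see which common names are new, how long they have been failing, and which destination IPs an IP-based exclusion would need.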