Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Trying to properly configure, test, and then deploy DPI-SSL Client but I'm unclear on a few things

First, I'm on SonicOS 6.5.4.8-89n with two NSA 3600's in an HA pair. I've been trying to read through as many SW KB articles as possible but I'm still unclear on somethings. I mainly want to enable DPI-SSL since I've realized that my IDS/IPS and reporting/analytics is pretty much useless without it since I'm currently only seeing HTTP traffic. The plan is to use it with as much as possible (all user computers and network servers's WAN traffic). So I want to enable it and first test with some computers, starting with a single one called IT-LT.

I've looked at:


Questions (see attached screenshots for additional details/info);

  1. When I click "Enable SSL Client Inspection, and then click any of the items below it, I understand that I need to reboot the Sonicwall, is that correct?
  2. Are my Exclusion/Inclusion settings correct? - I just want to test on system named IT-LT, which is an Address Object for a FQDN host on the network
  3. In Network Zones, I see that DPI-SSL Server is currently checked green which I'm not sure if that was a mistake from the previous admin or what. I assume DPI-SSL Client needs to be checked green for WAN and any other zones I want it enabled on, right? I just want to more fully get protection and reporting on Internet traffic to/from user computers and servers - do I need to enable it on those zones too?


Category: Mid Range Firewalls
Reply

Answers

  • prestonpreston All-Knowing Sage ✭✭✭✭

    Hi @lostbackups , yes enable the services, make sure you have deployed the DPI-SSL Cert and reboot the Sonicwall and also restart the browser on the test PC,

    Ignore the Server DPI-SSL this is for incoming connections to mail/web servers

    also create a firewall rule to blick outgoing UDP 443 (google Quic protocol) other wise the DPI-SSL will not work correctly with Chrome or Edge.

  • You suggest blocking UDP 443? I just checked and we actually have a few rules explicitly enabling it from PC VLAN to WAN for Google QUICK. I don't know anything about the QUICK protocol so I'll have to do some reading. Does a Sonicwall KB article mention the suggestion of blocking it?

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    QUIC is Google's lossy implementation of HTTPS. Its been made a standard (unfortunately), but as PRESTON mentioned it can cause issues with DPI-SSL functioning correctly with Chromium-based browsers.

    There's a reason PRESTON mentioned it.

    Since it was just ratified into a standard in May, I doubt any companys DPI-SSL can handle it completely just yet.

  • Gotchya. Yeah I have been reading up on it. I'll look into blocking that after hours since I don't want to mess up people's Chrome sessions right now.

    I assume blocking that will cause Chrome to revert to using regular TCP then so blocking it should be a non-issue.

Sign In or Register to comment.