Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

DPI-SSL exceptions not honoured?

Simon_WeelSimon_Weel Enthusiast ✭✭
edited March 2022 in Firewall Security Services

DPI-SSL is giving me a head-ache. Excluding domains doesn't seem to work, since those domains still show up under the button Show Connection Failures. One of the things blocked is the Sonos app. We have a couple of Sonos appliances for ambient music in the office. They are controlled with an app Sonos Controller for PC. As soon as I switch on DPI-SSL, the music stops playing. When I look at the failed connections, it lists several domains, for example mnfts.ws.sonos.com and legato.radiotime.com. When I add those domains to the exclusions, they still pop up under failed connections? So either I'm doing something wrong, or it doesn't work the way I think it works....

Category: Firewall Security Services
Reply

Answers

  • prestonpreston All-Knowing Sage ✭✭✭✭
    edited March 2022

    @Simon_Weel , try also excluding

    legato.radiotime.com.cdn.cloudflare.net

    and also the IPs

    52.222.149.65

    52.222.149.119

    52.222.149.32

    52.222.149.110


    Also make sure the SonicWall DNS is pointing to the same DNS as your Clients or DNS Server forwarders

  • AjishlalAjishlal Community Legend ✭✭✭✭✭

    @Simon_Weel

    add the wildcard domain name.

    *.sonos.com, *.radiotime.com

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    Are these legitimate devices to have on the corporate network or should they be isolated to their own network where you can disable DPISSL (should be isolated...)? You have to also consider what security services you are using WITH DPISSL (GAV/GAS, IPS, etc.) and add exceptions to those.

  • Simon_WeelSimon_Weel Enthusiast ✭✭

    The devices themselves are not the problem - it's the app to control them giving problems. But you are right; it would be best to put those things in their own network. In which case they cannot be controlled with the app from within the LAN. Not necessarily a bad thing. We're going to plug them into the Wifi-network, which is NOT connected to the LAN, and control them with a smartphone app.

    This aside, what bothers me is the fact that DPI-SSL exclusions still fail to connect? I mean, if you add an exception for a domain, you would NOT expect that domain to be blocked anyway. And yes, I did change the domain name to use a wildcard.

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    As Preston hinted at many services use CDNs to distribute traffic, rather than just a handful of IPs/FQDNs. What is likely happening is the CDNs are getting caught up in your security services.

Sign In or Register to comment.