Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

DPI-SSL - Webpages don't finish loading

Hi, we have a customer that has a TZ 570 and DPI-SSL that's been configured and running for a few years (reasonably happily!).

They've come to us recently reporting that some websites don't appear to complete their loading process. On the browser tab we see the spinning icon continually spinning. Pinpointed to DPI-SSL being the culprit by disabling temporarily and the page load completes; to confirm the browser was reset in case there was caching.

A couple of example websites we've tested with include euronews.com and autotrader.co.uk. It's typically websites with multiple ads embedded. Checking the sources in the browser uncovers (what we think) is the issue. There are multiple domains associated with the website, most unrelated to the parent domain name. The SonicWALL is obviously not going to be aware of these sites and almost impossible to exclude if all sites are like this.

See the attached image for example.

Has anyone seen this with DPI-SSL or knowledge of how we overcome it?

Thanks.


Category: Mid Range Firewalls
Reply

Answers

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @StuartBooth I can confirm similar trouble even on a NSa 4700 with activated DPI-SSL. I didn't had the time to dig into it, but it looked that sites with heave usage of ADs re impacted most, like newspaper sites etc. This might be the same in your case.

    Browser Developer tools are helpful here, because you could see in the network activity that some requests are taking forever to finish.

    I already created a bunch of common name exclusions which helped a lot, but there were to many exclusions to make so the customer decided to take a break from DPI-SSL.

    --Michael@BWC

  • LarryLarry All-Knowing Sage ✭✭✭✭

    In some cases, using the AdBlock Plus extension from the Google Chrome store may help reduce the initial download of some of the debris, resulting in a completed page. I suggest this as a means of possibly bypassing the problem, not solving it.

  • Thanks both. Sounds like we're possibly in the right area with this one ...unfortunate as that is!

    AdBlock has been suggested as it's something the customer has used with previous employers but doesn't appear to have much of an impact and as you mention is a workaround rather than resolution.

    Tricky to get a resolution to this particular issue it would seem. With the fluidity of a website changing daily, or by the minute it'll be almost impossible for the SonicWALL to be intuitive enough to keep up. Or administrators with the exclusions ;-)

    Have either of you reached out to SonicWALL support on this?

  • BWCBWC Cybersecurity Overlord ✭✭✭

    @StuartBooth I did not raised this situation with Support, because it can be a challenging to deal with sometimes and I wasn't ready for that 🤐

    IMHO DPI-SSL is on the downfall and the time I'll spend with it is decreasing.

    --Michael@BWC

  • TKWITSTKWITS Community Legend ✭✭✭✭✭

    To throw my two cents in:

    Rely on straight DPI-SSL exclusions, not on the Common Name exclusions.

    Don't forget about CDNs.

    Read up on SSL Pinning.

    @BWC DPISSL on the downfall? Do tell!

Sign In or Register to comment.