
DPI-SSL Client exclusions

This is on a NSA-2600

I am working on implementing DPI-SSL and have a question about how the order of inclusion and exclusion works.

If I change AddressObject include from ALL to an addressobjecttestgroup, and then change Userobject include from all to a usertestgroup, how will the Sonicwall react?

The desire will be to allow any computer in the addressobjecttestgroup OR in the usertestgroup.

Not "AND"

Category: Mid Range Firewalls

Answers

  • Saravanan Moderator

    Hi @JST3751,

    Hope you are good.

    DPI-SSL follows AND logic when more than one parameter is considered for inclusion or exclusion.

    Let me refer to your objects with some values to explain the scene better.

    addressobjecttestgroup = 10.10.10.10

    usertestgroup = SonicWall

    In your scenario, the DPI-SSL gets applied only when the firewall sees the traffic from 10.10.10.10 (addressobjecttestgroup) with user logged into 10.10.10.10 as "SonicWall". This corresponds to AND operation.

    Hope this helps.

    Have a better day!!!

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Hello @jst3751,

    As explained by @Saravanan1990_V above, the global inclusions and exclusions under DPI SSL use an AND logic.

    We have enforcement available on zone levels post 6.5.3.x firmware. So, one of the things that you can do to achieve OR capability is keeping the address group on a separate zone and using the User group alone on the global settings.

    I hope this can help you somehow to make it a little easier to test.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Nevyaditha Moderator

    Hi @jst3751 ,

    To add to the above information, you can also enable the DPI-SSL Client or disable it based on access rules for more granular control.

    When the Disable DPI-SSL Client option is enabled in an access rule, traffic matching the access rule is not inspected by the SonicOS DPI-SSL service even when the Enable SSL Client Inspection option is enabled on the MANAGE | Security Configuration | Decryption Services | DPI-SSL/TLS Client page.

    Nevyaditha P

    Technical Support Advisor, Premier Services

  • jst3751 Newbie ✭

    OK I am doing testing now as I had an odd problem on Friday afternoon when it appears that DPI-SSL Client was being enforced upon a user that it should not have.

    In the meantime, I am seeing an undesired issue:

    In DPI-SSL Client on the Common Name tab, you can click on "SHOW CONNECTION FAILURES" but when you do so, failures that are from DPI-SSL Server are also listed there. Is there a way to have DPI-SSL Server failures NOT be listed there?

  • @jst3751,

    The 'Show Connection Failures' shows all errors that took place during SSL negotiations whether the error took place on server side or client side. I also do not see any options to make changes to those View options.

    It would be best to contact support for this scenario as we can perform captures and check logs in real-time for further troubleshooting.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Saravanan Moderator

    @JST3751 - The only way we could see no server failures is when the DPI-SSL is turned OFF or with any DPI-SSL exclusions.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • jst3751 Newbie ✭

    IF the logic being used is AND then ONLY the 2 address objects within the group "2_ DPI-SSL TEST GROUP" should be applied.

    BUT, I am having a big problem. There are only 2 address objects in the group "2_ DPI-SSL TEST GROUP" and neither 192.168.100.143 nor 192.168.100.210 are included. I have an exception for ace.cbp.dhs.gov. YET, that site is being blocked per the connection failure list.

    WHY???

  • Saravanan Moderator

    Hi @JST3751,

    Sounds weird and interesting too.

    Have you by any chance enabled DPI-SSL enforcement on the respective interface assigned Zone? The exact options that you should be looking for are "Enable DPI-SSL Enforcement Service" and "Enable SSL Client Inspection".

    Please give a try and let us know.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • jst3751 Newbie ✭

    All of the address objects are in the LAN zone.

    "Enable DPI-SSL Enforcement Service" IS NOT checked

    "Enable SSL Client Inspection" IS checked

  • Saravanan Moderator

    Hi @jst3751,

    Could you please disable SSL Client Inspection on the LAN zone and check? If you are still facing the same issue, real-time assistance is possibly required. Please open up a support case and contact our Support Team for a live troubleshooting session.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • jst3751 Newbie ✭

    OK, this is even weirdererer than that:

    If I disable SSL Client Inspection on the zone, that website works fine. However NO DPI-SSL Client settings are applied to anything in that zone.

    If I enable SSL Client Inspection on the zone, enable DPI-SSL Client, that website gets blocked for ALL no matter what exclusion/inclusion objects are set and even if I have an exclusion for that in common Name.

    In other words, no matter what I check or uncheck, if DPI-SSL Client is enabled that site does not work.

  • jst3751 Newbie ✭

    NOW, here is another interesting tidbit:

    In Client DPI-SSL, if I uncheck "Always authenticate server before applying exclusion policy" then that website works.

    Again, regardless of what exclusion/inclusion objects I have selected on the Objects tab.

  • @jst3751,

    That option is going to perform the SSL handshake with the server and make sure that the authentication is successful. It means that the certificate validation needs to take place. What is the website that you are having issues with?

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • Hello @jst3751 ,

    I tried this on my end and faced the same problem. It shows a Server error under connection failures.

    I found that the certificate chain is as below and once I imported the intermediate certificate on the firewall, I could access the website with no issues.

    So, basically when the SonicWall is trying to establish the SSL connection to that website, the certification chain validation is failing. The SonicWall does not store all the certificates, including intermediate certs, like a usual browser does, and hence you might see these issues. If you are excluding a common name, I would suggest keeping this option disabled.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • jst3751 Newbie ✭

    OK, now that opened up another problem avenue. I am already forcing SSL checks, as if the intermediate was needed it would be failing regardless of DPI-SSL (Firewall Settings, SSL Control).

    Checking what certificates I have on the firewall, I see I already have that intermediate installed. HOWEVER, the certificate path is different for me.

    NOW, here is where I see a problem. On the "Entrust Root Certification Authority - G2", if I look at the serial number for that it is "51d34044" BUT the serial number of the BUILTIN certificate on the Sonicwall is "4A538C28".

    If you go to https://ssl-tools.net/subjects/cc6d221cf6b4552c2f87915f5afef0e1eece83cc you will actually see there are 4 different fingerprints for Entrust Certification Authority - L1K
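
    The two certificate problems in this thread, a chain that only validates once the intermediate is present (Shipra's finding above) and two certificates carrying the same subject name but different serials and fingerprints (the Entrust comparison just above), reproduced as an added example that is not from the thread or from SonicWall. It builds a throw-away test PKI with openssl; all names (Test Root CA, Test Intermediate CA, example.test) and the temporary working directory are constructed, and it assumes an `openssl` binary (1.1.1 or newer) on the PATH.

```shell
#!/bin/sh
# Added example, not from the thread or from SonicWall. Builds a throw-away
# test PKI with openssl and shows (1) why a validator holding only the root
# cannot chain a leaf signed by an intermediate it has never seen, and
# (2) why two certificates with the same subject name must be told apart by
# serial number or fingerprint. All names and paths are constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Issue: root -> intermediate -> leaf, plus a second root that reuses the
# first root's subject name with a fresh key. Skips work if already built.
build_test_pki() {
  [ -f "$WORK/leaf.pem" ] && return 0
  (
    cd "$WORK"
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
    printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:example.test\n' > leaf.ext

    # Self-signed root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
      -keyout root.key -out root.csr >/dev/null 2>&1
    openssl x509 -req -in root.csr -signkey root.key -days 30 -sha256 \
      -extfile ca.ext -out root.pem >/dev/null 2>&1

    # Intermediate signed by the root
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Intermediate CA' \
      -keyout inter.key -out inter.csr >/dev/null 2>&1
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial \
      -days 30 -sha256 -extfile ca.ext -out inter.pem >/dev/null 2>&1

    # Server (leaf) certificate signed by the intermediate
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=example.test' \
      -keyout leaf.key -out leaf.csr >/dev/null 2>&1
    openssl x509 -req -in leaf.csr -CA inter.pem -CAkey inter.key -CAcreateserial \
      -days 30 -sha256 -extfile leaf.ext -out leaf.pem >/dev/null 2>&1

    # A look-alike root: same subject as root.pem, different key and serial
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Test Root CA' \
      -keyout root2.key -out root2.csr >/dev/null 2>&1
    openssl x509 -req -in root2.csr -signkey root2.key -days 30 -sha256 \
      -extfile ca.ext -out root2.pem >/dev/null 2>&1
  )
}

# Trust store holds only the root: the path builder finds no issuer for the
# leaf and openssl exits non-zero ("unable to get local issuer certificate").
verify_with_root_only() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

# Same root, intermediate supplied as an untrusted helper: the chain closes.
verify_with_intermediate() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# Look-alike root in the trust store: the name matches the intermediate's
# issuer, but the signature does not verify under that key, so this fails too.
verify_with_lookalike_root() {
  openssl verify -CAfile "$WORK/root2.pem" -untrusted "$WORK/inter.pem" \
    "$WORK/leaf.pem" >/dev/null 2>&1
}

# The fields to compare when checking a built-in CA against a site's chain.
cert_subject()     { openssl x509 -in "$1" -noout -subject | sed 's/^subject=//'; }
cert_serial()      { openssl x509 -in "$1" -noout -serial  | sed 's/^serial=//'; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

build_test_pki
echo "root only:            $(verify_with_root_only && echo OK || echo FAIL)"
echo "root + intermediate:  $(verify_with_intermediate && echo OK || echo FAIL)"
echo "look-alike root:      $(verify_with_lookalike_root && echo OK || echo FAIL)"
for c in root root2; do
  echo "$c: subject=$(cert_subject "$WORK/$c.pem") serial=$(cert_serial "$WORK/$c.pem")"
  echo "$c: sha256=$(cert_fingerprint "$WORK/$c.pem")"
done
```

    Run it as a script: it prints the three verify outcomes and the identity fields of both generated roots. The two roots print the same subject, so when comparing a built-in CA on the firewall against the root of a site's chain, compare the SHA-256 fingerprint (or at least the serial number), not the display name; a device that holds a same-named but different root still cannot validate the chain, which is the third FAIL line.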


  • Hello @jst3751 ,

    Yes, I did notice that on my end. For me as well, I first tested with just intermediate, then added the root as well and then removed the root cert and could still see the website working.

    SSL control intercepts the SSL handshake but is not going to perform the SSL handshake as a client. So, if the SonicWall does not have an intermediate cert, it should not affect the handshake as it is taking place between the browser and the server.

    We will be checking for the following parameters, but the certificate validation still happens on the client machine.

    So, having SSL control should not give you errors.

    This is a really good case and needs a lot of investigation. Feel free to reach out to our Support team so that we can help you in real-time.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • jst3751 Newbie ✭

    Support case number 43429731
