
DPI-SSL Client SSL exclusion not working randomly

Configuration: NSA4700 active/passive cluster
Firmware: 7.0.1-5145

We have category-based exclusion, common name exclusion and an exclusion list with FQDN exclusions. At least the exclusion with FQDN sometimes does not work. Normally I open such a website in the browser and the original certificate is visible, but sometimes the certificate of the SonicWall is there.

Any ideas?

Category: High End Firewalls

Answers

  • preston All-Knowing Sage ✭✭✭✭
    edited April 26

    Hi Sonicw4ll, this is usually caused by the browser using the QUIC protocol and sending the traffic via UDP rather than TCP. You need to create an outbound access rule blocking UDP 443 (Google QUIC protocol), i.e. from LAN to WAN, Action = Deny, Service = UDP 443.

    Also make sure you have imported any missing third-party CA certificates needed. You can usually tell if they are missing by going to DPI-SSL Client / Common Name / Show Connection Failures (there will be entries that say missing CA or unknown CA).

    Also check that the DNS server the firewall is pointing to is the same DNS server the client is using.
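A quick way to confirm from a client which excluded hosts are still being intercepted is to open a plain TCP TLS session to each one and look at who issued the leaf certificate: the genuine site CA means the exclusion applied, the firewall's DPI-SSL CA means it did not. The script below is an added example, not code from this thread or from SonicWall. It assumes the DPI-SSL CA is installed in the trust store Python uses on that client (so intercepted sessions still verify), and the CA common name `DPI_CA_COMMON_NAME` is a placeholder you must replace with your firewall's. Because it forces TCP 443, it also sidesteps the QUIC/UDP path mentioned above, so a host that shows as intercepted here is not a QUIC problem.

```python
"""Report which hosts still present the firewall's DPI-SSL certificate over TCP 443."""
import socket
import ssl
from typing import Dict, List, Tuple

# Hypothetical CN of the firewall's DPI-SSL signing CA as it appears in the
# issuer of intercepted leaf certificates. Replace with your own CA's CN.
DPI_CA_COMMON_NAME = "SonicWall Firewall DPI-SSL"


def issuer_common_name(cert: Dict) -> str:
    """Return the issuer CN from a cert dict in ssl.getpeercert() format.

    The issuer is a tuple of RDNs, each RDN a tuple of (attribute, value) pairs.
    """
    for rdn in cert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return ""


def classify(cert: Dict, dpi_ca_cn: str = DPI_CA_COMMON_NAME) -> str:
    """'intercepted' if the leaf was signed by the DPI-SSL CA, else 'passthrough'."""
    return "intercepted" if issuer_common_name(cert) == dpi_ca_cn else "passthrough"


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> Dict:
    """Open a TLS session over TCP (never UDP/QUIC) and return the parsed leaf cert.

    The default context verifies the chain, so the DPI-SSL CA must be trusted by
    this Python; if it is not, intercepted hosts raise SSLCertVerificationError,
    which is itself a clear signal that the firewall re-signed the certificate.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def audit(hosts: List[str], dpi_ca_cn: str = DPI_CA_COMMON_NAME) -> List[Tuple[str, str]]:
    """Classify each host; network and verification errors are reported, not raised."""
    results: List[Tuple[str, str]] = []
    for host in hosts:
        try:
            results.append((host, classify(fetch_cert(host), dpi_ca_cn)))
        except ssl.SSLCertVerificationError as exc:
            results.append((host, f"verify-failed: {exc.reason}"))
        except OSError as exc:
            results.append((host, f"error: {exc}"))
    return results


# Constructed sample certificates in the shape ssl.getpeercert() returns, for
# offline checks of the classification logic (not real certificates).
SAMPLE_PASSTHROUGH = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example CA"),),
        (("commonName", "Example Issuing CA"),),
    ),
}
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("commonName", DPI_CA_COMMON_NAME),),),
}

if __name__ == "__main__":
    import sys

    # Run repeatedly against the excluded FQDNs: a host that alternates between
    # verdicts points at a resolution mismatch (firewall DNS vs client DNS).
    for host, verdict in audit(sys.argv[1:] or ["www.example.com"]):
        print(f"{host:40s} {verdict}")
```

Run it several times in a row against the FQDNs on your exclusion list; an intermittent "intercepted" verdict for a host that should pass through is the symptom described in the question, and lines up with the DNS tip above, since an FQDN exclusion can only match the addresses the firewall itself resolved.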

  • SonicW4ll Newbie ✭

    Hi Preston, thanks for these tips.

    There was a missing or unknown CA in "Show connection failures"; I've added this to the exclusions. But I don't understand this: I've already added the hostname in the address object exclusion group, so why do I have to add this additionally in the common name section? What is the difference?

    It should not be a problem with QUIC; it's already disabled in the browser.
    The DNS servers are the same.
