DPI-SSL Breaks HTTPS Management : SonicOS 7.1.2-7019
Anyone notice this?
I have a unit in the field that is WAN VLAN tagged 10.
When I go to manage it I get :-
***
net::ERR_CERT_INVALID
Your connection isn't private Attackers might be trying to steal your information from x.x.x.x (for example, passwords, messages or credit cards). NET=ERR_ CERT_INVALD
***
Cant get around it..
Doesn't happen on all my other Untagged circuits..
Turn off DPI-SSL on my own device and , "Hey Presto".
Not sure if it is the tagging or something else. Most our WAN circuits are just Untagged so no problem but the largest ISP's in the country generally VLAN tag 10.
I had the problem on another "new" circuit that was tagged 10. Same issue until it was untagged.
FIRMWARE :
SonicOS 7.1.2-7019
Just Sayin..
Answers
So you are saying you are behind a Sonicwall with DPISSL Client enabled and enforced, and when you browse to the HTTPS management page of a DIFFERENT (or SAME) Sonicwall you end up with the CERT_INVALID result?
Just trying to understand the situation.
Hey There,
Yes I am behind a SNWL TZ370 on my office Zone which has DPI-SSL and services enabled. (Problem goes away when DPI-SSL is disabled)
My customer has a new TZ270 with a WAN circuit on a Sub-Interface VLAN 10. This is the SNWL I try to manage with HTTPS.
I'm have only seen this on SNWL's with WAN on VLAN 10 (the other "far" SNWL was v6.5 too).
This might represent a far bigger problem to a partner in my country where VLAN 10 is common on the WAN circuit.
Thanks, Steph.
I can understand the cert invalid on the management interface unless its been changed uses a self signed with cert 192.168.168.168
You get the same on a browser
Create an exception to DPISSL for the IP address of your client's Sonicwall WAN interface, then try again. It's possible Content Filter or SSL Control features of the Sonicwall you are behind could also affect the connection.
Since you get the invalid cert message in your browser it seems the traffic is already passing. Most browsers allow you to create an exception for, or bypass, an invalid cert. Are you unable to do that?
Hiya,
It's not really appropriate and these systems have been in place a VERY long time.
Don't see why I shouldn't be able to manage SonicWALL firewalls from a SonicWALL firewall with DPI-SSL enabled.
I am now going to open another case on our NSA2700 which is having issues with managing ALL firewalls with DPI-SSL turned on.
sigh…
Another thing is that DPI-SSL (SSL Client Inspection) doesn't work well in SonicWall. I had to add exclusions for almost all IPs of Android devices. With DPI-SSL enabled, nothing worked - especially applications.
Hi Marius,
When it works it's pretty useful, but it sure has its problems, and they are sometimes introduced with firmware updates.
Are you aware that you can set Content Filtering options to exclude site categories? That helps with the sheer number of exclusions that you need to do. Then just exclude out Bonafide high level domains for your country.
When it's broken its real problem though.
In the end you are just trying to catch that UNUSUAL TRANSMISSION.
Thanks, Steph.
OK. Turns out nothing to do with VLAN 10.
Found that we had already had DPI-SSL exclusions set for many static IP's. Worked through a case with SNWL.
According to support there is no way out. Either set an exclusion by IP (which would work for static's) or generate and add a certificate for the firewall in question.
😔