DPI-SSL FQDN Exclusion list

We manage several hundred SonicWALLs for as many Customers.

Each SonicWALL is configured to use Dynamic External Address Group (FQDN) and download a txt that we host.

This was great for us as we could edit one text file which then gets downloaded to many SonicWALLs.

This DEAG was used as a DPI-SSL Exclusion Group Object to bypass DPI-SSL.

However, we were using wildcards in the FQDN to reduce the number of objects in the DEAG but have since discovered this is not supported.

I just wondered how you manage DPI-SSL site exclusions for your SonicWALLs without updating them individually?

Category: Mid Range Firewalls

Answers

  • Michael_Bischof SonicWall Employee
    @GrahamBarnes
    Please open a support ticket on mysonicwall.com and note in the ticket to have it assigned to Michael Bischof. Add the URL to this community post in the support ticket, and I will dig into this and let you know what we can do.
  • VegasSonicWALL Newbie ✭

    This issue is still applicable several years later. You have multiple conflicting articles. Originally, adding a period in front of the domain acted as a wildcard, for example, ".apple.com" would exclude apple.com and ALL subdomains. In your own documentation you have provided this. In your own DPI-SSL Whitelist file, you have it configured. This worked at some point prior to 2022, it seems, and then stopped.

    Honestly, I have reported so many bugs related to DPI-SSL over the last several years it's almost like we have been beta testing this functionality. I expect that people aren't reporting issues anymore because they just outright stopped using the functionality, which is kind of sad because this doesn't really work for security services these days without it. Checking /r/sonicwall it seems most have just given up.
