DPI-SSL & CFS (URI block (domain)) Strange behavior. What am I doing wrong?

Chusito Newbie ✭
edited February 20 in Firewall Security Services

Hello,
I have a situation I want to tell you about.
Version 7.1.3 (latest)
I have tested cleanly on a TZ470
WAN-LAN and DPI-SSL + CFS (URI List) (lab environment)
The test is: I want to block a domain; my tests were with “wetransfer.com”.
WITHOUT DPI-SSL, the CFS certainly blocks access to the web.
(CFS - HTTPS enabled)
Now I prepare the DPI-SSL and install the certificate, and in the CFS categories for DPI-SSL I set it to not inspect category 77 (Online Personal Storage).
In this case, with this category excluded from the inspection, YES, you can access this web.
The question is: is the CFS domain blocking part (“Blacklist”) NOT taken into account when DPI-SSL is working?
Logic would say that if I tell the CFS, through the option to block domains, keywords, or URIs, it is still taken into account when the DPI-SSL has that domain (by category) without inspection.
What I am raising is strange and has no logic. Otherwise, what procedure do I have to follow so that the firewall does what I want it to do?
Suppose I want Wetransfer.com to be blocked, BUT I do NOT want Google Drive, or DropBox, or any other to be blocked.

Can any of you confirm this behavior, or am I necessarily configuring something wrong?

Best Answers

  • CORRECT ANSWER
    TKWITS Community Legend ✭✭✭✭✭
    Answer ✓

    IIRC, you must 'inspect' a category that includes related domains for a block/allow list to be applied. It's kind of illogical, but that's how SonicWall does it.

  • CORRECT ANSWER
    preston All-Knowing Sage ✭✭✭✭
    edited February 25 Answer ✓

    In Policy/Security Settings/CFS settings, under CFS custom category, add the wetransfer.com domain as a different category (one that you are inspecting and that is blocked by CFS). Make sure you enable "Enable CFS Custom Category".

    Then when you go to the site next time, it will be blocked. If using DPI-SSL with 7.1.3, you need a HF from support or you will have issues anyway, as there are known bugs with 7.1.3 and DPI-SSL.

Answers

  • Fulgen73 SonicWall Employee
    edited February 25
  • Chusito Newbie ✭
    edited February 26

    Thank you all for your responses and reflections.

    The Preston solution, it seems, DOES cause the domain to lock, whether I have DPI-SSL active or not.

    By leaving the “URI LIST CONFIGURATION” part without effect and undoing any action in this block. (Forbidden URI List → None)

    We will see what the customer says about this “solution”.

    Once again, thank you all for your time.
