Menu

Join the Conversation

To sign in, use your existing MySonicWall account. To create a free MySonicWall account click "Register".

Sign In Register

CATP and DPI-SSL

xdmfanboyxdmfanboy Newbie ✭
edited October 2020 in Firewall Security Services

Rather than add to old threads on CATP figured to start new. It seems the service is going downhill, not sure whether undersized platform doing the sandboxing on SW's end or recent firmware on the firewalls. Seems to have gotten worse on 6.5.4.6-79n and even more so on 6.5.4.7.-83n, but could just be ramped up load on SW's site. Nearly all PDFs get blocked, but may get a partial display before it goes away to an error (despite BUV), then when retry get the scan window, which takes FOREVER and a day. The PDFs are from many different sites. The product is becoming unusable, and customers are increasingly annoyed. Of course since DPI-SSL is such a PITA I've been forced to turn it off at many sites, which reduces the number of issues with CATP because of all the encrypted content it can no longer scan and therefore get hung up on.

DPI-SSL seems to be blocking more and more sites, and I would think that more, not less, sites are now in compliance with certificate requirements. Most of the time there is no mention under Show Connection Failures.

Both of these features have cost me countless unbillable hours.

Category: Firewall Security Services
Reply

Answers

  • SaravananSaravanan Moderator

    Hi @XDMFANBOY,

    We regret that your experience with SonicWall is unpleasant. As per the post description, the issue is priority and needs to be dealt in real-time. Please approach our support team for immediate assistance.

    https://www.sonicwall.com/support/contact-support/


    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services

  • Halon5Halon5 Enthusiast ✭✭
    edited October 2020

    @xdmfanboy

    It's sure is challenging. There are some practical ways to reduce the anxiety however...

    You can setup exclusions.. CFS Exclusions work well for that and you should probably choose lots of groups.

    In the end you are just looking to scan a download from a random link (maybe from an email that "got through") so there is no point in scanning business stuff.

    It will reduce the load on your firewall as well as your users ;)

    image.png


    Its also worth looking at SSL exclusions for all the bona fide sites, like "banks" the customers are working with.

    image.png


    It does work but if you are trying to just scan everything you will go mad.


    Sadly there is no way to easily replicate a common list across all your firewalls... [yet anyway]. We tried doing this with the CLI but it is pretty clumsy.


    Please accept my apologies if I am just telling you how to suck eggs.


    Steph,.

  • xdmfanboyxdmfanboy Newbie ✭

    Oh I've got TONS of exclusions for CATP and DPI-SSL. And yes, you point out another deficiency - no easy way to move your custom exclusions between firewalls. There should be an export/import function. As long as these features have been out I'm very surprised they haven't implemented this.

  • Halon5Halon5 Enthusiast ✭✭
    edited October 2020

    Hey @xdmfanboy

    oh dear.. telling you how to suck eggs then..

    well at least we are all in the same boat ! LOL.

Sign In or Register to comment.