Not all domains are blocked properly

Hi Community

We use a SonicWall NSa 2650 and have configured a Forbidden List containing blocked domains in URL List Objects.

Then we configured CFS Action Objects and connected them both in CFS Profile Objects.

For some domains this works properly and we can see the HTML page configured in CFS Action Objects.

But for some domains we can see only an HTML error message. I have noticed two different errors - one in Mozilla FF (DNS_PROBE_FINISHED_NXDOMAIN, PR_CONNECT_RESET_ERROR) and the second one in Chrome (ERR_CONNECTION_RESET) - this happened, for example, for the open.fm domain.

Could you please advise me what I'm doing wrong and why not every domain listed in the Forbidden List has the same action?


Best regards, Michal

Category: Firewall Security Services
Answers

  • Michal Newbie ✭

    Hello SHIPRASAHU93

    Thanks for all of your suggestions. I have read topics about DPI-SSL and, as I see it, we must decrypt packets from VPN Users to the Firewall to verify content and firewall rules.

    My doubt is the firewall's performance, because this kind of operation (crypt/decrypt) always uses a lot of performance.

    I also see the checkbox: Allow SSL without decryption (bypass) when connection limit exceeded

    Thus I imagine that we need to limit the number of connections to keep good firewall performance, am I right?

    Thank you in advance for help

    Best regards, Michal

  • @MICHAL - Yes, you are right. Each appliance model will have its own connection limit for DPISSL. When connections go beyond this limit and if the checkbox "Allow SSL without decryption (bypass) when connection limit exceeded" is enabled, the DPISSL doesn't get applied to further SSL connections via the SonicWall. If this checkbox is disabled, then the further SSL connections are dropped by the SonicWall.

    Regards

    Saravanan V

    Technical Support Advisor - Premier Services

    Professional Services
