is DPI-SSL a must have now?

Our firewall has Capture ATP and all the other security services. However, if I click on DPI-SSL I get a message:
SonicWall DPI-SSL enables inspection and protection of client and server encrypted Secure-Socket-Layer (SSL/TLS) connections, allowing these connections to be scanned by SonicWall Security Services including: Intrusion Prevention, Gateway Anti-Virus, Gateway Anti-Spyware, Application Firewall and Content Filtering Premium Edition.
Am I correct to assume that none of the security services on the firewall will find anything if the connection is encrypted? And if so, now that most of internet traffic is encrypted, do we need to purchase DPI-SSL upgrade to actually be protected?
Best Answers
shiprasahu93 Moderator
Hello @AIT,
We can check the headers, but most of the time the malware is hidden in the payload, which is why DPI-SSL is essential for encrypted sessions.
For all Gen 6 devices, DPI-SSL can be enabled from the MySonicWall account. Which device are you using?
Shipra Sahu
Technical Support Advisor, Premier Services
shiprasahu93 Moderator
That is right. There are ways that this can be pushed via a group policy etc. Please take a look at this KB for more details.
Shipra Sahu
Technical Support Advisor, Premier Services
I am using a TZ400. What I am wondering is if, without DPI-SSL licensed and enabled, the TZ400 protects against anything at all. We do have Capture ATP, but what good would that be if it can't scan encrypted traffic?
In that case, you can activate the DPI-SSL license on the MySonicWall account. It is made available for free on all Gen 6 appliances. Without it, the firewall can only check the unencrypted traffic.
Shipra Sahu
Technical Support Advisor, Premier Services
Are the TZ300 and TZ400 6th generation appliances?
What about the Soho?
Yes, TZ 300 and TZ 400 are Gen 6 appliances. SOHO is a Gen 5 appliance.
Shipra Sahu
Technical Support Advisor, Premier Services
Thanks! I was able to turn it on now.
So do we have to add the Sonicwall security certificate to all the computers to make this work?
Thank you for your time!
Glad I could help. Have a good one!
Shipra Sahu
Technical Support Advisor, Premier Services
What about mobile devices like iPhones? Will those need the Sonicwall security certificate too? Or can we apply DPI-SSL to only certain devices in the LAN?
Use the include/exclude options in the DPI-SSL settings to control what gets DPI'd and what does not.
Practically speaking, you need to segregate your network first to be able to do this effectively: put the things you manage and can install your cert on in different networks from everything else (e.g. guest devices go in a guest VLAN, corp devices go in a corp VLAN, and only the corp VLAN is included in DPI-SSL).
Or you can do slightly "lazier" things, like give all the stuff you intend to DPI fixed IPs in a range, create an address object for that range and only apply DPI-SSL to that. Quick and dirty!
The above also applies if you're using the SSO agent; there is usually a lot of overlap between the two areas.
You can install SW's certificate on iOS and Android devices, but it's a bit of a PITA to do a bunch of them without some expensive software. Unless it's a company device I'd make an SSID that parks them on a subnet without DPI-SSL. I do that for a library system client of mine.
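A practical check for the two questions raised above (is the firewall's certificate trusted on this client, and is this device actually inside the DPI-SSL include list), as an added Python example that is not from the original thread or from SonicWall: connect to a host with normal certificate verification turned on and look at who issued the certificate the client receives. With DPI-SSL active the firewall re-signs the server certificate with its own CA, so the issuer changes; if that CA is not yet installed, verification fails instead. The issuer-name markers and the two sample certificate dictionaries are assumptions and constructed data; the real CN of your appliance's DPI-SSL CA is whatever you exported from the firewall.

```python
"""Check from a LAN client whether HTTPS traffic is being re-signed by a DPI-SSL CA.

Run it from a client in each VLAN or address range to confirm that the
include/exclude rules and the certificate rollout behave as intended.
"""
import socket
import ssl
import sys

# Assumption: substrings that identify the firewall's re-signing CA. Replace with the
# issuer CN or O of the certificate you actually exported from the appliance.
INTERCEPTION_CA_MARKERS = ("sonicwall", "dpi-ssl")


def rdn_to_dict(rdn_sequence):
    """Flatten the tuple-of-tuples layout ssl.getpeercert() uses for subject/issuer."""
    flat = {}
    for rdn in rdn_sequence:
        for attr_type, attr_value in rdn:
            flat[attr_type] = attr_value
    return flat


def classify_issuer(peercert, markers=INTERCEPTION_CA_MARKERS):
    """Return 'intercepted' if the leaf cert's issuer looks like the inspection CA, else 'direct'."""
    issuer = rdn_to_dict(peercert.get("issuer", ()))
    haystack = " ".join(issuer.values()).lower()
    return "intercepted" if any(m in haystack for m in markers) else "direct"


def probe(host, port=443, timeout=5.0):
    """Connect with verification on and report (trust_state, path_state).

      ("trusted", "intercepted"): DPI-SSL is re-signing and the firewall CA is trusted here
      ("trusted", "direct"):      no re-signing on this path (device excluded / DPI-SSL off)
      ("untrusted", None):        verification failed; on a DPI-SSL network this usually
                                  means the firewall CA is not installed on this client
    """
    ctx = ssl.create_default_context()  # platform default trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "trusted", classify_issuer(tls.getpeercert())
    except ssl.SSLCertVerificationError:
        return "untrusted", None


# Constructed samples of what getpeercert() returns, for offline illustration only.
SAMPLE_RESIGNED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "SonicWall Inc."),),
        (("commonName", "SonicWall Firewall DPI-SSL"),),  # assumed CN, adjust to yours
    ),
}
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Public CA"),),
        (("commonName", "Example Public TLS CA 1"),),
    ),
}

if __name__ == "__main__":
    for target in sys.argv[1:] or ["www.example.com"]:
        print(target, *probe(target))
```

Run it once from a device in the included range and once from the guest SSID: the first should report ("trusted", "intercepted") after the certificate is deployed, the second ("trusted", "direct"). A device that reports ("untrusted", None) is being inspected but does not yet trust the firewall CA, which is exactly the state that produces certificate warnings in browsers.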