Is DPI-SSL a must-have now?

Our firewall has Capture ATP and all the other security services. However, if I click on DPI-SSL I get a message:

SonicWall DPI-SSL enables inspection and protection of client and server encrypted Secure-Socket-Layer (SSL/TLS) connections, allowing these connections to be scanned by SonicWall Security Services including: Intrusion Prevention, Gateway Anti-Virus, Gateway Anti-Spyware, Application Firewall and Content Filtering Premium Edition.

Am I correct to assume that none of the security services on the firewall will find anything if the connection is encrypted? And if so, now that most internet traffic is encrypted, do we need to purchase the DPI-SSL upgrade to actually be protected?

Category: Firewall Security Services
Answers

  • AIT Newbie ✭

    I am using TZ400. What I am wondering is if, without DPI SSL licensed and enabled, does the TZ400 protect against anything at all? We do have Capture ATP but what good would that be if it can't scan encrypted traffic?

  • @AIT,

    In that case, you can activate the DPI SSL license on the MySonicWall account. It is made available for free on all Gen 6 appliances. Without it, the firewall can only check the unencrypted traffic.

    Thanks!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AIT Newbie ✭

    Are the TZ300 and TZ400 6th generation appliances?

    What about the SOHO?

  • Yes, TZ 300 and TZ 400 are Gen 6 appliances. SOHO is a Gen 5 appliance.

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AIT Newbie ✭

    Thanks! I was able to turn it on now.

    So do we have to add the SonicWall security certificate to all the computers to make this work?

  • AIT Newbie ✭

    Thank you for your time!

  • Glad I could help. Have a good one!

    Shipra Sahu

    Technical Support Advisor, Premier Services

  • AIT Newbie ✭

    What about mobile devices like iPhones? Will those need the SonicWall security certificate too? Or can we apply DPI-SSL to only certain devices in the LAN?

  • Arkwright All-Knowing Sage ✭✭✭✭

    Use the include/exclude options in the DPI-SSL settings to control what gets DPI'd and what does not.

    Practically speaking, you need to segregate your network first to be able to do this effectively: put the things you manage and can install your cert on in different networks to everything else [e.g. guest devices go in a guest VLAN, corp devices go in a corp VLAN, only include the corp VLAN in DPI-SSL].

    Or you can do slightly "lazier" things, like give all the stuff you intend to DPI fixed IPs in a range, create an address object for that range and only apply DPI-SSL to that. Quick and dirty!

    The above also applies if you're using the SSO agent as well; there is usually a lot of overlap between the two areas.

  • xdmfanboy Newbie ✭

    You can install SW's certificate on iOS and Android devices, but it's a bit of a PITA to do a bunch of them without some expensive software. Unless it's a company device I'd make an SSID that parks them on a subnet without DPI-SSL. I do that for a library system client of mine.
