jst3751

Newbie ✭

Comments

  • No, sorry, that does not help. I know very well how to create address objects and so forth. That is a manual process to be added AFTER THE FACT. I need to be able to block users from accessing IP Based websites at the time of attempt, not later.
  • Unfortunately there is an issue in 6.5.3.x that we were experiencing that required us to go to a newer version per SonicWall support.
  • I realize it "should not matter" but I am working on resolving constant events being logged in the Windows Server application log concerning certificate mismatch. I wanted to make sure before investigating that problem that it was not somehow caused or tied to different cipher suites being used.
  • Wow thanks for finding that great discussion. So once again Microsoft thinks they are better than everyone else by including a bit of information neither required nor desired in that field.
  • More information: I am trying to figure out what the difference is in implementation between these cipher suites: TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384_P521. The first one is an available cipher suite in a SonicWall NSA 2600 with firmware…
  • Support case number 43429731
  • OK, now that opened up another problem avenue. I am already forcing SSL checks as if the Intermediate was needed it would be failing regardless of DPI-SSL (Firewall Settings, SSL Control). Checking what certificates I have on the firewall, I see I already have that intermediate installed. HOWEVER, the certificate path is…
  • https://ace.cbp.dhs.gov/
  • NOW, here is another interesting tidbit: In Client DPI-SSL, if I uncheck "Always authenticate server before applying exclusion policy" then that website works. Again, regardless of what exclusion/inclusion objects I have selected on the Objects tab.
  • OK, this is even weirdererer than that: If I disable SSL Client Inspection on the zone, that website works fine. However NO DPI-SSL Client settings are applied to anything in that zone. If I enable SSL Client Inspection on the zone, enable DPI-SSL Client, that website gets blocked for ALL no matter what exclusion/inclusion…
  • All of the address objects are in the LAN zone. "Enable DPI-SSL Enforcement Service" IS NOT checked "Enable SSL Client Inspection" IS checked
  • IF the logic being used is AND then ONLY the 2 address objects within the group "2_ DPI-SSL TEST GROUP" should be applied. BUT, I am having a big problem. There are only 2 address objects in the group "2_ DPI-SSL TEST GROUP" and neither 192.168.100.143 nor 192.168.100.210 are included. I have an exception for…
  • OK I am doing testing now as I had an odd problem on Friday afternoon when it appears that DPI-SSL Client was being enforced upon a user that it should not have. In the meantime, I am seeing an undesired issue: In DPI-SSL Client on the Common Name tab, you can click on "SHOW CONNECTION FAILURES" but when you do so,…
  • Why wasn't a retraction email then sent out? That would have cleared up things for everyone.