Article Applies To:

SonicWALL Security Appliance Platforms:

Gen5: NSA E8510, E8500, E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 2400, NSA 2400MX, NSA 220, NSA 220W NSA 240, NSA 250M, NSA250MW
Firmware/Software Version: SonicOS Enhanced 5.6 and above
Services: DPI SSL, CFS


Feature/Application:

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

The following security services and features are capable of utilizing DPI-SSL:

  • Gateway Anti-Virus
  • Gateway Anti-Spyware
  • Intrusion Prevention
  • Content Filtering
  • Application Firewall
  • Packet Capture
  • Packet Mirror

Normally, without DPI-SSL, HTTPS traffic cannot be blocked by SonicWALL Security Services. However, with SonicWALL DPI-SSL feature, the SSL traffic is decrypted by the SonicWALL for inspection, thus enabling SonicWALL to inspect traffic and enforce any Security Services prevention on it.  This article describes how to block https://www.facebook.com using SonicWALL Content Filtering when DPI-SSL is enabled. 


Procedure:

Enabling DPI-SSL Client Inspection for Content Filter

In this section we will enable DPI-SSL Client Inspection. The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

For the purpose of this article we will be using Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate as the re-signing authority. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.

  • Login to the SonicWALL Management GUI
  • Navigate to DPI-SSL and click on Client SSL.
  • On the Client SSL page, check the box under Enable SSL Client Inspection.
  • Check the box under Content Filter.

Now that DPI-SSL Client Inspection is enabled, SonicWALL will be able to apply Content Filter policies on the clear-text portion of the SSL encrypted payload passing through it.


Additing Trust to the Browser

To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list.

In the DPI-SSL > Client SSL page, click on the (download) link to download the Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate.

To import the certificate into a browser, do the following:

  • Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates.
    Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import
    Wizard will guide you through importing the certificate.
 
  • Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View
    Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the
    Trust this CA to identify websites check box is selected, and click OK.


  • Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

Configuring SonicWALL Content Filter

  • Navigate to the Content Filter page.
  • Click on Configure.
  • In the SonicWALL Filter Properties window, uncheck Enable IP based HTTPS Content Filtering
  • Click on the Custom List tab.
  • Click on Add under Forbidden Domains.
  • Enter www.facebook.com under Domain Name and click  OK.
  • Click on OK to save the settings. {In this scenario we will be using only the Default CFS policy.}
  • Navigate to Network > Zones.
  • Click on the configure button under the LAN zone.
  • Check the box under Enforce Content Filtering Service.{If CFS needs to be enabled on other zones, check the appropriate box under each zone }

 


How to Test:

Open a web browser and enter https://www.facebook.com
A CFS blocked page will appear as under. {If this is being done from the same computer as the one which is logged into the SonicWALL Mangement GUI, make sure you are logged out before testing.}

 


 



See Also:

UTM: SonicOS Enhanced 5.6 DPI-SSL Feature Module (PDF)