How Can I Configure Client DPI-SSL
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWall's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.
The following security services and features are capable of utilizing DPI-SSL:
- Gateway Anti-Virus
- Gateway Anti-Spyware
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
RESOLUTION:
The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.
A commonly used certificate is the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate. This certificate should be added to the browser to eliminate certificate trust errors. For Chrome and IE, this is part of the Windows Certificate Store; for Firefox, it has to be added manually.
- Log in to the SonicWall Management GUI.
- Navigate to Manage | Deep Packet Inspection | SSL Client Deployment.
- On the Client SSL page, check Enable SSL Client Inspection.
- Once DPI-SSL Client Inspection is enabled, SonicWall will seamlessly and transparently decrypt all SSL traffic passing through it. You will be able to apply Security Services on the clear-text portion of the SSL encrypted payload passing through it.
To avoid certificate trust errors and to enable the re-signing certificate authority to successfully re-sign certificates, browsers have to trust this certificate authority. Such trust can be established by importing the re-signing certificate into the browser's trusted CA list. In the Manage | Deep Packet Inspection | SSL Client Deployment | Certificate page, click on the (download) link to download the Default SonicWall DPI-SSL Certificate Authority (CA) Certificate.
NOTE: It is recommended to use the 2048-bit DPI-SSL certificate instead of the 1024-bit certificate.
As computer power increases, anything less than a 2048-bit certificate is at risk of being compromised by hackers with sophisticated processing capabilities. The cybersecurity industry is moving to stronger 2048-bit encryption to help preserve internet security.
Internet Explorer: Navigate to Tools | Internet Options, click the Content tab and click Certificates.
Click Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.
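On Windows clients, the same import can be scripted together with the 2048-bit check from the NOTE above; this PowerShell is an added example, not SonicWall's own code. The file name dpi-ssl-ca.cer is a placeholder for wherever the downloaded certificate was saved, and the script assumes an elevated PowerShell prompt.

```powershell
# Added example, not SonicWall-provided code.
# ASSUMPTION: $CertPath points at the certificate downloaded from the
# SSL Client Deployment | Certificate page; the file name is a placeholder.
param(
    [string]$CertPath   = '.\dpi-ssl-ca.cer',
    [int]   $MinKeyBits = 2048
)
$ErrorActionPreference = 'Stop'
$fullPath = (Resolve-Path $CertPath).Path

# Load the certificate for inspection without installing it.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($fullPath)

# Key-size check: refuse the 1024-bit certificate.
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)
if ($null -eq $rsa) { throw 'Certificate does not carry an RSA public key.' }
if ($rsa.KeySize -lt $MinKeyBits) {
    throw "Key is $($rsa.KeySize)-bit; use the $MinKeyBits-bit DPI-SSL certificate instead."
}

# A re-signing certificate must be marked as a CA (basicConstraints CA=TRUE).
$bc = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
}
if (-not $bc -or -not $bc.CertificateAuthority) {
    throw 'Certificate is not marked as a certificate authority.'
}

# Reject a certificate that is expired or not yet valid.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    throw "Certificate is outside its validity window ($($cert.NotBefore) to $($cert.NotAfter))."
}

# Show what is about to be trusted; compare the thumbprint with the one
# displayed on the firewall before rolling this out to more machines.
[pscustomobject]@{
    Subject    = $cert.Subject
    Thumbprint = $cert.Thumbprint
    KeyBits    = $rsa.KeySize
    NotAfter   = $cert.NotAfter
} | Format-List

# Import into the machine-wide Trusted Root store, then confirm it landed.
Import-Certificate -FilePath $fullPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $cert.Thumbprint
```

This covers browsers that rely on the Windows Certificate Store; Firefox still needs the manual import mentioned above.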