https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=836...
Question/Title
UTM: Configuring SonicWALL DPI-SSL with Application Firewall
Answer/Article
Feature/Application:
DPI-SSL:
Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL's Deep Packet Inspection technology to the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is transparently decrypted, scanned for threats, and then re-encrypted and forwarded to its destination if no threats or policy violations are found. DPI-SSL provides additional security, application control, and data leakage prevention for encrypted HTTPS and other SSL-based traffic. The following security services and features can use DPI-SSL:
- Gateway Anti-Virus
- Gateway Anti-Spyware
- Intrusion Prevention
- Content Filtering
- Application Firewall
- Packet Capture
- Packet Mirror
Without DPI-SSL, SonicWALL Security Services see only the encrypted payload of HTTPS and other SSL sessions and cannot act on their content. With DPI-SSL, the SonicWALL transparently decrypts the SSL traffic for inspection, which lets it inspect the content and enforce any configured Security Services on it.
Application Firewall:
Application Firewall scans application-layer network traffic as it passes through the gateway, looking for content that matches configured keywords. When it finds a match, it performs the configured action. It can match text or binary content. When you configure Application Firewall, you create policies that define the type of application to scan, the direction, and the content or keywords to match; optionally, you can also define the user or domain to match and the action to perform. Application Firewall can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis or for an entire domain.
This article illustrates how to block email attachments with certain extensions when the mail server uses a secure connection, using Application Firewall with DPI-SSL enabled.
Enabling DPI-SSL Client Inspection:
In this section we enable DPI-SSL Client Inspection. The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. For the purpose of this article we use the default SonicWALL DPI-SSL Certificate Authority (CA) certificate as the re-signing authority. Because the firewall re-signs every inspected server certificate with this CA, users must add the CA certificate to their browsers' trusted root list; otherwise they will see certificate trust errors on every inspected site.
1. Log in to the SonicWALL management GUI.
2. Navigate to DPI-SSL and click Client SSL.
3. On the Client SSL page, check the box under Enable SSL Client Inspection.
4. Check the box under Gateway Anti-Virus. The same page lists the other services that can inspect decrypted traffic (including Application Firewall); a service that is not checked here does not see the decrypted payload.
Now that DPI-SSL Client Inspection is enabled, the SonicWALL can enforce GAV on the clear-text portion of the SSL-encrypted payload passing through it.
1 of 6
2/20/2013 2:58 AM
To import the certificate into a browser, do the following: Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.
Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.
Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
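Once the CA is imported, a quick way to confirm that DPI-SSL is actually re-signing connections and that the client trusts the re-signing CA is to open a TLS connection and look at who issued the server certificate. The following script is an added example and is not part of the SonicWALL article. It assumes the DPI-SSL CA has been exported to sonicwall-dpi-ssl-ca.pem and that the default CA's common name contains the string "SonicWALL"; both are assumptions, so adjust them to what the firewall's certificate actually shows.

```python
"""Check whether an HTTPS connection is being re-signed by a DPI-SSL CA.

Added example, not from the SonicWALL article. The CA file path and the
issuer marker below are assumptions.
"""
import socket
import ssl

# Assumption: the DPI-SSL CA exported from the firewall was saved to this path.
DPI_SSL_CA_FILE = "sonicwall-dpi-ssl-ca.pem"
# Assumption: the default re-signing CA's common name contains this string.
DPI_SSL_ISSUER_MARKER = "SonicWALL"


def issuer_common_name(issuer):
    """Extract the CN from the 'issuer' value returned by SSLSocket.getpeercert().

    getpeercert() returns the issuer as a tuple of RDNs, each RDN a tuple of
    (attribute, value) pairs, e.g. ((('countryName', 'US'),), (('commonName', 'R3'),)).
    """
    for rdn in issuer:
        for key, value in rdn:
            if key == "commonName":
                return value
    return ""


def classify_issuer(issuer, marker=DPI_SSL_ISSUER_MARKER):
    """Return 'resigned' when the issuer looks like the DPI-SSL CA, else 'direct'."""
    cn = issuer_common_name(issuer)
    return "resigned" if marker.lower() in cn.lower() else "direct"


def probe(host, port=443, cafile=None, timeout=5.0):
    """Connect to host:port, validate the chain, and report the issuer.

    With cafile=None the system trust store is used, so a re-signed connection
    from a client that has NOT imported the DPI-SSL CA comes back as 'untrusted'
    (the browser trust error the import step above avoids). With the exported CA
    as cafile the handshake succeeds and the issuer CN identifies the DPI-SSL CA.
    """
    try:
        ctx = ssl.create_default_context(cafile=cafile)
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                issuer = tls.getpeercert()["issuer"]
    except ssl.SSLCertVerificationError as exc:
        return {"status": "untrusted", "detail": str(exc)}
    except (OSError, ssl.SSLError) as exc:
        # Covers refused/timed-out connections and a missing cafile.
        return {"status": "error", "detail": str(exc)}
    return {
        "status": "ok",
        "issuer_cn": issuer_common_name(issuer),
        "classification": classify_issuer(issuer),
    }


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "www.example.com"
    print("system trust store :", probe(target))
    print("DPI-SSL CA trusted :", probe(target, cafile=DPI_SSL_CA_FILE))
```

Run it twice from a LAN client: against the system trust store a re-signed site fails with 'untrusted', and with the exported CA as cafile it succeeds and reports the DPI-SSL CA as issuer with classification 'resigned'. A site that the firewall excludes from inspection shows its public CA and classifies as 'direct'.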
Note: You can add more extensions for other file types to the application object created above. Keep in mind that an extension-based object matches on the attachment's file name, so a file that has been renamed or packed inside an archive is not caught by it.
How to Test:
To test this scenario, send a mail from your POP or mail server account with one of the attachment types listed in the application object you created. Similarly, send yourself a mail from another account with one of the blocked attachment types. Make sure the incoming and outgoing mail server ports are the SSL-enabled ones; otherwise the session is in clear text and DPI-SSL is not exercised. For the purpose of this article we use Outlook Express configured with a Gmail POP account.
In Outlook 2007, go to Tools > Account Settings > Change > More Settings > Advanced. Here you will see the SMTP and POP3 port numbers and the check boxes that enable a secure connection. If a secure connection (SSL or TLS) is not enabled, Application Firewall can block the emails (or take whatever action is specified) anyway, because the session is in clear text. If the secure connection (SSL or TLS) check box is selected (make sure it is selected for both SMTP and POP3), DPI-SSL > Client SSL is required for the policy to see the attachment.
You should see alerts similar to the ones shown below in the SonicWALL log.
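The test described above can also be driven from a script, which makes it easy to repeat for every extension in the application object. The following is an added example, not the article's own procedure: it builds a message carrying a constructed, harmless attachment with the chosen file name and sends it over SMTPS (port 465) or SMTP with STARTTLS (port 587), then classifies the outcome. The mail host, the accounts and the BLOCKED_EXTENSIONS list are assumptions to be replaced with your own; reading a dropped session as the firewall's block action assumes the policy uses the default reset/drop action.

```python
"""Send a test message with a blocked attachment type through the firewall
and report whether it was delivered, dropped, or rejected.

Added example, not the SonicWALL article's own procedure. Hosts, accounts
and the extension list are assumptions.
"""
import smtplib
import socket
import ssl
from email.message import EmailMessage

# Assumption: extensions listed in the Application Object created earlier.
BLOCKED_EXTENSIONS = (".exe", ".bat", ".scr")

# Constructed, harmless payload: a bare MZ header stub padded with zeros, so the
# attachment's file name is the only thing an extension-based rule keys on.
SAMPLE_PAYLOAD = b"MZ\x90\x00" + b"\x00" * 60


def build_test_message(sender, recipient, filename, payload=SAMPLE_PAYLOAD):
    """Build a multipart message with one attachment named `filename`."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = recipient
    msg["Subject"] = f"DPI-SSL attachment test: {filename}"
    msg.set_content("Application Firewall / DPI-SSL attachment test.")
    msg.add_attachment(
        payload, maintype="application", subtype="octet-stream", filename=filename
    )
    return msg


def attachment_names(msg):
    """Return the file names of all attachments in a message."""
    return [part.get_filename() for part in msg.iter_attachments()]


def is_blocked_name(filename):
    """True when the file name ends with one of the blocked extensions (case-insensitive)."""
    return filename.lower().endswith(BLOCKED_EXTENSIONS)


def send_test(msg, host, port, username, password, starttls=False, timeout=15.0):
    """Deliver msg over SMTPS (starttls=False) or SMTP+STARTTLS and classify the result.

    Returns (outcome, detail). The client validates the server certificate with
    the system trust store, so on a DPI-SSL inspected session the re-signing CA
    must already be trusted, otherwise the outcome is 'untrusted'.
    """
    ctx = ssl.create_default_context()
    try:
        if starttls:
            client = smtplib.SMTP(host, port, timeout=timeout)
            client.starttls(context=ctx)
        else:
            client = smtplib.SMTP_SSL(host, port, context=ctx, timeout=timeout)
        with client:
            client.login(username, password)
            client.send_message(msg)
    except ssl.SSLCertVerificationError as exc:
        return ("untrusted", f"re-signing CA not trusted by this client: {exc}")
    except (smtplib.SMTPServerDisconnected, ConnectionResetError, socket.timeout) as exc:
        # Assumption: the policy's default action resets/drops the session.
        return ("blocked", f"session dropped mid-transfer: {exc}")
    except smtplib.SMTPResponseException as exc:
        return ("rejected", f"{exc.smtp_code} {exc.smtp_error!r}")
    except (OSError, smtplib.SMTPException) as exc:
        return ("error", str(exc))
    return ("delivered", "server accepted the message")


if __name__ == "__main__":
    import getpass

    # Assumptions: placeholder accounts and a Gmail SMTPS endpoint as in the article's setup.
    sender = "sender@example.com"
    message = build_test_message(sender, "recipient@example.com", "blocked-test.exe")
    password = getpass.getpass("SMTP password: ")
    print(send_test(message, "smtp.gmail.com", 465, sender, password))
```

A 'delivered' result for a name that is_blocked_name() flags means the policy did not fire: check that the secure ports are in use, that Application Firewall is enabled on the DPI-SSL > Client SSL page, and that the policy's direction covers outbound SMTP.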
See Also:
UTM: SonicOS Enhanced 5.6 DPI-SSL Feature Module (PDF)
Related Items
UTM: SonicOS Enhanced DPI-SSL Feature Module (5.6 onwards)(PDF)