
UTM: Configuring SonicWALL DPI-SSL with Application Firewall

https://www.fuzeqna.com/sonicwallkb/consumer/kbdetail.asp?kbid=836...

Question/Title
UTM: Configuring SonicWALL DPI-SSL with Application Firewall

Answer/Article

Article Applies To:

SonicWALL Security Appliance Platforms:
Gen5: NSA E8500, NSA E7500, NSA E6500, NSA E5500, NSA 5000, NSA 4500, NSA 3500, NSA 240
Firmware/Software Version: SonicOS Enhanced 5.6 and above
Gen5: NSA 250M, NSA 250MW, NSA 220, NSA 220W
Firmware/Software Version: SonicOS Enhanced 5.8.1.2 and above
Services: DPI SSL, Application Firewall

Feature/Application:

DPI-SSL:

Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL's Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

The following security services and features are capable of utilizing DPI-SSL:
Gateway Anti-Virus
Gateway Anti-Spyware
Intrusion Prevention
Content Filtering
Application Firewall
Packet Capture
Packet Mirror

Normally, without DPI-SSL, HTTPS traffic cannot be blocked by SonicWALL Security Services. With the SonicWALL DPI-SSL feature, the SSL traffic is transparently decrypted by the SonicWALL for inspection, enabling the SonicWALL to inspect the traffic and enforce any Security Services prevention on it.

Application Firewall:

Application Firewall scans application-layer network traffic as it passes through the gateway and looks for content that matches configured keywords. When it finds a match, it performs the configured action. It can match text or binary content. When you configure Application Firewall, you create policies that define the type of applications to scan, the direction, and the content or keywords to match. You can optionally also define the user or domain to match, and the action to perform.

Application Firewall can be very effective for certain types of email control, especially when a blanket policy is desired. For example, you can prevent sending attachments of a given type, such as .exe, on a per-user basis or for an entire domain.

This article illustrates the method to block email attachments with certain extensions when a mail server uses a secure connection, using Application Firewall with DPI-SSL enabled.

Procedure: Enabling DPI-SSL Client Inspection for Application Firewall

Means SMTP/POP3 over SSL.

In this section we will enable DPI-SSL Client Inspection. The Client DPI-SSL deployment scenario is typically used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN. For the purpose of this article we will be using the Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate as the re-signing authority. Users should be instructed to add the certificate to their browsers' trusted list to avoid certificate trust errors.

Login to the SonicWALL Management GUI.
Navigate to DPI-SSL and click on Client SSL.
On the Client SSL page, check the box under Enable SSL Client Inspection.
Check the box under Gateway Anti-Virus.

Now that DPI-SSL Client Inspection is enabled, the SonicWALL will be able to enforce GAV on the clear-text portion of the SSL-encrypted payload passing through it.


Adding Trust to the Browser


To avoid certificate trust errors, and to allow the re-signing certificate authority to successfully re-sign certificates, browsers have to trust this certificate authority. Such trust is established by importing the re-signing CA certificate into the browser's trusted CA list. In the DPI-SSL > Client SSL page, click on the (download) link to download the Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate.

To import the certificate into a browser, do the following:

Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate.


Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK.

Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.

Configuring Application Firewall


Application Firewall is license based. You can view the status of your license at the top of the Application Firewall > Policies page. You must enable Application Firewall to activate its functionality.

Defining an Application Object


Navigate to the Application Firewall > Policies page.
Check the box under Enable Application Firewall.
Navigate to the Application Firewall > Application Objects page.
Click on the Add New Object button.
In the Edit Application Object window, enter the information as per the screenshot (the object lists the attachment file extensions to block).
Click on OK to save.


Note: You can add more extensions for other file types to the application object we created.

Defining an Action - Disable Email Attachment


Navigate to the Application Firewall > Actions page.
Click on Add New Action.
Enter the following information:
Action Name: no attachment
Action: select Disable E-mail Attachment - Add Text.
Content: enter the text to be delivered to the recipient in place of the attachment.
Click on OK to save.

Creating an Application Firewall Policy


Navigate to the Application Firewall > Policies page. Create 2 new policies (one for outgoing SMTP mail and one for incoming POP3 mail, both using the application object and the action defined above) with the information shown and click on OK to save.

If I, from my office account, send an email with one of those attachments, those attachments will be removed.


Same for incoming emails.

When I am sending an email to outside.

When someone from outside is sending me an email, i.e. I am receiving an email.
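The action configured above ("Disable E-mail Attachment - Add Text") removes a matching attachment from the mail stream and substitutes the configured text. The following is an added example, not SonicWALL's code, that performs the same transformation on a parsed MIME message so the behaviour of the two policies can be reasoned about offline: it matches the filename extension case-insensitively on the last extension (so `invoice.pdf.EXE` is blocked and `tool.exe.pdf` is not), checks both the Content-Disposition filename and the Content-Type name parameter, and replaces the attachment body with the notice text. The extension list and the notice wording are assumptions; the article's screenshot of the application object is not reproduced, and `.exe` is the only extension the article names. The sample message is constructed.

```python
"""Strip blocked e-mail attachments and insert a notice, mirroring the
'Disable E-mail Attachment - Add Text' Application Firewall action.
Added example, not SonicWALL code: the appliance does this inside the
decrypted SMTP/POP3 stream; here the same logic runs on a MIME message."""
import os
from email import message_from_string, policy

# Assumed extension list; the article names only .exe as its example.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".vbs"}

# Assumed wording for the action's 'Content' text.
NOTICE = "Attachment removed by policy: {name}"


def attachment_name(part):
    """Filename from Content-Disposition, falling back to Content-Type name=."""
    name = part.get_filename()
    if not name:
        name = part.get_param("name", header="content-type")
    return name or ""


def is_blocked(name):
    """Case-insensitive match on the final extension only."""
    return os.path.splitext(name)[1].lower() in BLOCKED_EXTENSIONS


def disable_attachments(raw):
    """Return (rewritten message text, list of removed attachment names)."""
    msg = message_from_string(raw, policy=policy.default)
    removed = []
    if not msg.is_multipart():
        return raw, removed
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = attachment_name(part)
        if name and is_blocked(name):
            removed.append(name)
            # set_content() clears the old Content-* headers and binary payload
            # and writes a text/plain part carrying the notice instead.
            part.set_content(NOTICE.format(name=name))
    return msg.as_string(), removed


# Constructed sample: a body, an allowed PDF and a blocked EXE attachment.
SAMPLE = """\
From: alice@example.com
To: bob@example.com
Subject: test
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="utf-8"

See attached.
--XYZ
Content-Type: application/pdf; name="report.pdf"
Content-Disposition: attachment; filename="report.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--XYZ
Content-Type: application/octet-stream; name="payload.EXE"
Content-Disposition: attachment; filename="payload.EXE"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--XYZ--
"""

if __name__ == "__main__":
    rewritten, gone = disable_attachments(SAMPLE)
    print("removed:", gone)
    print(rewritten)
```

The appliance applies the same decision in both directions (the outgoing SMTP policy and the incoming POP3 policy), so a blocked type is stripped whether the LAN user is the sender or the recipient; the matching here is intentionally on the filename only, which is also why the note above about adding further extensions to the application object matters.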

How to Test:
To test this scenario, send a mail from your POP or mail server account with one of the attachments listed under the application object created. Similarly, send yourself a mail from another account with one of the blocked attachments. Make sure the incoming and outgoing mail server port numbers are SSL-enabled. For the purpose of this article we use Outlook Express configured with a Gmail POP account.

In Outlook 2007, Tools > Account Settings > Change > More Settings > Advanced: here you will see the SMTP and POP3 ports, with check boxes to enable a secure connection. If a secure connection (SSL or TLS) is not enabled, then Application Firewall will, anyway, be able to block (or take whatever action is specified on) the emails. If the secure connection (SSL or TLS) is checked (make sure it is checked for both SMTP and POP3), then we will need DPI-SSL > Client SSL.

SMTP over SSL, POP3 over SSL.

You should see alerts similar to the ones shown below in the log.
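Two things decide whether the test above produces the expected log entries: the client must trust the downloaded DPI-SSL CA (the "Adding Trust to the Browser" section), and the SMTPS/POP3S sessions must actually be re-signed by the appliance rather than passed through. The following added example, not part of the article, checks both from a LAN host. It performs the TLS handshake to the mail server port twice, once against the operating system's root store and once against only the downloaded DPI-SSL CA file, and reports `direct` (not intercepted), `intercepted` (re-signed by the appliance) or `untrusted` (certificate errors, typically the CA was not imported). The CA filename and the issuer common name used in `is_resigned` are assumptions; read the real CN from the certificate downloaded from DPI-SSL > Client SSL.

```python
"""Probe whether a TLS mail port is being re-signed by the SonicWALL DPI-SSL
CA and whether the downloaded CA file is trusted. Added example, not from the
article; CA file name and issuer CN are assumptions."""
import socket
import ssl

DPI_SSL_CA_FILE = "sonicwall-dpi-ssl-ca.pem"   # assumed name of the downloaded CA


def name_to_dict(rdn_seq):
    """Flatten getpeercert()'s ((('commonName', 'x'),), ...) issuer/subject
    format into a plain {attribute: value} dict (last value wins)."""
    out = {}
    for rdn in rdn_seq:
        for attr, value in rdn:
            out[attr] = value
    return out


def is_resigned(peercert, ca_common_name):
    """True when the certificate the client received was issued by the
    DPI-SSL re-signing CA rather than by the mail server's real CA."""
    issuer = name_to_dict(peercert.get("issuer", ()))
    return issuer.get("commonName") == ca_common_name


def probe(host, port, ca_file=DPI_SSL_CA_FILE, timeout=5):
    """Return 'direct', 'intercepted' or 'untrusted' for host:port.

    direct:      verifies against the system roots, so the session is not
                 being re-signed (port not inspected or DPI-SSL disabled).
    intercepted: verifies only against the DPI-SSL CA, so the appliance is
                 decrypting this session and Application Firewall can act.
    untrusted:   neither verifies; the mail client will show certificate
                 errors until the CA is imported.
    """
    attempts = (
        (ssl.create_default_context(), "direct"),
        (ssl.create_default_context(cafile=ca_file), "intercepted"),
    )
    for ctx, verdict in attempts:
        try:
            with socket.create_connection((host, port), timeout=timeout) as sock:
                with ctx.wrap_socket(sock, server_hostname=host) as tls:
                    tls.getpeercert()   # handshake completed and verified
                    return verdict
        except ssl.SSLCertVerificationError:
            continue
    return "untrusted"


if __name__ == "__main__":
    # Gmail's SSL ports, matching the article's test setup: SMTPS 465, POP3S 995.
    for host, port in (("smtp.gmail.com", 465), ("pop.gmail.com", 995)):
        print(host, port, probe(host, port))
```

Run it from a workstation behind the appliance before sending the test mails: both ports should report `intercepted`. A `direct` result on 465 or 995 means the policy cannot see the attachment because the session is not decrypted; `untrusted` means the DPI-SSL CA has not been installed on that client.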


See Also:
UTM: SonicOS Enhanced 5.6 DPI-SSL Feature Module (PDF)

Related Items
UTM: SonicOS Enhanced DPI-SSL Feature Module (5.6 onwards)(PDF)

KBID: 8366
Date Modified: 7/6/2012
Date Created: 9/24/2010
