Hi Jean-Pier. Thanks for the video. I used it to get us up-and-running with DPI-SSL and CFS! In the process, I also learned about UDP 443, Quic protocol. It appears our NSA-4700 is not capable at the moment of inspecting UDP 443. As a result, content filtering was not working on those sites. For example, web sites hosted on Cloudflare. As a workaround, we are now blocking UDP 443 outbound forcing sites to switch to TCP 443. Do you know about this and do you know what Sonicwall's plans are to include UDP 443 in DPI-SSL?
The former root CA is recorded in the browser cache. If you switch to a private CA like the built in DPI SSL CA the connection will not be trusted until every user clears their browser cache. I wonder if others can confirm. We had no special browser security hardening and DPI SSL was not working without clearing the browser cache (testing with private mode works also).
Followed the steps but when I web browse on the test computer (with the certificate installed) it never uses the sonicwall cert, so I don't think it's working on my nsa4700.
If all set peoperly, 2 possibilities comes to mind: 1: the browsing is cashed. Clear the cash and try again. 2: the web site you try is using Google QUIC. Block UDP/443 in the firewall and try again.
Excellent video. Does having enterprise endpoint AV with Network Protection essentially eliminate the benefits of the firewall-level inspection? After following your steps, when testing certs in browsers as you did, it shows the business anti-virus software's cert not the Sonicwall cert. This is a major enterprise endpoint AV product, and it provides endpoint "Network Protection" and by default "Scan SSL" is enabled. The firewall does show current & peak DPI-SSL counts. Does this mean the firewall is still inspecting, even though the enterprise AV is also doing this at the endpoint?
Thanks Kelly. I would never, ever, remove the firewall due to a good antivirus. To me, your AV is your last layer of defence. And keep in mind, your AV is not installed in every network enabled device. Those are just a couple reason to keeping firewall. For your DPI-SSL question, I suspect the firewall perform inspection and re-encrypt everything with the sonicwall cert. then your endpoint AV perform the same. Easy way to try it: block “cars” website with CFS on the firewall and try going to www.ford.com If you get the CFS deny web page, DPI-SSL is working. If you get a time out in your browser, DPI-SSL is probably not working. Reason been: CFS blockage on https will simply drop packets if you do not have DPISSL, and will give you a deny message if you do have DPI-SSL.
@@JeanPierTalbot Wow - thanks for the quick and detailed reply! So it seems from what you are saying that it is still a good idea/ok to include DPI-SSL scanning on workstations that also have SSL inspection happening at their endpoint? I like having both the firewall (with all of its capabilities) scanning in addition to the endpoint AV unless that is crazy.... thanks again!
@@JeanPierTalbot So I tested as you suggested: Enabled a couple CFS categories to block on a host PC whose IP is included in DPI-SSL. It did not block anything, although the DPI-SSL status indicates sessions were being processed. So I guess the decision to make is: Do I exclude my PC's from DPI-SSL since my endpoint AV is handling it, but let everything else go thru DPI-SSL, *OR* do I remove the SSL scan feature in the endpoint AV so that I have full visibility/Sonicwall features via DPI-SSL? I don't know there is a "right" answer but it appears I can't perform DPI-SSL on a PC that already has endpoint software that is doing it and replacing the cert.... thanks again for any comments!
Every time we have tried to implement this, it has created periodic problems. For example, some government / state websites (Attorneys) or financial websites (Accountants), or even logging into banks, or using their web based credit card processing systems will not work. The certificate import into browsers can be (False positive) seen by the web host as a "Man In The Middle" attack and deny connection. Also what about printers / copiers that need to scan to email? Devices / peripherals that connect to vendor sites for firmware updates? So many issues with using the DPI SSL I would love to have solutions for.
There is no magic. Dpi-ssl can be difficult to turn on. It WILL create issues. That’s why I mentioned in the video to try with one employee in one département and to move on with more people. There is no magic, we are trying to break something encryption has been designed to prevent…. It’s doing the be the same challenge with any firewall vendor. I love the « show connection failure » button sonicwall has. Make this implementation less painful.
Another great video. I use DPI-SSL at my sites but to confirm, without the security subscriptions being active - does DPI really check anything useful without GAV, IPS, etc being licensed?
Great video. Excellent pacing. I'm assuming FireFox has changed their default behavior regarding windows certs, as I didn't need to do anything special for that browser to use the manually installed cert.
after Enable the DPI SSL , there is No Packet Inspect its show the Status like Current DPI-SSL connections (cur/peak/max) 0 / 0 / 200000, any think i need to do NSA 3700
Helpful videos - Thanks. What SonicWall are you using it this video? I just went from a 2650 to a TZ670 and see max DPI-SSL on the 670 is 30,000. On the 2650 is it 60,000. What is it on the 2700? The one in this video shows 75,000
@@JeanPierTalbot thanks. I am using a 670 and my max connection is shown as 30,000 where yours is the 75,000 (time 18:30). Could this be a firmware setting?
@@JeanPierTalbot What firmware were you running? I have SonicOS 7.0.1-R1262 and it shows 30000. Maybe it is a bug in the latest FW. If you are running the latest, can you check? I submitted a ticket too.
Any advice for someone trying to turn on DPI-SSL for a small network without active directory? What would be your best suggestion for getting the self signed certificate to all machines?
I personally suggest having your guest wifi on a different network and ensure they have no access to any of your internal networks. Because you are right, you can’t do DPI-SSL on what wifi… so yes, they might infect themselves, but they are not your corporate devices and don’t have any access to your networks… so no issues :-)
Could be a few things. 1: website cashed in your browser. Try a browser you never ever use, like edge :-) or try a website you never visited. 2: some website use the protocol QUIC which is working on UDP/443 and that bypass DPISSL. (Often seen on Google stuff, like RUclips) try a none-Google website. Like ford.com. See if the issue is resolved. If so, in the firewall, block outbound traffic on UDP/443. That will force your browser to use TCP/443 and go through DPISSL 3: yes you might have set it up wrong :-) if the above 2 don’t solve it. Then you can call sonicwall support
Do you have any recommendations for companies using Azure Active Directory only? Smaller companies may select to use Azure AD instead of dedicated domain controllers. Would Azure AD Domain Services fill that need?
Yes, it’s one of the great features of centrally managing firewalls through NSM. It offers the same UI no matter what generation of firewall people are managing
Generally speaking phones are not corporate device. So you don’t have control of their security. I would personally advice keeping them off of your network by creating another SSID and putting them on a separate VLAN. Reason is that most iPhone apps I tested don’t work even if I imported the certificate, they want their certificate or they just don’t work. So if the devices are not yours, they are on a different vlan with no access your your network, I would not be worried of not having DPI-SSL…
Hi, followed every single instruction, exported and installed DPI-SSL cert but it doesn't show up in chrome or any other browser. can you please help UPDATE: it worked after I selected all categories under CFS Category-based inclusion/Exclusion.
If you excluded all categories you pretty much disabled all DPI-SSL. If the cert does not show up in your browser, that means the cert import didn’t work. If you used GPO like I showed, you might have an AD issue where GPO don’t get pushed.
Recently picked up the new TZ570 for my home lab. Looking forward to more videos from you!
It was crisp & clear to understand
great video!! And damn, that is a SERIOUS MONITOR!!!
😂
Hi Jean-Pier. Thanks for the video. I used it to get us up-and-running with DPI-SSL and CFS! In the process, I also learned about UDP 443, Quic protocol. It appears our NSA-4700 is not capable at the moment of inspecting UDP 443. As a result, content filtering was not working on those sites. For example, web sites hosted on Cloudflare. As a workaround, we are now blocking UDP 443 outbound forcing sites to switch to TCP 443. Do you know about this and do you know what Sonicwall's plans are to include UDP 443 in DPI-SSL?
Il not aware of any firewall capable of inspecting Google quic. So yeah, block udp443 and you are good to go!
Excellent video. Thanks.
Connection problem with ANYDESK DPI-SSL solution please
The former root CA is recorded in the browser cache. If you switch to a private CA like the built in DPI SSL CA the connection will not be trusted until every user clears their browser cache. I wonder if others can confirm. We had no special browser security hardening and DPI SSL was not working without clearing the browser cache (testing with private mode works also).
Hi JP! Could you perhaps make a video on configuring SonicWall Analytics? My organization is interested in using it for report generation.
Eventually yes. :-)
Amazing video! Please do another one about DPI-SSL Server side. Thank you
Followed the steps but when I web browse on the test computer (with the certificate installed) it never uses the sonicwall cert, so I don't think it's working on my nsa4700.
If all set peoperly, 2 possibilities comes to mind:
1: the browsing is cashed. Clear the cash and try again.
2: the web site you try is using Google QUIC. Block UDP/443 in the firewall and try again.
Excellent video. Does having enterprise endpoint AV with Network Protection essentially eliminate the benefits of the firewall-level inspection? After following your steps, when testing certs in browsers as you did, it shows the business anti-virus software's cert not the Sonicwall cert. This is a major enterprise endpoint AV product, and it provides endpoint "Network Protection" and by default "Scan SSL" is enabled. The firewall does show current & peak DPI-SSL counts. Does this mean the firewall is still inspecting, even though the enterprise AV is also doing this at the endpoint?
Thanks Kelly.
I would never, ever, remove the firewall due to a good antivirus. To me, your AV is your last layer of defence. And keep in mind, your AV is not installed in every network enabled device. Those are just a couple reason to keeping firewall.
For your DPI-SSL question, I suspect the firewall perform inspection and re-encrypt everything with the sonicwall cert. then your endpoint AV perform the same.
Easy way to try it: block “cars” website with CFS on the firewall and try going to www.ford.com
If you get the CFS deny web page, DPI-SSL is working. If you get a time out in your browser, DPI-SSL is probably not working. Reason been: CFS blockage on https will simply drop packets if you do not have DPISSL, and will give you a deny message if you do have DPI-SSL.
@@JeanPierTalbot Wow - thanks for the quick and detailed reply! So it seems from what you are saying that it is still a good idea/ok to include DPI-SSL scanning on workstations that also have SSL inspection happening at their endpoint? I like having both the firewall (with all of its capabilities) scanning in addition to the endpoint AV unless that is crazy.... thanks again!
@@JeanPierTalbot So I tested as you suggested: Enabled a couple CFS categories to block on a host PC whose IP is included in DPI-SSL. It did not block anything, although the DPI-SSL status indicates sessions were being processed. So I guess the decision to make is: Do I exclude my PC's from DPI-SSL since my endpoint AV is handling it, but let everything else go thru DPI-SSL, *OR* do I remove the SSL scan feature in the endpoint AV so that I have full visibility/Sonicwall features via DPI-SSL? I don't know there is a "right" answer but it appears I can't perform DPI-SSL on a PC that already has endpoint software that is doing it and replacing the cert.... thanks again for any comments!
Every time we have tried to implement this, it has created periodic problems. For example, some government / state websites (Attorneys) or financial websites (Accountants), or even logging into banks, or using their web based credit card processing systems will not work. The certificate import into browsers can be (False positive) seen by the web host as a "Man In The Middle" attack and deny connection. Also what about printers / copiers that need to scan to email? Devices / peripherals that connect to vendor sites for firmware updates? So many issues with using the DPI SSL I would love to have solutions for.
There is no magic. Dpi-ssl can be difficult to turn on. It WILL create issues. That’s why I mentioned in the video to try with one employee in one département and to move on with more people.
There is no magic, we are trying to break something encryption has been designed to prevent…. It’s doing the be the same challenge with any firewall vendor. I love the « show connection failure » button sonicwall has. Make this implementation less painful.
Another great video. I use DPI-SSL at my sites but to confirm, without the security subscriptions being active - does DPI really check anything useful without GAV, IPS, etc being licensed?
Another Great Video .. Thanks Brother
Love this video! Tanks!
Great content
Great video. Excellent pacing. I'm assuming FireFox has changed their default behavior regarding windows certs, as I didn't need to do anything special for that browser to use the manually installed cert.
Hum. Good to know. So Firefox would now use the windows cert like IE and chrome. Cool
Hi Jean!
Is it good practice enable DPI for an Guest Zone?
Or is recommended to enable just for LAN zones?
Excellent video!
I would not do DPI-SSL on a guest wifi. Will be a nightmare to ask all customers to install a cert
after Enable the DPI SSL , there is No Packet Inspect its show the Status like
Current DPI-SSL connections (cur/peak/max) 0 / 0 / 200000, any think i need to do NSA 3700
Helpful videos - Thanks. What SonicWall are you using it this video? I just went from a 2650 to a TZ670 and see max DPI-SSL on the 670 is 30,000. On the 2650 is it 60,000. What is it on the 2700? The one in this video shows 75,000
I’m using a tz670.
Here is the data sheet for the new tz. www.sonicwall.com/medialibrary/en/datasheet/sonicwall-tz-series-gen-7.pdf
@@JeanPierTalbot thanks. I am using a 670 and my max connection is shown as 30,000 where yours is the 75,000 (time 18:30). Could this be a firmware setting?
@@JeanPierTalbot What firmware were you running? I have SonicOS 7.0.1-R1262 and it shows 30000. Maybe it is a bug in the latest FW. If you are running the latest, can you check? I submitted a ticket too.
How about DPI SSH ?
Any advice for someone trying to turn on DPI-SSL for a small network without active directory? What would be your best suggestion for getting the self signed certificate to all machines?
Manually
How do you handle DPI-SSL for guest wifi networks where they don't download a SW cert?
I personally suggest having your guest wifi on a different network and ensure they have no access to any of your internal networks. Because you are right, you can’t do DPI-SSL on what wifi… so yes, they might infect themselves, but they are not your corporate devices and don’t have any access to your networks… so no issues :-)
When I check certificate on a website, it shows their certificate not mine. Not set up right? Really appreciate the videos, Jean-Pier.
Could be a few things.
1: website cashed in your browser. Try a browser you never ever use, like edge :-) or try a website you never visited.
2: some website use the protocol QUIC which is working on UDP/443 and that bypass DPISSL. (Often seen on Google stuff, like RUclips) try a none-Google website. Like ford.com. See if the issue is resolved. If so, in the firewall, block outbound traffic on UDP/443. That will force your browser to use TCP/443 and go through DPISSL
3: yes you might have set it up wrong :-) if the above 2 don’t solve it. Then you can call sonicwall support
Do you have any recommendations for companies using Azure Active Directory only? Smaller companies may select to use Azure AD instead of dedicated domain controllers. Would Azure AD Domain Services fill that need?
Yes :-)
@@JeanPierTalbot I need to 'buy a vowel' here - can you share them or point me in the right direction?
@ time stamp 4:52 you see it says tz500 with the gen 7 GUI???
Yes, it’s one of the great features of centrally managing firewalls through NSM. It offers the same UI no matter what generation of firewall people are managing
Hi, great video, but how can i export the exclusion list, on the tab Common Name?
If there are no export button, you can probably export them in CLI.
But why do you want to export them?
Hi Sir Jean,
How about for phones/mobiles? Do we also need to install this in phones?
Thank you Sir.
Generally speaking phones are not corporate device. So you don’t have control of their security. I would personally advice keeping them off of your network by creating another SSID and putting them on a separate VLAN.
Reason is that most iPhone apps I tested don’t work even if I imported the certificate, they want their certificate or they just don’t work.
So if the devices are not yours, they are on a different vlan with no access your your network, I would not be worried of not having DPI-SSL…
Hi, followed every single instruction, exported and installed DPI-SSL cert but it doesn't show up in chrome or any other browser. can you please help
UPDATE: it worked after I selected all categories under CFS Category-based inclusion/Exclusion.
If you excluded all categories you pretty much disabled all DPI-SSL.
If the cert does not show up in your browser, that means the cert import didn’t work. If you used GPO like I showed, you might have an AD issue where GPO don’t get pushed.
@@JeanPierTalbot Cert got fixed after i pushed gpo. thank you
why you mention your contact if don't have time to reply back people
I don’t think I got an email from you.
dude is completely out of H's cant give an H even if he wanted, all out..