SonicWall: How to configure SSL/TLS Inspection on SonicWall firewall

Overview

This article shows how to configure the SSL/TLS Inspection (Decryption DPI-SSL) feature on a SonicWall firewall. The feature decrypts and inspects outbound Internet traffic, which gives visibility into the whole network's activity and lets the firewall check for and detect malicious code, viruses and ransomware delivered inside encrypted connections.

Diagram

Steps of configuration

  • Enable and configure Decryption DPI-SSL
  • Download and install SSL Certificate on the user’s computer
  • Exclude URLs that SSL Inspection cannot decrypt

How to configure

Enable and configure Decryption DPI-SSL

  • Log in to the SonicWall firewall with an Admin account
  • Go to POLICY -> Choose Settings -> Choose Decryption (DPI-SSL) -> Choose General
  • Enable SSL Client Inspection
  • Enable Always authenticate server for decrypted connections
  • Enable Allow SSL without decryption (bypass) when connection limit exceeded
  • Enable Audit new default exclusion domain names prior to being added for exclusion
  • Enable Always authenticate server before applying exclusion policy

Click Accept

Download and install SSL Certificate on the user’s computer

  • Go to tab Certificate -> Click Download
  • On the user’s computer -> In search box enter mmc -> Choose File -> Click Add/Remove Snap-in…
  • Choose Certificates -> Click Add
  • Choose Computer account -> Click Next
  • Choose Local computer -> Click Finish -> Click OK
  • Choose Certificates -> Choose Trusted Root Certification Authorities -> Right click in Certificates -> Click All Tasks -> Choose Import...
  • Click Next -> Click Browse and choose the certificate file that was downloaded before -> Click Next
  • Click Next -> Click Finish
  • Check that the certificate was imported
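The same install and check as an added PowerShell example (not from the article or from SonicWall), which also goes one step further and probes a TLS connection to confirm the firewall is really re-signing traffic. It assumes the downloaded certificate is saved at the placeholder path C:\Temp\sonicwall-dpi-ssl.cer, that www.example.com is the test site, and that the script runs in an elevated session.

```powershell
# Added example: installs the DPI-SSL CA certificate downloaded from the
# firewall into the Computer account's Trusted Root store, verifies the import,
# then checks that a TLS connection is actually re-signed by that CA.
param(
    [string]$CertPath  = 'C:\Temp\sonicwall-dpi-ssl.cer',  # placeholder path
    [string]$ProbeHost = 'www.example.com'                 # assumed test site
)

# Load the file first so the thumbprint can be compared after the import.
$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
Write-Host "Importing CA '$($ca.Subject)' (thumbprint $($ca.Thumbprint))"

# Same as the mmc steps: Certificates (Local Computer) ->
# Trusted Root Certification Authorities -> All Tasks -> Import.
Import-Certificate -FilePath $CertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# "Check that the certificate was imported": thumbprint must be in the Root store.
$installed = Get-ChildItem -Path 'Cert:\LocalMachine\Root' |
    Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if (-not $installed) {
    throw 'CA certificate was not found in Trusted Root Certification Authorities'
}
Write-Host "CA present in LocalMachine\Root: $($installed.Subject)"

# A decrypted connection presents a certificate issued by the firewall's CA
# instead of the site's public CA, so the root of the served chain tells us
# whether this connection was inspected.
function Test-DpiSslInspection {
    param([string]$HostName, [int]$Port = 443)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only want to read what was served.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null   = $chain.Build($served)
        $root   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        [pscustomobject]@{
            Host      = $HostName
            Issuer    = $served.Issuer
            Inspected = ($root.Thumbprint -eq $ca.Thumbprint)
        }
    } finally {
        $client.Close()
    }
}
Test-DpiSslInspection -HostName $ProbeHost | Format-List
```

Inspected is $false for a host that is on the exclusion list or when the client is not behind the firewall, which makes the same script useful for confirming that a bypass policy took effect.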

Exclude URLs that SSL Inspection cannot decrypt

** When SSL Inspection is enabled, some applications will fail to work. The reason is that SonicWall cannot understand and decrypt the traffic to those applications' servers, so that traffic is trusted and allowed to bypass decryption.

  • Go to OBJECT -> Choose Websites -> Click Add
  • Enter name
  • Enter URL that you want to bypass
  • Go to Website Groups -> Click Add
  • Enter name
  • Choose Object Website -> Click > icon -> Click Save
  • Go to POLICY -> Choose Decryption Policy -> Click Add
  • Enter name
  • In Action: Choose Bypass
  • In Source Address: Choose LAN Subnets
  • In Destination Address: Choose Any
  • Move to tab URL
  • In Website: Choose Website Group that was created before

-> Click Add
