User manual SONICWALL SONICOS ENHANCED 5.6 DPI-SSL

[. . . ] In the Client DPI-SSL scenario, the SonicWALL UTM appliance typically does not own the certificates and private keys for the content it is inspecting. After the appliance performs DPI-SSL inspection, it re-writes the certificate sent by the remote server and signs this newly generated certificate with the certificate specified in the Client DPI-SSL configuration. By default, this is the SonicWALL certificate authority (CA) certificate, or a different certificate can be specified. Users should be instructed to add the certificate to their browser's trusted list to avoid certificate trust errors. [. . . ] Click Apply. After the certificate has been imported, you must configure it on the Client DPI-SSL page: 1. 3. For help with creating PKCS-12 formatted files, see "Creating PKCS-12 Formatted Certificate File" on page 4. Adding Trust to the Browser In the previous section we described how to configure a re-signing certificate authority. In order for re-signing certificate authority to successfully re-sign certificates browsers would have to trust this certificate authority. Such trust can be established by having re-signing certificate imported into the browser's trusted CA list. · Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates. Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import Wizard will guide you through importing the certificate. Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the Trust this CA to identify websites check box is selected, and click OK. Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK. · · Creating PKCS-12 Formatted Certificate File PKCS12 formatted certificate file can be created using Linux system with OpenSSL. In order to create a PKCS-12 formatted certificate file, one needs to have two main components of the certificate: 4 SonicOS 5. 6 - DPI-SSL Using DPI-SSL · · Private key (typically a file with . key extension or the word key in the filename) Certificate with a public key (typically a file with . crt extension or the word cert as part of filename). /etc/httpd/conf/ssl. key/server. key /etc/httpd/conf/ssl. crt/server. crt For example, Apache HTTP server on Linux has its private key and certificate in the following locations: · · With these two files available, run the following command: openssl pkcs12 -export -out out. p12 -inkey server. key -in server. crt In this example out. p12 will become the PKCS-12 formatted certificate file and server. key and server. crt are the PEM formatted private key and the certificate file respectively. After the above command, one would be prompted for the password to protect/encrypted the file. After the password is chosen, the creation of PKCS-12 formatted certificate file is complete and it can be imported into the UTM appliance. Client DPI-SSL Examples The following sections · · "Content Filtering" on page 5 "Application Firewall" on page 5 Content Filtering To perform SonicWALL Content Filtering on HTTPS and SSL-based traffic using DPI-SSL, perform the following steps: 1. 8. Navigate to the DPI-SSL > Client SSL page Select the Enable SSL Inspection checkbox and the Content Filter checkbox. Navigate to the Security Services > Content Filter page and click the Configure button. Navigate to a blocked site using the HTTPS protocol to verify that it is properly blocked. Note For content filtering over DPI-SSL, the first time HTTPS access is blocked result in a blank page being displayed. If the page is refreshed, the user will see the SonicWALL block page. Application Firewall Enable Application Firewall checkbox on the Client DPI-SSL screen and enable Application Firewall on the Application Firewall >Policies screen. 1. 5. Navigate to the DPI-SSL > Client SSL page Select the Enable SSL Inspection checkbox and the Application Firewall checkbox. [. . . ] The following sections describe how to configure Server DPI-SSL: · · · · "Configuring General Server DPI-SSL Settings" on page 6 "Configuring the Exclusion List" on page 7 "Configuring Server-to-Certificate Pairings" on page 7 "SSL Offloading" on page 8 Configuring General Server DPI-SSL Settings To enable Server DPI-SSL inspection, perform the following steps: 1. Select which of the following services to perform inspection with: Intrusion Prevent, Gateway Anti-Virus, Gateway Anti-Spyware, and Application Firewall. 6 SonicOS 5. 6 - DPI-SSL Using DPI-SSL 4. Scroll down to the SSL Servers section to configure the server or servers to which DPI-SSL inspection will be applied. See "Configuring Server-to-Certificate Pairings" on page 7. Configuring the Exclusion List By default, the DPI-SSL applies to all traffic on the appliance when it is enabled. [. . . ]