We currently have Sonicwall CFS deployed. We need to start filtering some HTTPS tracking as well (email, the typical stuff). Is there a recommendation as to use DPI-SSL, or the HTTPS feature in CFS? I’ve tried DPI SSL in the past before and it always gave me problems…

About our environment:

  • We are only concerned about users on network workstations (LAN zone).
  • Currently all users log in via AD, and then are authed by SSO and assigned to a CFS group accordingly.
  • Looking to filter traffic only from the LAN zone; however, we have some servers that reside on LAN as well. I believe in the past that is where we ran into some issues with some of their traffic getting disrupted.
  • Is it possible to set up the “Exclude” for networks to say ALL, and then just set the Users to “Include All LDAP”?

Watching this as we need to implement DPI-SSL as well. I know a few things about it. With IE the GPO works really well; however, with Chrome and Firefox it is more involved to get it working.

Nick, are you using CFS currently? Do you have HTTPS enabled in the CFS?

I get that using the HTTPS portion of CFS just breaks the TCP connection (so the user gets a bad error screen as opposed to a blocked error screen); however, does DPI-SSL offer any other benefits above displaying nice error screens?

All of our workstations are on a DHCP scope from the firewall, so maybe it would make sense to start with just that scope as “included” in the DPI; however, the “Exclude” on the DPI settings can’t be set to “All”. It’s a bit confusing.

We are using CFS, but I don’t know if it is HTTPS enabled. I believe it is, though, as we filter a bunch of content: porn, guns, etc. DPI-SSL is needed to scan for malware within SSL from what I understand, so it does a man-in-the-middle certificate swap to reach inside the packet and inspect everything (i.e. crypto and such). It will drive up your CPU usage a lot if your users are on a lot of SSL sites, which more are converting to every day. This is the reason why I bought an NSA 5600 to handle it all for 150 users.

SonicWALL has made major improvements on the DPI-SSL front with some of the newer firmwares. It is still not a “Set It & Forget It” feature, but is less painful now and a lot easier to get dialed in.

It is also possible to specify what devices are “Included” and/or “Excluded”. This is necessary in order to manage SSL connection counts which will vary depending on hardware. What model SW do you have?

We’ve had a lot of recent success in deploying this with our customers. I’m also running it at home on my SW and have it dialed in and working great.