How to block HTTPS (SSL) sites using SonicWALL DPI-SSL and Content Filter Service (CFS) (SW8282)

  • Title

    How to block HTTPS (SSL) sites using SonicWALL DPI-SSL and Content Filter Service (CFS)
  • Resolution

    Article Applies To:

    Services: DPI SSL, CFS


    Deep Packet Inspection of Secure Socket Layer (DPI-SSL) extends SonicWALL’s Deep Packet Inspection technology to allow for the inspection of encrypted HTTPS traffic and other SSL-based traffic. The SSL traffic is decrypted transparently, scanned for threats and then re-encrypted and sent along to its destination if no threats or vulnerabilities are found. DPI-SSL provides additional security, application control, and data leakage prevention for analyzing encrypted HTTPS and other SSL-based traffic.

    The following security services and features are capable of utilizing DPI-SSL:

    • Gateway Anti-Virus
    • Gateway Anti-Spyware
    • Intrusion Prevention
    • Content Filtering
    • Application Firewall
    • Packet Capture
    • Packet Mirror

    Normally, without DPI-SSL, HTTPS traffic cannot be blocked by SonicWALL Security Services, because the firewall only sees encrypted payload. With the SonicWALL DPI-SSL feature, the SSL traffic is decrypted by the SonicWALL for inspection, which lets the SonicWALL inspect the traffic and enforce any Security Services prevention on it. This article describes how to block HTTPS sites using SonicWALL Content Filtering when DPI-SSL is enabled.


    Enabling DPI-SSL Client Inspection for Content Filter

    In this section we will enable DPI-SSL Client Inspection. The Client DPI-SSL deployment scenario typically is used to inspect HTTPS traffic when clients on the LAN browse content located on the WAN.

    For the purpose of this article we will be using Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate as the re-signing authority. Users should be instructed to add the certificate to their browser’s trusted list to avoid certificate trust errors.

    • Log in to the SonicWALL Management GUI.
    • Navigate to DPI-SSL and click on Client SSL.
    • On the Client SSL page, check the box under Enable SSL Client Inspection.
    • Check the box under Content Filter.

    Now that DPI-SSL Client Inspection is enabled, SonicWALL will be able to apply Content Filter policies on the clear-text portion of the SSL encrypted payload passing through it.

    Adding Trust to the Browser

    To avoid certificate trust errors, and so that the re-signing certificate authority can successfully re-sign certificates, browsers must trust this certificate authority. Such trust is established by importing the re-signing certificate into the browser's trusted CA list.

    In the DPI-SSL > Client SSL page, click on the (download) link to download the Default SonicWALL DPI-SSL Certificate Authority (CA) Certificate.

    To import the certificate into a browser, do the following:

    • Internet Explorer: Go to Tools > Internet Options, click the Content tab and click Certificates.
      Click the Trusted Root Certification Authorities tab and click Import. The Certificate Import
      Wizard will guide you through importing the certificate.
    • Firefox: Go to Tools > Options, click the Advanced tab and then the Encryption tab. Click View
      Certificates, select the Authorities tab, and click Import. Select the certificate file, make sure the
      Trust this CA to identify websites check box is selected, and click OK.

    • Mac: Double-click the certificate file, select Keychain menu, click X509 Anchors, and then click OK. Enter the system username and password and click OK.
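    As an added, constructed example (not part of the original article or SonicWALL's own tooling), the following POSIX shell script uses OpenSSL to stand in for the DPI-SSL re-signing CA: it creates a throwaway CA (the name "Example DPI-SSL CA" is assumed), issues a re-signed certificate for a site (www.example.com is a constructed value), and shows that the certificate fails verification until the CA is trusted, which is exactly the trust error users see before importing the DPI-SSL CA.

    ```shell
    #!/bin/sh
    # Constructed example: simulate DPI-SSL re-signing with a throwaway CA and
    # show how client-side trust changes the verification result.
    set -e
    WORK="$(mktemp -d)"
    trap 'rm -rf "$WORK"' EXIT
    cd "$WORK"

    # 1. Throwaway CA standing in for the SonicWALL DPI-SSL re-signing CA (assumed name).
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example DPI-SSL CA" \
      -keyout dpi-ca.key -out dpi-ca.pem >/dev/null 2>&1

    # 2. Re-signed leaf certificate for a site (constructed name), as the firewall
    #    would present it to the client instead of the site's public CA certificate.
    openssl req -newkey rsa:2048 -nodes -subj "/CN=www.example.com" \
      -keyout site.key -out site.csr >/dev/null 2>&1
    openssl x509 -req -in site.csr -CA dpi-ca.pem -CAkey dpi-ca.key -CAcreateserial \
      -days 1 -out site.pem >/dev/null 2>&1

    # Prints the issuer CN of the certificate in $1. On a real client, an issuer of
    # the DPI-SSL CA (rather than the site's public CA) shows DPI-SSL re-signed it.
    issuer_cn() {
      openssl x509 -in "$1" -noout -issuer | sed 's/.*CN *= *//'
    }

    # Returns 0 if the cert in $1 verifies against the system store only, i.e. what a
    # browser that has NOT imported the DPI-SSL CA would conclude.
    verifies_untrusted() {
      openssl verify "$1" >/dev/null 2>&1
    }

    # Returns 0 if the cert in $1 verifies once the DPI-SSL CA is trusted, i.e. after
    # the CA has been imported as described in the article.
    verifies_trusted() {
      openssl verify -CAfile dpi-ca.pem "$1" >/dev/null 2>&1
    }

    report() {
      printf 'issuer of site certificate: %s\n' "$(issuer_cn site.pem)"
      if verifies_untrusted site.pem; then echo "without DPI-SSL CA: trusted"
      else echo "without DPI-SSL CA: certificate trust error"; fi
      if verifies_trusted site.pem; then echo "with DPI-SSL CA imported: trusted"
      else echo "with DPI-SSL CA imported: certificate trust error"; fi
    }

    report
    ```

    Run against a real client, the same `openssl verify` check on a certificate saved from the browser tells you whether the trust error is caused by a missing DPI-SSL CA import or by something else.
    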

    Configuring SonicWALL Content Filter

    • Navigate to the Content Filter page.
    • Click on Configure.
    • In the SonicWALL Filter Properties window, uncheck Enable IP based HTTPS Content Filtering.
    • Click on the Custom List tab.
    • Click on Add under Forbidden Domains.
    • Enter the domain to be blocked under Domain Name and click OK.
    • Click on OK to save the settings. {In this scenario we will be using only the Default CFS policy.}
    • Navigate to Network > Zones.
    • Click on the configure button under the LAN zone.
    • Check the box under Enforce Content Filtering Service. {If CFS needs to be enabled on other zones, check the appropriate box under each zone.}


    How to Test:

    Open a web browser and enter
    A CFS block page will appear. {If this is being done from the same computer as the one which is logged into the SonicWALL Management GUI, make sure you are logged out before testing.}


    See Also:

    UTM: SonicOS Enhanced 5.6 DPI-SSL Feature Module (PDF)


SonicWALL NSA Series
5000, 4500, 3500, 250MW, 250M, 2400, 220W
SonicWALL E-Class NSA Series
E8510, E8500, E7500, E6500, E5500


Article History:
Created on: 8/18/2010
Last Update on: 1/21/2015