😂

Eventually yes. :-)

Thanks Kelly. I would never, ever, remove the firewall due to a good antivirus. To me, your AV is your last layer of defence. And keep in mind, your AV is not installed in every network enabled device. Those are just a couple reason to keeping firewall. For your DPI-SSL question, I suspect the firewall perform inspection and re-encrypt everything with the sonicwall cert. then your endpoint AV perform the same. Easy way to try it: block “cars” website with CFS on the firewall and try going to www.ford.com If you get the CFS deny web page, DPI-SSL is working. If you get a time out in your browser, DPI-SSL is probably not working. Reason been: CFS blockage on https will simply drop packets if you do not have DPISSL, and will give you a deny message if you do have DPI-SSL.

@@JeanPierTalbot Wow - thanks for the quick and detailed reply! So it seems from what you are saying that it is still a good idea/ok to include DPI-SSL scanning on workstations that also have SSL inspection happening at their endpoint? I like having both the firewall (with all of its capabilities) scanning in addition to the endpoint AV unless that is crazy.... thanks again!

@@JeanPierTalbot So I tested as you suggested: Enabled a couple CFS categories to block on a host PC whose IP is included in DPI-SSL. It did not block anything, although the DPI-SSL status indicates sessions were being processed. So I guess the decision to make is: Do I exclude my PC's from DPI-SSL since my endpoint AV is handling it, but let everything else go thru DPI-SSL, *OR* do I remove the SSL scan feature in the endpoint AV so that I have full visibility/Sonicwall features via DPI-SSL? I don't know there is a "right" answer but it appears I can't perform DPI-SSL on a PC that already has endpoint software that is doing it and replacing the cert.... thanks again for any comments!

I would not do DPI-SSL on a guest wifi. Will be a nightmare to ask all customers to install a cert

I’m using a tz670. Here is the data sheet for the new tz. www.sonicwall.com/medialibrary/en/datasheet/sonicwall-tz-series-gen-7.pdf

@@JeanPierTalbot thanks. I am using a 670 and my max connection is shown as 30,000 where yours is the 75,000 (time 18:30). Could this be a firmware setting?

@@JeanPierTalbot What firmware were you running? I have SonicOS 7.0.1-R1262 and it shows 30000. Maybe it is a bug in the latest FW. If you are running the latest, can you check? I submitted a ticket too.

If there are no export button, you can probably export them in CLI. But why do you want to export them?

Hum. Good to know. So Firefox would now use the windows cert like IE and chrome. Cool

Il not aware of any firewall capable of inspecting Google quic. So yeah, block udp443 and you are good to go!

Yes, it’s one of the great features of centrally managing firewalls through NSM. It offers the same UI no matter what generation of firewall people are managing

There is no magic. Dpi-ssl can be difficult to turn on. It WILL create issues. That’s why I mentioned in the video to try with one employee in one département and to move on with more people. There is no magic, we are trying to break something encryption has been designed to prevent…. It’s doing the be the same challenge with any firewall vendor. I love the « show connection failure » button sonicwall has. Make this implementation less painful.

If all set peoperly, 2 possibilities comes to mind: 1: the browsing is cashed. Clear the cash and try again. 2: the web site you try is using Google QUIC. Block UDP/443 in the firewall and try again.

Could be a few things. 1: website cashed in your browser. Try a browser you never ever use, like edge :-) or try a website you never visited. 2: some website use the protocol QUIC which is working on UDP/443 and that bypass DPISSL. (Often seen on Google stuff, like KZbin) try a none-Google website. Like ford.com. See if the issue is resolved. If so, in the firewall, block outbound traffic on UDP/443. That will force your browser to use TCP/443 and go through DPISSL 3: yes you might have set it up wrong :-) if the above 2 don’t solve it. Then you can call sonicwall support

I personally suggest having your guest wifi on a different network and ensure they have no access to any of your internal networks. Because you are right, you can’t do DPI-SSL on what wifi… so yes, they might infect themselves, but they are not your corporate devices and don’t have any access to your networks… so no issues :-)

Manually

Yes :-)

@@JeanPierTalbot I need to 'buy a vowel' here - can you share them or point me in the right direction?

Generally speaking phones are not corporate device. So you don’t have control of their security. I would personally advice keeping them off of your network by creating another SSID and putting them on a separate VLAN. Reason is that most iPhone apps I tested don’t work even if I imported the certificate, they want their certificate or they just don’t work. So if the devices are not yours, they are on a different vlan with no access your your network, I would not be worried of not having DPI-SSL…

If you excluded all categories you pretty much disabled all DPI-SSL. If the cert does not show up in your browser, that means the cert import didn’t work. If you used GPO like I showed, you might have an AD issue where GPO don’t get pushed.

@@JeanPierTalbot Cert got fixed after i pushed gpo. thank you

I don’t think I got an email from you.