HTTPS Content Filtering in SonicWall CFS and Office 365 / Outlook 2016

When I enable HTTPS Content Filtering in our SonicWall CFS, connectivity to Office 365 breaks very slowly. It might be fine for a while, but randomly some users start to have Outlook issues where it says "trying to connect" at the bottom of Outlook, but eventually it says "disconnected", and then no mail comes down.

I have added all domain names listed here and here to the Allowed Domains list, in every permutation like https://, *., and just as shown on those links, but Outlook still slowly fails. To get everybody back up and running, I have to go back into the CFS and disable HTTPS Content Filtering.

Ideas?
pkromer Asked:
masnrock Commented:
Are you using app controls as well?
0
pkromer (Author) Commented:
No app controls, I'm using CFS Policy Assignment via User and Zone Screens.
0
pkromer (Author) Commented:
btw, we need the https filtering to block sites like Facebook, Twitter, and any other sites that use https and get around the normal forbidden domains list. If any of you know how we can achieve that end without https filtering, that would solve this also.
0
Blue Street Tech (Last Knight) Commented:
Hi pkromer,

What is the SonicWALL Model and firmware running?

...every permutation like https://, *.,
This can cause false positives and undesired behavior, so remove them and just include the domain exactly as it is listed. In many of the cases you can trust the domain over explicitly keying in the subdomain, because the domain will automatically wildcard everything below it.

Do you have SSL-DPI running? If not, I'd strongly recommend it, as it is a much better method for executing CFS via HTTPS. CFS via HTTPS filtering is different from HTTP CFS...and uses IPs & hostnames as opposed to being able to perform redirects to enforce authentication or provide a block page.

If you are running multiple CFS policies I'd recommend putting the exclusions in the Global Policy as opposed to Per Policy in CFS 3.0. In CFS 4.0 make sure each policy in each Zone required for Office 365 includes the updated exclusions list.

Let me know once you have applied the changes.
0
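The answer above makes two points about hostname-based allow lists: a bare domain entry already covers every subdomain beneath it, and entries written as "https://..." or "*." never match and only cause trouble. The following illustration (added here; it is not SonicWall's code and makes no claim about how SonicOS implements CFS) shows the suffix-match behaviour described and adds a lint pass that flags entries that can never match a TLS hostname. The `SAMPLE_ALLOW_LIST` values are constructed for the example, mirroring the permutations the question says were added.

```python
# Added illustration, not SonicWall's implementation: a hostname allow-list
# matcher with "bare domain covers all subdomains" semantics, plus a lint
# pass for entries that can never match a hostname (scheme, wildcard, path).
from typing import List, Tuple


def hostname_allowed(hostname: str, allow_list: List[str]) -> bool:
    """Return True if hostname equals an entry or is a subdomain of one."""
    host = hostname.lower().rstrip(".")
    for entry in allow_list:
        e = entry.lower().rstrip(".")
        # Exact match, or a match on a label boundary, so that
        # "office365.com" covers "outlook.office365.com"
        # but does not cover "notoffice365.com".
        if host == e or host.endswith("." + e):
            return True
    return False


def lint_allow_list(allow_list: List[str]) -> List[Tuple[str, str]]:
    """Report entries that can never match a hostname seen in TLS SNI."""
    problems: List[Tuple[str, str]] = []
    for entry in allow_list:
        if "://" in entry:
            problems.append((entry, "contains a URL scheme; use the bare hostname"))
        elif entry.startswith("*."):
            problems.append((entry, "literal wildcard; the bare domain already covers subdomains"))
        elif "/" in entry:
            problems.append((entry, "contains a path; hostname matching cannot see paths"))
    return problems


# Constructed sample: one correct entry and three broken permutations.
SAMPLE_ALLOW_LIST = [
    "office365.com",
    "https://office365.com",
    "*.office365.com",
    "office365.com/owa",
]

if __name__ == "__main__":
    for host in ("outlook.office365.com", "notoffice365.com"):
        print(host, "->", hostname_allowed(host, SAMPLE_ALLOW_LIST))
    for entry, why in lint_allow_list(SAMPLE_ALLOW_LIST):
        print("problem:", entry, "-", why)
```

Running the lint before pasting a vendor's published domain list into an allow list catches the "https://" and "*." variants that the question describes; only the bare `office365.com` entry does any work.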
Blue Street Tech (Last Knight) Commented:
btw, we need the https filtering to block sites like Facebook, Twitter, and any other sites that use https and get around the normal forbidden domains list. If any of you know how we can achieve that end without https filtering, that would solve this also.
You can achieve this in a more granular approach if needed with App Control Advanced too. Filter - Category: Social Networking; Application: Facebook and set to block, which will block all Facebook activities. Do the same for Twitter and any other social media you want to block.
0
pkromer (Author) Commented:
SonicWall NSA 2400, firmware SonicOS Enhanced 5.9.1.10-1o.
0
pkromer (Author) Commented:
We are running multiple policies but all allowed and forbidden domains are in the global policy, and each sub-policy is set to get those from global.
0
Blue Street Tech (Last Knight) Commented:
SonicWall NSA 2400, firmware SonicOS Enhanced 5.9.1.10-1o.
You should upgrade to the 6.2 or 6.5 leg as they both provide major security improvements & bug fixes. 6.2 is the requirement for running SSL-DPI as well.

We are running multiple policies but all allowed and forbidden domains are in the global policy, and each sub-policy is set to get those from global.
OK good.
0
pkromer (Author) Commented:
"You can achieve this in a more granular approach if needed with App Control Advanced too. Filter - Category: Social Networking; Application: Facebook and set to block, which will block all Facebooks activities. Do the same for Twitter and any other social media you want to block."

To do that would I need to switch from CFS Policy Assignment via User and Zone Screens to Via App Rules?
0
pkromer (Author) Commented:
Just realized that to get to App Control Advanced I have to deal with SPI connections setting because I had to change it a couple days ago for browser reasons to get the firmware updated to what it is. Now I need to change it back and reboot the firewall, which I can't do for 4 more hours. Krap. I'll do that and then we can continue this whenever you can next if that is ok with you.
0
Blue Street Tech (Last Knight) Commented:
To do that would I need to switch from CFS Policy Assignment via User and Zone Screens to Via App Rules?
No, App Control is an entirely separate engine. There is some overlap but by design. You can move to App Rules for your CFS deployment for faster processing but I'd hold off until you upgrade to SonicOS 6.2 because then you will be using CFS 4.0 instead of CFS 3.0, which is different in terms of how it executes CFS and managing it as well. When you upgrade, everything will cross over just fine so you don't have to worry about that.

...SPI connections setting because I had to change it a couple days ago for browser reasons to get the firmware updated to what it is.
Are you talking about the self-signed certificate vulnerability of SHA1 and needing to manage the device by downgrading the browser security to SSLv2.0/3.0?

Now I need to change it back and reboot the firewall, which I can't do for 4 more hours. Krap. I'll do that and then we can continue this whenever you can next if that is ok with you.
Sounds good. I'm here for you!
0
pkromer (Author) Commented:
"Are you talking about the self-signed certificate vulnerability of SHA1 and needing to manage the device by downgrading the browser security to SSLv2.0/3.0?"

I changed Firewall advanced settings > Connections to Maximum SPI Connections (DPI services disabled) from DPI Connections (DPI services enabled with additional performance optimizations) because yes, Chrome wouldn't open the firewall. I was previously using an old version of IE to admin the unit, which was dumb.

"Sounds good. I'm here for you!"

Thanks very much.
0
Blue Street Tech (Last Knight) Commented:
Yes, so upgrading the SonicOS will change the hashing cipher from SHA1 (officially insecure) to SHA256 but you will need to regenerate the certificate in order to change the certs in System > Administration section. Once you do that then you will be able to use all Modern Browsers to manage the SonicWALL. Modern browsers along with the rest of the world view SHA1 as a security vulnerability since 01/01/2017.

Once you do that, enable Maximum DPI Connections (DPI services enabled) - it's a baseline security fundamental you need in order to protect your network. The only reason you would want to move to DPI Connections (DPI services enabled with additional performance optimizations) is if the SonicWALL is maxing out in its performance, which you can view in the System > Status section under CPUs: & Connections: (Peak/Current/Max), among other places.
0
pkromer (Author) Commented:
Where / how do I regenerate the certificate, and where / how do I install it?
0
Blue Street Tech (Last Knight) Commented:
This should really be another separate question because it doesn't directly address your question here, however, it is a beneficial byproduct of the SonicOS upgrade which will solve your issue in this question.

Nevertheless, to upgrade your cert here is what you do. Once you have installed the SonicOS update, either 6.2 or 6.5, go to the System > Administration page and navigate to the Web Management Settings section. Next to Certificate Common Name: you should see a button labeled Regenerate Certificate. Once you click on that, then click Accept to save. Reboot the SonicWALL and verify the new cert has been implemented in the browser. When you examine the cert, the old one will show SHA1 and the new one will show SHA256. Once you have verified it is using SHA256 you will be much more secure and able to use a modern browser for management. For better security, ideally, I'd recommend procuring a third-party CA-signed cert instead of self-signed.

Let me know if you have any questions!
0
pkromer (Author) Commented:
App control... got that figured out, it works but how do I add another entry? I only have facebook blocked now but need to block a few more sites. See attached image.

btw, I have not upgraded the firmware or done any of the other stuff... I need to just get this part handled at this point. I definitely will follow your advice very soon after I get this done though.
[attached image: 2018-02-21_9-15-28.jpg]
0
Blue Street Tech (Last Knight) Commented:
Perfect! Now you can do the same tasks as you did for Facebook for the other sites you wish to block by pulling down the Application drop down menu and locating them accordingly.
0
pkromer (Author) Commented:
2 questions... why does the interface only show the last one you created? I have done 4 now, and I only see the most recent one I did. I don't see all 4 of them in a list. Also, Facebook and Twitter seem to be completely blocked, but MySpace and SnapChat are only partially blocked. Why would that be?
0
pkromer (Author) Commented:
Never mind that last part, SnapChat and MySpace are now fully blocked, no idea why there was a lag time. First question still stands though, it's weird that I can't see all the entries I've added and makes me wonder if they're going to stay in effect.
0
Blue Street Tech (Last Knight) Commented:
I'm not sure I follow...what is not showing exactly? Those are just views; you can adjust them to see whatever you desire.

Also, if you wish to block all Social-Networking apps just configure it once by clicking the Configure icon next to the Category rather than going through each one. It saves a lot of time.
0
pkromer (Author) Commented:
Attached is a screenshot of what I mean by it showing just the most recent site I blocked. Btw, I also just did what you said and went to the small pencil / edit image next to category social networking and enabled blocking, which I assume is what you mean by not having to do each one separately.
[attached image: 2018-02-21_11-04-42.jpg]
0
Blue Street Tech (Last Knight) Commented:
Yes, exactly. That way the entire category is blocked.

OK, so the View By: is your first filter. Right now you have it set to Applications, which is why it is showing this on the Application level.
Hierarchically it goes like this:
  • Category
  • Application
  • Signature

Then you have the Application: filter, which right now you have set to SnapChat; however, if you want to see all the Applications within the Category: Social-Networking then select All on the drop-down next to Application:.

Lastly, if you want to see all the Categories then next to the Category: filter drop down select All to view all.

It takes a little while to get how it works but once you do it's great!

Does that make sense?
0
pkromer (Author) Commented:
Hey, I wrote a comment to you before closing the question and it's not here. Anyway, I said you are probably the most helpful and attentive expert I've run across in all my years of using EE. Thanks very much.
0
Blue Street Tech (Last Knight) Commented:
Wow, thank you so much for the great compliment! I'm glad I could help!!

P.S. I think the site may be having some issues...I have had to post twice a few times.
0
pkromer (Author) Commented:
ah, makes sense. Some of your posts have come in as two emails to me instead of one. EE needs to get on EE and find an expert to help them with their site... oh wait :-)
0
Blue Street Tech (Last Knight) Commented:
LOL
0
Question has a verified solution.