WatchGuard Deep Packet Inspection (DPI)

Everyone knows that you should use a secure website, also known as HTTPS, when processing any transactions online to avoid security issues and possible stolen credit card data.  The problem with HTTPS websites is that, due to their secure nature, this type of connection can also get you infected with rootkits, malware, or ransomware such as Cryptowall and Locky.  This is because the encrypted HTTPS traffic bypasses malware scanners.

The issue you can run into is that when you use HTTPS websites, the traffic cannot natively be scanned by the WatchGuard firewall or by locally installed antivirus software.  This is due to the fact that the connection is encrypted end to end between you and the remote computer, so scanners sitting in between cannot see what is happening.  So, bad actors are now creating secure websites to download the virus to your computer, bypassing the firewall and other scanners!  They are using the very technology that is supposed to keep you safe against you.

You may have heard of DPI, or maybe you even tried to enable it in the past with bad or mixed results.  This is a common problem if the WatchGuard Firebox is not properly configured or the policies need some tweaking.  I am here to tell you that these issues should not deter you, and it is vital that this inspection is enabled for security.  The key to any network change is to go slow and be diligent with a select few (patient) users so that the tweaks get worked out before enabling it on a mass scale across the network.

The first thing to discuss is that you have to use an SSL certificate generated on the firewall itself.  The firewall uses this certificate to re-sign the websites it inspects, so this certificate will need to be installed on all of your Windows and Mac devices.  Your computer needs to inherently trust the firewall, and to do that you need to install this self-signed certificate.  We will cover how to get the certificate exported and installed in a later blog post, so make sure you are subscribed.

Next, your WatchGuard firewall has a feature called DPI that is embedded into the HTTPS Proxy Policy.  The settings allow you to bypass this inspection for certain websites if needed, when they don't play nice.  For example, when we enabled this at our office we had an issue with iMessage on Apple devices, so we had to add a bypass for *.apple.com to solve that problem.  We also found that web meeting sites such as WebEx didn't like the inspection, so we had to bypass that as well.  But for the most part every site we tested is working.  It just required some patience and testing.  We started with one user, then two, then everyone.  Once we rolled out to everyone we just needed to make a couple of final tweaks and then it was good to go.
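When rolling DPI out user by user, the check you want at each step is "which sites is the firewall actually inspecting, and is my bypass list doing what I think?"  A site that is inspected presents a certificate issued by the firewall's own CA; a bypassed site presents its normal public CA.  The script below is an added example, not WatchGuard's code or part of the original post: it connects to each host, reads the issuer of the certificate the client receives, and compares that with the bypass list.  The CA file path, the CA commonName, and the `*.webex.com` pattern are placeholder assumptions, and the wildcard matching uses Python's `fnmatch`, which may differ from the Firebox's own matching rules.

```python
"""Check which HTTPS destinations the Firebox is actually inspecting.

Added example (not WatchGuard's code). Assumptions: the Firebox proxy CA has
been exported to a PEM file, its commonName is known, and bypass entries use
shell-style wildcards (fnmatch), which may differ from the Firebox's rules.
"""
import fnmatch
import socket
import ssl
import sys

# Constructed placeholders: replace with your own exported CA and its commonName.
FIREBOX_CA_PEM = "firebox-proxy-ca.pem"          # placeholder path
FIREBOX_CA_CN = "Firebox-Proxy-CA-PLACEHOLDER"   # placeholder issuer CN

# Bypass list modelled on the post (iMessage needed *.apple.com, and WebEx
# also had to be excluded). The webex pattern is an assumed illustration.
BYPASS_PATTERNS = ["*.apple.com", "*.webex.com"]


def matches_bypass(host, patterns=BYPASS_PATTERNS):
    """True if host matches any wildcard entry in the bypass list."""
    host = host.lower().rstrip(".")
    return any(fnmatch.fnmatchcase(host, p.lower()) for p in patterns)


def issuer_cn(peercert):
    """Pull commonName out of the issuer RDN sequence returned by getpeercert()."""
    for rdn in peercert.get("issuer", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def classify(host, cn, firewall_cn=FIREBOX_CA_CN, patterns=BYPASS_PATTERNS):
    """Compare what the client saw with what the bypass list says should happen."""
    inspected = cn == firewall_cn
    bypassed = matches_bypass(host, patterns)
    if inspected and not bypassed:
        return "inspected"
    if not inspected and bypassed:
        return "bypassed-as-configured"
    if inspected and bypassed:
        return "PROBLEM: inspected despite bypass entry"
    return "PROBLEM: not inspected, certificate came from a public CA"


def fetch_issuer_cn(host, ca_pem=FIREBOX_CA_PEM, timeout=5):
    """Open a TLS connection and return the issuer CN of the leaf certificate.

    The Firebox CA is added alongside the default trust store so verification
    succeeds whether or not this particular connection is being inspected.
    """
    ctx = ssl.create_default_context()
    ctx.load_verify_locations(ca_pem)
    with socket.create_connection((host, 443), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return issuer_cn(tls.getpeercert())


if __name__ == "__main__":
    # Usage: python dpi_check.py host1 host2 ...  (defaults are just samples)
    for host in sys.argv[1:] or ["www.example.com", "www.apple.com"]:
        try:
            cn = fetch_issuer_cn(host)
        except (OSError, ssl.SSLError) as exc:
            print(f"{host}: connection failed ({exc})")
            continue
        print(f"{host}: issuer={cn!r} -> {classify(host, cn)}")
```

Run it from one of the pilot users' machines against the handful of sites that user actually visits; a "PROBLEM" line for a site that is not on the bypass list but is not being inspected usually means the HTTPS Proxy Policy is not the one handling that traffic, while an inspected site that is on the list means the bypass entry is not matching the way you expected.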


Using the WatchGuard firewall and servers you already have, we can enable the ability to scan inside HTTPS traffic and greatly improve your security.  It just takes some configuration on your network and server.  And, as an added bonus, this will work on both Windows and Mac computers.