WatchGuard Deep Packet Inspection (DPI)

There is a growing trend when it comes to websites.  Many years ago, if you visited a site, you were most likely accessing it over HTTP (port 80).  This is considered basic web traffic, and can be monitored easily by firewalls.  As more and more of our day-to-day activities start to rely on Internet access, that trend has been changing to more sites using HTTPS (443).  This is because HTTPS encrypts the data, so sites like Amazon, Facebook, and your bank website can protect your personal or payment information.

While HTTPS sites in general are more secure, there’s another side of the issue.  Because these sites are encrypted, it is nearly impossible for a firewall, in its base configuration, to be able to review the data.  This wouldn’t be such a big issue, except for the fact that attackers know this.  The increase in ransomware, things like Cryptowall, Locky and BadRabbit, have been made worse because they are being distributed through HTTPS sites.  These attackers know that most firewalls can’t review all the data on an HTTPS site, so they use them to infect our networks.  We, assuming that HTTPS sites are safe, visit these sites without realizing the potential dangers lurking there.

The good news is that not all hope is lost when it comes to protecting ourselves from the potential dangers of unscanned HTTPS sites.  Your WatchGuard firewall is capable of scanning this HTTPS content completely, and at no extra licensing fee.  This feature, called Deep Packet Inspection (DPI), just has to be configured to ensure your HTTPS traffic is safe.  All that this feature relies on outside of your firewall is a trusted certificate that needs to be installed on your devices.  In the past, the setup Deep Packet Inspection has been daunting, leading many organizations to take the risk of not scanning their HTTPS traffic.  However, by following the steps below, you can enable the service easily, and rest easier knowing your network is fully protected.

Step 1: Deploy the Certificate

In order for your firewall to be able to properly review HTTPS traffic, it needs to be a trusted source.  This requires an SSL certificate.  The good news is that this certificate already resides on the firewall, so you don’t have to purchase anything extra.  The only thing you need to do is to deploy this certificate to the computers on your network so that they are also trusted sources. 

In order to get the certificate, log into your firewall and open Firebox System Manager.  Then go to View > Certificates.  Look for the Proxy Authority certificate, and export it.

WatchGuard SSL Certificate Screen

This certificate is what will need to be installed on the computers in your network.  You can install it manually, or can easily roll it out through Group Policy. 

NOTE: If you are going to roll it out through Group Policy, make sure to change the file extension to .cer

Step 2: Use a Test Group

In the HTTPS proxy, create a new Proxy Action.  This is where Deep Packet Inspection will actually be configured.  Once you are in the proxy action, click Edit in the top right.

WatchGuard Deep Packet Inspection Screen

Next, check the box for Enable Content Inspection, and click OK to go back to the Proxy Action window. 

WatchGuard Enable Content Inspection

This will enable the Deep Packet Inspection, but now you need to tell the firewall to actually filter your HTTPS traffic.  Look at the bottom of the Proxy Action window. 

Select Inspect for the action, and make sure to check the Log button.  Then, select the Proxy Action you are using for your HTTP traffic.  This will allow the firewall to filter HTTPS traffic, just like it is regular web traffic.

WatchGuard DPI Action

Step 4: DPI with WebBlocker

If you have WebBlocker enabled, next go to the WebBlocker tab in your Proxy Action.  Select the WebBlocker profile you want to use.  Check the top box for Select All.  At the bottom, again select the HTTP proxy action.

WatchGuard Deep Packet Inspection WebBlocker

Step 5: Let DPI Run

Now that you have all of your DPI settings in place, save your policy.  You will want to let these test settings run for at least a week so that you have ample time to test how they work.  

Please know that some sites that you visit will probably get blocked.  If this happens, you will need to make a decision on if it is a site you trust.  If it is a site you decide you need to allow an exception for, go back into your Proxy Action window for your HTTPS DPI policy.  Click Add on the right to create a new exception.  Then you will need to name the rule, and put in the domain.

WatchGuard Deep Packet Inspection Exception

Note: DPI exceptions work best when you use the base domain.  For example, let’s say the site we are having trouble with is https://meetings.webex.com.  If you are trying to write an exception, write it as *.webex.com as shown above.

Step 6: Complete the Rollout

Once you have tested Deep Packet Inspection for at least a few days, you can roll it out to everyone in your organization.  This can be done by taking your normal HTTPS policy, and applying the new DPI proxy action to it.  Then you can remove your DPI test policy, bringing everyone’s traffic back to normal but with the added protection of Deep Packet Inspection.

With the increase of HTTPS sites that our users are accessing, we need to ensure we are fully monitoring ALL of our web traffic.  If you are not currently utilizing Deep Packet Inspection, roughly half of your organization’s web traffic is not being filtered.  Furthermore, several of your services, such as Gateway Antivirus, APT Blocker and Data Loss Prevention, won’t work on HTTPS traffic without DPI.  It’s only a matter of time before that leads to an infection on your network.  The good news is that it can be easily remedied.  As an added bonus, Deep Packet Inspection works with Windows, Android, and Apple!

If Deep Packet Inspection is something you are interested in deploying but would like assistance, please Contact Us and our WatchGuard experts will be happy to assist you in getting this deployed.

Related Posts:

Deploying a WatchGuard DPI Certificate Through Active Directory Group Policy

Deploying a WatchGuard DPI Certificate on a Mac

Deploying a WatchGuard DPI Certificate on an Android Device

Deploying a WatchGuard DPI Certificate on an iPhone