TTechclick ⚡ XP 0% All lessons
SonicWall · Next-Gen Firewall · DPI-SSLInteractive · L1 / L2 / L3

SonicWall DPI-SSL — Client vs Server TLS Inspection Done Right

Most web traffic is encrypted, so a firewall that can't decrypt TLS is blind to the malware and data theft hiding inside HTTPS. SonicWall DPI-SSL fixes that by decrypting, inspecting with RFDPI, then re-encrypting. This lesson nails the central distinction — Client DPI-SSL for outbound users versus Server DPI-SSL for inbound traffic — the certificates each one needs, and the exclusions that keep pinned apps and banking sites working.

📅 2026-06-19 · ⏱ 16 min · 4 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to SonicWall DPI-SSL (2026): why a firewall must decrypt TLS to see threats inside HTTPS, the two modes — Client DPI-SSL for outbound users (re-signing with the firewall CA you must deploy) and Server DPI-SSL for inbound traffic to hosted servers (using the server's own cert and key) — plus exclusions for banking, certificate-pinned apps, and a safe, performance-aware rollout.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Why decrypt

Encrypted traffic is a blind spot; decrypt to inspect.

 2

Client DPI-SSL

Outbound users; re-sign with the firewall CA.

 3

Server DPI-SSL

Inbound to hosted servers; use the server's cert.

 4

Exclusions & rollout

Pinned apps, banking, performance, staged go-live.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Can a firewall scan threats inside an HTTPS connection without decrypting it?

Answered in Why decrypt.

2. In Client DPI-SSL, whose certificate does the firewall present to the browser?

Answered in Client DPI-SSL.

3. Which mode protects servers you host from inbound attacks?

Answered in Server DPI-SSL.

Most engineers think…

Most people assume that 'turning on SSL inspection' is a single checkbox and that the firewall already sees everything. Both ideas will trip you up in an interview and in production.

SonicWall DPI-SSL has two separate modes for opposite directions. Client DPI-SSL inspects outbound traffic from your users and works by re-signing every external server certificate with the firewall's own CA — which means that CA must be trusted on every client device or browsers throw errors. Server DPI-SSL inspects inbound traffic to servers you host and uses the server's own certificate and private key instead. Knowing which mode applies to which direction, what certificate each one needs, and what you must exclude (pinned apps, banking sites) is the difference between a clean rollout and a helpdesk flooded with certificate warnings.

① Why decrypt at all — the encrypted blind spot

The single most important idea: the large majority of web traffic is now TLS-encrypted, so a firewall that cannot decrypt it only sees an opaque tunnel. Malware downloads, command-and-control, data theft and policy-evading apps all ride inside HTTPS precisely because they expect no one to look. Without decryption, your firewall's security services are blind.

DPI-SSL solves this by terminating the TLS session at the firewall, handing the cleartext to the RFDPI engine — Reassembly-Free Deep Packet Inspection — which scans it with Gateway Anti-Virus, IPS, anti-spyware, application control and Capture ATP sandboxing, and then re-encrypting it onward. The firewall sits in the middle of the handshake. Modern SonicOS supports TLS 1.3.

DPI-SSL comes in two modes for opposite directions: Client for outbound user traffic and Server for inbound traffic to servers you host. The rest of this lesson is about getting that distinction — and the certificates each mode needs — right.

Figure 1 — The DPI-SSL loop — decrypt, inspect, re-encrypt
DPI-SSL terminates TLS at the firewall, scans the cleartext with RFDPI, then re-encrypts it onward.The DPI-SSL loop — decrypt, inspect, re-encryptInterceptterminate TLSDecryptexpose cleartextInspectRFDPI / GAV / IPSRe-encryptnew TLS onwardForwarddeliver + log
DPI-SSL terminates TLS at the firewall, scans the cleartext with RFDPI, then re-encrypts it onward.
Quick check · Q1 of 10 · Understand

Why does a firewall need DPI-SSL?

Correct: b. The majority of web traffic is TLS-encrypted. Without decryption the firewall only sees an opaque tunnel and cannot scan for malware, exploits or data theft. DPI-SSL decrypts so RFDPI can inspect, then re-encrypts.
👉 So far: Most web traffic is TLS-encrypted, so without DPI-SSL the firewall is blind. DPI-SSL decrypts, lets RFDPI (GAV/IPS/anti-spyware/app-control/Capture ATP) scan the cleartext, then re-encrypts.

② Client DPI-SSL — outbound, re-signed with the firewall CA

Client DPI-SSL protects outbound traffic: your internal users connecting out to external HTTPS sites. The firewall acts as a man-in-the-middle. It intercepts each connection, makes its own TLS session to the real site, and then presents the user's browser a copy of the site's certificate that it has re-signed with the firewall's own CA. That lets it decrypt, inspect with RFDPI, and re-encrypt in both directions.

The certificate trap everyone hits

Because the browser now sees a certificate issued by the firewall's CA — not a public CA it already trusts — you must deploy and trust that CA on every client device. In a Windows estate you push it as a trusted root via Active Directory GPO; for laptops and mobiles you use MDM. Skip this and users get a flood of 'your connection is not private' certificate warnings on nearly every site.

🔓
DPI-SSL
tap to flip

SonicWall's feature that decrypts TLS so RFDPI can scan the cleartext, then re-encrypts it. Two modes: Client and Server.

➡️
Client DPI-SSL
tap to flip

Outbound mode for users browsing out. The firewall is a man-in-the-middle and re-signs server certs with its own CA — which must be trusted on every client.

⬅️
Server DPI-SSL
tap to flip

Inbound mode for servers you host. The firewall uses the server's own certificate and private key to decrypt and inspect traffic to it.

📌
Certificate pinning
tap to flip

An app hard-codes the exact cert it accepts. A re-signed DPI-SSL cert won't match the pin, so the app breaks — pinned apps must be excluded.

Deploy the CA before you flip the switch

For Client DPI-SSL, push the firewall's re-signing CA into every client's trusted-root store first — Active Directory GPO for domain machines, MDM for laptops and mobiles. Do this before enabling the zone and you avoid the certificate-warning storm entirely.

Quick check · Q2 of 10 · Remember

In Client DPI-SSL, what certificate does the firewall present to the user's browser?

Correct: a. Client DPI-SSL acts as a man-in-the-middle: it re-signs each external server's certificate with the firewall's own CA. That is why the CA must be trusted on every client, or browsers throw certificate errors.
👉 So far: Client DPI-SSL = outbound users. The firewall is a man-in-the-middle that re-signs external server certs with its own CA, which you must deploy and trust on every client via GPO/MDM.

③ Server DPI-SSL — inbound, using the server's own certificate

Server DPI-SSL protects the opposite direction: inbound traffic to servers you host — a public web or mail server sitting behind the firewall. Here there is no man-in-the-middle re-signing. You import the hosted server's own certificate and matching private key into the firewall, so it can decrypt the inbound TLS sessions destined for that server and inspect them with RFDPI for attacks.

When to use which

The interview line: direction decides the mode. Client DPI-SSL = your users going out, and it needs the firewall CA trusted on clients. Server DPI-SSL = the world coming in to your hosted services, and it needs the genuine server cert and key — no client CA push at all. They are configured independently and can run side by side on the same appliance.

Figure 2 — Client DPI-SSL vs Server DPI-SSL
Direction decides the mode and the certificate each one needs.Client DPI-SSL vs Server DPI-SSLClient (outbound)Internal users to external sitesFirewall is a man-in-the-middleRe-signs with the firewall's ownDeploy that CA to clientsServer (inbound)World reaching your hosted serversNo re-signing of public certsUses the server's own cert + keyNo client-side CA push needed
Direction decides the mode and the certificate each one needs.
Figure 3 — Decrypt once, scan with every service
Once DPI-SSL exposes the cleartext, every RFDPI security service can inspect the same stream.Decrypt once, scan with every serviceDPI-SSLdecrypted streamGateway Anti-VirusIntrusion PreventionAnti-spywareApplication controlCapture ATP sandboxContent filtering
Once DPI-SSL exposes the cleartext, every RFDPI security service can inspect the same stream.
Mixing up Client and Server mode

Client DPI-SSL is outbound (your users going out) and re-signs with the firewall CA. Server DPI-SSL is inbound (the world reaching your hosted servers) and uses the server's own cert and key. Pick the mode by direction; using the wrong one means nothing gets inspected.

▶ Watch an HTTPS site get inspected on the way out

How one outbound HTTPS request is decrypted, scanned and re-encrypted with Client DPI-SSL. Press Play for the healthy path, then Break it to see the classic failure.

① RequestA user in the Kochi office opens an external HTTPS site through the firewall with Client DPI-SSL enabled on the LAN zone.
② Intercept + re-signThe firewall makes its own TLS session to the site and presents the browser a copy of the certificate re-signed with the firewall's CA.
③ InspectWith the session decrypted, RFDPI scans the clear stream — Gateway AV, IPS, anti-spyware, app-control and Capture ATP.
④ Re-encrypt + deliverThe firewall re-encrypts the clean traffic and delivers it; the browser shows a normal padlock because it trusts the firewall CA.
Press Play to step through the healthy inspection path. Then press Break it.
Quick check · Q3 of 10 · Apply

You host a public web server behind the firewall and want to inspect inbound HTTPS to it. What do you configure?

Correct: c. Inbound traffic to a server you host is Server DPI-SSL. You import the hosted server's own certificate and private key into the firewall so it can decrypt and inspect that traffic. No client CA push is involved.
👉 So far: Server DPI-SSL = inbound to servers you host. The firewall uses the server's own certificate and private key to decrypt and inspect — no client CA push. Direction decides the mode.

④ Exclusions, pinning, performance & a safe rollout

You should not — and sometimes cannot — decrypt everything. Maintain an exclusion list so sensitive and incompatible traffic flows untouched: banking, healthcare and government categories (privacy and compliance), software-update services, and especially certificate-pinned applications. A pinned app rejects any certificate that does not match its hard-coded pin, so decrypting it breaks the app — exclude it.

Roll out without a helpdesk storm

DPI-SSL is resource-intensive: terminate, inspect and re-encrypt all cost CPU, so trying to decrypt every flow can saturate the appliance. Size the firewall for DPI-SSL throughput, enable it per zone, and scope it with address and service objects so you decrypt only what you intend. Deploy the CA to clients first, start on a pilot zone, build the exclusion list, then widen — never flip it on for the whole estate at once.

Figure 4 — What to exclude from decryption
Keep sensitive and incompatible traffic off the decryption path with an exclusion list.What to exclude from decryptionCertificate-pinned appsBreak if re-signed — always excludeBanking / health / govPrivacy and compliance categoriesSoftware-update servicesOften pinned or signed; excludeEverything elseDecrypt and inspect per zone/object
Keep sensitive and incompatible traffic off the decryption path with an exclusion list.

Priya Nair at Meridian Logistics, Kochi faces this

The day after enabling Client DPI-SSL on the LAN zone, the helpdesk is flooded — staff see 'your connection is not private' on nearly every HTTPS site, and a finance tool won't connect at all.

Likely cause

The firewall is now re-signing every external server certificate with its own CA, but that CA was never pushed to the client trust stores; separately, a certificate-pinned finance app rejects the re-signed cert.

Diagnosis

In SonicOS the LAN zone has Client DPI-SSL on with a re-signing CA selected. The browser warnings prove clients don't trust that CA, and the pinned-app failure points to a missing exclusion.

SonicOS ▸ DPI-SSL ▸ Client SSL (enabled zones + re-signing CA) and DPI-SSL ▸ Exclusions
Fix

Export the firewall's DPI-SSL CA and deploy it to all clients as a trusted root via Active Directory GPO (and MDM for mobiles); then add the pinned finance app and the banking/health/gov categories to the DPI-SSL exclusion list.

Verify

On a managed client, browse several HTTPS sites — the padlock is clean (the cert chains to the now-trusted firewall CA), the finance app connects because it is excluded, and DPI-SSL logs show normal sites being decrypted and scanned.

Prove it from a real handshake, not a hunch

After rollout, browse a known site from a managed client and check the certificate chain: it should chain to your firewall CA with a clean padlock. Then confirm an excluded pinned app still connects. Two checks tell you the deployment is correct without guessing.

Quick check · Q4 of 10 · Analyze

A banking app stops connecting right after you enable Client DPI-SSL. What is the correct fix?

Correct: d. Certificate-pinned apps reject any cert that doesn't match their hard-coded pin, so the re-signed DPI-SSL cert breaks them. The fix is to exclude pinned apps and sensitive categories like banking from decryption, not to disable inspection entirely.
👉 So far: Exclude pinned apps and banking/health/gov from decryption, size for DPI-SSL throughput, enable per zone with address/service objects, and roll out in stages — never all at once.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

Client DPI-SSL inspects traffic in which direction?

Correct: a. Client DPI-SSL is for outbound traffic from your internal users to external HTTPS sites. Server DPI-SSL handles inbound traffic to servers you host.
Q6 · Understand

Server DPI-SSL is configured with which certificate material?

Correct: c. Server DPI-SSL uses the genuine certificate and matching private key of the server you host, so the firewall can decrypt and inspect inbound traffic to it. No client CA push is involved.
Q7 · Apply

After enabling Client DPI-SSL, users get certificate warnings on almost every HTTPS site. What is the most likely cause?

Correct: b. Client DPI-SSL re-signs server certs with the firewall's CA. If that CA isn't deployed to the client trust stores via GPO/MDM, browsers don't trust the chain and throw warnings. Deploy the CA to fix it.
Q8 · Analyze

Why must certificate-pinned applications be excluded from DPI-SSL?

Correct: d. A pinned app only accepts a specific certificate. The DPI-SSL re-signed certificate won't match the pin, so the app refuses to connect. The correct response is to exclude pinned apps from decryption.
Q9 · Evaluate

What is the strongest reason NOT to decrypt all traffic with DPI-SSL?

Correct: b. Terminating, inspecting and re-encrypting every flow consumes significant CPU and can saturate the firewall, and decrypting pinned apps breaks them. Size for throughput and scope what you decrypt per zone and object.
Q10 · Evaluate

What is the safest first step before enabling Client DPI-SSL across the estate?

Correct: a. Pushing the firewall CA to clients first means the re-signed certificate chain is trusted, avoiding a warning storm. Starting on a pilot zone with an exclusion list lets you tune before widening — never flip it on everywhere at once.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: what is the difference between Client and Server DPI-SSL, and what certificate does each one need? Then compare with the expert version.

Expert version: Client DPI-SSL inspects outbound traffic from your users to external sites: the firewall is a man-in-the-middle that re-signs each external server's certificate with the firewall's own CA, so that CA must be trusted on every client via GPO or MDM or browsers throw errors. Server DPI-SSL inspects inbound traffic to servers you host: the firewall is given the server's own certificate and private key so it can decrypt and inspect that traffic, with no client CA push. Direction decides the mode, and the certificate each mode needs follows directly from that direction.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

TLS
Transport Layer Security — the encryption protocol behind HTTPS; the traffic DPI-SSL decrypts, inspects and re-encrypts.
DPI-SSL
SonicWall's deep packet inspection of SSL/TLS — decrypt the traffic, inspect it with RFDPI, then re-encrypt it onward.
RFDPI
Reassembly-Free Deep Packet Inspection — SonicWall's stream engine running Gateway AV, IPS, anti-spyware, application control and Capture ATP on the clear traffic.
Client DPI-SSL
Outbound mode: inspects users' HTTPS to external sites by re-signing each server cert with the firewall's own CA, which must be trusted on clients.
Server DPI-SSL
Inbound mode: inspects traffic to servers you host using the server's own certificate and private key — no client CA push needed.
Firewall CA
The internal Certificate Authority the firewall uses to re-sign certificates in Client mode; it must be deployed to every client's trusted-root store.
Certificate pinning
When an app hard-codes the exact certificate it accepts; a re-signed DPI-SSL cert won't match the pin, so pinned apps break and must be excluded.
Exclusion list
The set of traffic DPI-SSL must not decrypt — banking/health/gov categories, software-update services and certificate-pinned apps.

📚 Sources

  1. SonicWall — About DPI-SSL (SonicOS Administration Guide). docs.sonicwall.com
  2. SonicWall — Client DPI-SSL: deploying the firewall CA to client devices. sonicwall.com
  3. SonicWall — Server DPI-SSL: configuring with the server certificate and private key. docs.sonicwall.com
  4. SonicWall Support — DPI-SSL exclusions and certificate-pinned application handling. sonicwall.com
  5. SonicWall — Reassembly-Free Deep Packet Inspection (RFDPI) & Capture ATP. sonicwall.com
  6. SonicWall — TLS 1.3 support in SonicOS DPI-SSL (release notes). docs.sonicwall.com

What's next?

Got DPI-SSL? Next, go deep on the security services that scan the now-decrypted traffic — Gateway Anti-Virus, IPS, Content Filtering, and Botnet & GeoIP — and how to tune them so they catch real threats without blocking the business.

Next · All interview lessons → Practice on exam.techclick.in →