Question - BUG - DPI appears to be on by default

Hi folks,

While working on a thread in the XG forum I checked some of the firewall settings and found, I think, that DPI is on by default. The screenshots below do not show DPI as highlighted on the rules where it is selected and not selected.

Ian


The first screenshot uses DPI, whereas the second screenshot is of an internal connection.

Am I interpreting the screenshots wrong or is there a bug?

  • In reply to RichBaldry:

    Thank you to Michael and Rich for the many detailed answers to the question, but none explain how I turn off inspection on LAN to LAN rules.

    In v17 you did so by not using the proxy, but in v18, when not using the proxy, you use DPI.

    Now, I have spent a week working with a hardware support company to get a security camera working; eventually I came to the conclusion that the application did not like DPI even with exceptions: no log entries, all logs showing connections.

    I turned on the proxy and put some of my standard functions in place and now I have a stable security camera connection to the cloud server, all very good.

    I am supposed to be able to connect to the camera using various applications on my non-IoT network; again the log viewer shows the connections but the application does not connect.

    I could try to use a WAF rule, but that wouldn't work because I have the DNS of the firewall set up to use the internal network address for access, to overcome the continual certificate warnings when using the IP address to access the XG GUI.

    So how do I turn off inspection of internal rules only?

    Ian

  • In reply to rfcat_vk:

    Hi Ian,

    Our intent is for it not to be necessary to turn this off, so that the DPI Engine has no impact on traffic if there are no scanning or inspection policies applicable to it, but so that we can still include information about it in our overall accounting of traffic.

    There are still a couple of outstanding situations that we've come across in the EAP that we are aiming to fix before the GA release of v18, including a few relating to our handling of traffic that is not recognized as TLS or HTTP on port 443. One of the major impacts of this right now is OpenVPN SSL VPN connections, which send a few packets of custom handshake protocol before beginning a TLS handshake. We've had reports of a few IoT devices that use OpenVPN to tunnel traffic to the cloud - is it possible that's what's going on with your camera?

    Regards

    Rich
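    Rich's explanation above (quoted again further down the thread) turns on how a DPI engine decides what a port-443 flow is from its first bytes, and why an OpenVPN client, which sends a few packets of its own control protocol before the TLS handshake, does not look like TLS or HTTP. The following is an added illustration, not Sophos code and not a description of the XG engine's internals: a minimal first-packet classifier using the public TLS record, HTTP/1.x and OpenVPN-over-TCP layouts, run over constructed sample packets. The function names and the sample bytes are this example's own.

```python
# Added example: toy first-packet protocol classifier of the kind a DPI engine
# uses on port 443. Not Sophos/XG code; layouts are the public TLS, HTTP/1.x and
# OpenVPN-over-TCP formats. Sample packets below are constructed for the demo.
import struct

HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ",
                b"OPTIONS ", b"CONNECT ", b"PATCH ", b"TRACE ")

# OpenVPN opcodes live in the high 5 bits of the first payload byte; the low
# 3 bits are the key id. A fresh client starts with a hard-reset control packet.
OPENVPN_HARD_RESET_CLIENT_V2 = 7    # first byte 0x38 with key_id 0
OPENVPN_HARD_RESET_CLIENT_V3 = 10   # first byte 0x50 with key_id 0


def looks_like_tls_client_hello(data: bytes) -> bool:
    """TLS record: type 0x16 (handshake), version 0x03 0x0[0-4], 2-byte length,
    then handshake type 0x01 (ClientHello)."""
    if len(data) < 6:
        return False
    if data[0] != 0x16 or data[1] != 0x03 or data[2] > 0x04:
        return False
    rec_len = struct.unpack("!H", data[3:5])[0]
    return 0 < rec_len <= 16384 and data[5] == 0x01


def looks_like_http(data: bytes) -> bool:
    """HTTP/1.x request line starts with a method token and a space."""
    return data.startswith(HTTP_METHODS)


def looks_like_openvpn_tcp(data: bytes) -> bool:
    """OpenVPN over TCP prefixes every packet with a 2-byte big-endian length,
    followed by the opcode/key-id byte. The client hard reset carries an 8-byte
    session id, a packet-id-array length byte and a 4-byte packet id, so the
    framed length is never below 14."""
    if len(data) < 3:
        return False
    pkt_len = struct.unpack("!H", data[:2])[0]
    opcode, key_id = data[2] >> 3, data[2] & 0x07
    return (key_id == 0 and pkt_len >= 14 and
            opcode in (OPENVPN_HARD_RESET_CLIENT_V2, OPENVPN_HARD_RESET_CLIENT_V3))


def classify(first_payload: bytes) -> str:
    """Classify a flow from the first client-to-server payload. Anything that is
    not TLS or HTTP is what a TLS/HTTP-only engine would stumble on."""
    if looks_like_tls_client_hello(first_payload):
        return "tls"
    if looks_like_http(first_payload):
        return "http"
    if looks_like_openvpn_tcp(first_payload):
        return "openvpn"
    return "unknown"


# Constructed samples (not captures). Only the leading bytes matter here.
TLS_HELLO = (b"\x16\x03\x01\x00\x2c"          # record: handshake, TLS 1.0 framing, len 44
             b"\x01\x00\x00\x28\x03\x03" + bytes(32) + b"\x00\x00\x00\x00\x00\x00")
HTTP_GET = b"GET / HTTP/1.1\r\nHost: camera.example\r\n\r\n"
OPENVPN_RESET = (b"\x00\x0e"                  # TCP length prefix: 14 bytes follow
                 b"\x38"                      # P_CONTROL_HARD_RESET_CLIENT_V2, key_id 0
                 b"\x01\x02\x03\x04\x05\x06\x07\x08"  # session id
                 b"\x00"                      # packet-id array length (no acks)
                 b"\x00\x00\x00\x00")         # packet id
CUSTOM_BINARY = b"\xde\xad\xbe\xef" + bytes(12)   # some vendor preamble


def classify_samples() -> dict:
    """Run the classifier over the constructed flows; returns name -> label."""
    return {name: classify(data) for name, data in {
        "tls_client_hello": TLS_HELLO,
        "http_get": HTTP_GET,
        "openvpn_client_reset": OPENVPN_RESET,
        "custom_binary": CUSTOM_BINARY,
    }.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name:22s} -> {label}")
```

    The point to take from this: an engine whose port-443 path only knows how to pass through what it recognizes as TLS or HTTP must still do something sensible with the `openvpn` and `unknown` cases, otherwise a "no decrypt, no scan" policy is not enough to leave such flows untouched, which is the situation Rich describes as still being fixed in the EAP.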

  • In reply to RichBaldry:

    Hi Rich,

    thank you for taking the time to investigate.

    I don't think so, the camera does use 443, 80, UDP 9999 and UDP 57850. The 443 and the 80 are both handled by the proxy. The camera support team assure me that all is secure between the camera and their cloud servers using https for password handshaking etc.

    I do see about 100MB of SSL over non SSL ports though but do not see any traffic in the daily reports about OPENVPN.

    Ian

    Update: forgot to add that I have had ATP disabled for a couple of days.

    And I have this enabled.

  • In reply to RichBaldry:

    RichBaldry

    Hi Ian,

    Our intent is for it not to be necessary to turn this off, so that the DPI Engine has no impact on traffic if there are no scanning or inspection policies applicable to it, but so that we can still include information about it in our overall accounting of traffic.

    There are still a couple of outstanding situations that we've come across in the EAP that we are aiming to fix before the GA release of v18, including a few relating to our handling of traffic that is not recognized as TLS or HTTP on port 443. One of the major impacts of this right now is OpenVPN SSL VPN connections, which send a few packets of custom handshake protocol before beginning a TLS handshake. We've had reports of a few IoT devices that use OpenVPN to tunnel traffic to the cloud - is it possible that's what's going on with your camera?

    Regards

    Rich


    Would this apply to SSL-encrypted newsgroup traffic potentially as well? I am unable to connect to Astraweb over SSL. Take XG out of the mix and it works. I've got a firewall rule in place to do nothing: don't decrypt, don't touch it, don't scan it, don't categorize, "none" for everything, but clearly XG is doing something regardless.