Wifi, FTP TLS and new Xstream dpi engine

Question

Hello 
 1. Is it really not possible to bridge WIFI to any other zone other than LAN? I only got option "bridge to AP LAN" 
 2. i noticed that app control and option "scan ftp for malware" in Firewall rule will break TLS in FTP or SFTP. 
 So i made an extra rule for ftp, is this a bug? 
 3. Also i noticed that the new dpi engine will break really a whole lot websites including microsoft, google, amazon. Is this gonna change in the future? Is it possible to make an decrypt exclution for a certain group of devices, like mobile phones? Currently i am using guest wifi for mobiles with ssl decryption disabled. 
 4. I set rules to allow everything outgoing because there are just too many services on the internet and i thought to rely on L7 filtering and AV. Is this still a safe approach? 
 5. In any other rule than webtraffic, do i also need to enable web filtering and other security features like app control or IPS?

rfcat_vk · Accepted Answer

Hi, 
 1/. that will depend on which network you connect it to, eg DMZ would still be an AP LAN connection. 
 2/. you will need to use the web proxy for scanning ftp etc 
 3/. there area number of exceptions already created in the default SSL/TLS rule, you can add more if you desire. 
 4/. you will find for security you will need to build firewall rules to access to specfic ports, web sites and applications otherwise you will not be able to scan them. 
 Ian

LuCar Toni · Answer

To extend this: 
 1. It means bridge to AP LAN. It references to the Rj45 interface of the AP itself. Simply forwarding the packet to the Interface of the Access point to provide a wireless switch. 
 2. It seems to be related to DPI engine? DPI will decrypt traffic on TLS; if you tell DPI to do so.

Wifi, FTP TLS and new Xstream dpi engine

Top Replies