DPI Engine Bypass

Hello,

If I have a firewall rule that has a web policy set to none, why does the DPI engine still scan the traffic? I thought this was fixed. Still seeing the traffic in the SSL inspection logs. I would really like to reduce the CPU load for traffic I don't want scanned. Running 18.5.1 MR-1, but this has been an issue since the new DPI engine was introduced. I haven't noticed it in a while since traffic has been low, but I'm now moving a lot of data around and the XG is scanning traffic it shouldn't.

Mike



Added Firewall Rules
[edited by: emmosophos at 11:59 PM (GMT -7) on 5 Oct 2021]
  • I think you need to change your web policy to allow all.

    ian

     
    V18.5.x - e3-1225v5 6gb ram with 4 ports - 20w. 
    If a post solves your question use the 'This helped me' link.
  • I did that, but I also had to check the use proxy option. I don’t want the firewall to look at the traffic at all, not even the proxy.

    It’s crazy to think I can’t create a firewall rule that has no options, to bypass the DPI. You would think setting all options to none would be the answer. Not in Sophos world.

  • Well, you can turn off the SSL/TLS inspection, but that turns it off for all firewall rules.

    If you choose allow all in the web proxy with the services of any, the proxy doesn't really inspect the traffic.

    The other option I use is don't log, none in web, none in application and none in IPS but you need to be very sure of your destination/destination.

    Ian

     
  • Yeah I can’t turn off SSL inspection completely. 

    Yes, you’re right, an allow all rule doesn’t really inspect the traffic with the proxy, but it does have to look at it for the allow all rule to work. It’s unnecessarily using resources to do so. 

    Even using a rule that doesn’t log, it still passes traffic to the DPI engine, you just don’t see it. I proved this in the V18 beta and thought they fixed it.

  • DPI is not a proxy and has actually nothing to do with Web policies at all.

    DPI Engine is an architecture, which can look out for TLS/SSL traffic and decrypt it. This decrypted traffic will be passed to the needed modules (for example for HTTPS to the proxy) or to the IPS etc. 

    If you do not want to scan it, create a Do not Decrypt rule, which will not decrypt it, but it still "sees" the traffic. You cannot bypass this system without completely shutting down the entire engine, because it's built to consider all traffic, regardless of its state. 


  • Well, that's a bad design IMO. If I have inter-VLAN traffic that is encrypted, say SMB traffic, I don't want the firewall to look at it at all. It uses resources even if you have a policy to "Do Not Decrypt". I shouldn’t have to disable SSL inspection globally to make exceptions.

  • It does not look at this traffic. It simply sees it flowing. What is the issue in your setup besides the performance bottleneck? 

    BTW: it's not the SSL Inspection, it's the architecture you are disabling. Look at the fastpath vs slow path. https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/115976/sophos-xg-firewall-v18-xstream---the-new-dpi-engine-for-web-proxy-explained


  • If it looks at the traffic and logs it, it's looking at the traffic. Your answer contradicts itself. It may not be doing anything with it, but it is still looking at the traffic, thus using system resources when it shouldn't. The performance bottleneck is my issue. There is no way XG can give its rated throughput numbers if the traffic is encrypted and SSL/TLS inspection is enabled. I'm at 60% CPU usage on an XG230 Rev 2 with a couple hundred megs going through it because a lot of the traffic is encrypted. If I disable SSL/TLS, it drops to 30%. That's a big difference for traffic I don't need inspected and is set to "Do Not Decrypt" as you say.

    If I disable SSL inspection, I am disabling using the DPI engine for traffic. The DPI engine is better than the proxy since it looks at all ports. So if I disable it, I am not getting as good of protection, since I am relying solely on the proxy. That's not a viable option.

  • Can you please paste the performance difference numbers into the forum? 

    You are talking about the performance difference in terms of CPU load, but what is the actual throughput decrease? 

    PS: This architecture is also built for XGS hardware, as it profits highly from the NPU. 


  • I don't have an Ixia test bed to test full throughput, that's what Sophos is supposed to do. I am just doing simple math. If I'm at 60% CPU usage with a couple hundred megs going through it, how in the world can it give the rated throughput of 14,800 Mbps IMIX? It can't unless you disable SSL/TLS Inspection and that is my point. Sophos should have a way to bypass it, period.

    PS: I don't have an XGS series. Unless Sophos is going to give me an XGS, that doesn't help me, now does it?