DPI Engine Bypass

Question

Hello, 
 If I have a firewall rule that has a web policy set to none, so why does the DPI engine still scan the traffic? I thought this was fixed. Still seeing the traffic in the SSL inspection logs. I would really like to reduce the CPU load for traffic I don't want scanned. Running 18.5.1 MR-1, but this has been an issue since the new DPI engine was introduced. I haven't noticed it in awhile since traffic has been low, but I'm now moving a lot of data around and the XG is scanning traffic it shouldn't. 
 Mike

Michael Dunn · Accepted Answer

The firewall "sees" all traffic flowing through the XG. DPI (Deep Packet Inspection) is implemented using snort and it "sees" almost all traffic. 
 Snort does many things: - detect TLS traffic on any port - decrypt TLS traffic if configured to do TLS/SSL rules - detect HTTP traffic on any port - enforce Web policy on any HTTP / HTTPS - enforce ATP - enforce IPS - enforce app control - enforce bandwidth limiting 
 If you want the XG to do as little as possible for given traffic, each of these things should be turned off for that traffic. snort will still see the traffic, but it will do less processing. I want to focus on the item that is the most common cause of snort doing more than expected. 
 ATP - Advanced Threat Protection - is making sure that a virus on an already infected system cannot talk to any command and control systems on any port. Some parts of ATP are enforced by the DNS server, some by snort rules, and some by web destination rules (by snort or web proxy). It is enabled globally because DNS server enforcement cannot be controlled by firewall rules, and because we want to make sure that ATP protections are enforced on every port. 
 When there is no web filer policy, no app filter policy, no a/v scanning, and no ATP: There is detection for TLS traffic on all ports, and TLS decryption rules are applied There is detection of plaintext HTTP on all ports. However there is no categorization or enforcement of the HTTP standard. 
 However when any of those things change (for example ATP is enabled): There is detection for TLS traffic on all ports, and TLS decryption rules are applied. The destination SNI is compared against ATP urls. There is detection of plaintext HTTP on all ports. If there is HTTP then there is categorization. The destination URL is compared against ATP urls. The HTTP specification is enforced. 
 Because web filer policy, app filter policy, and a/v scanning are all set per firewall rule, it is easy an obvious to turn them off for given traffic. Because ATP is set globally, it is not obvious how to turn it off for given traffic. You must use an ATP exception which is configured on the Device Console. 
 support.sophos.com/.../KB-000038900 
 If your really trust the traffic and want minimal inspection then you must - set the TLS rule that matches to Do not decrypt - set the firewall rule to Web Policy None and malware scanning off - set the firewall rule to App Control policy None and IPS policy None - set the firewall rule to have an exception for ATP in Device Console 
 -------------------- 
 > It&rsquo;s crazy to think I can&rsquo;t create a firewall rule that has no options, to bypass the DPI. You would think setting all options to none would be the answer. Not in Sophos world. 
 You set all options in the firewall rule, but the global option for ATP is still in effect. Try turning off the global ATP to see if that causes a drop in CPU. If it does, then determine whether you want to disable it globally, or enable it and create exceptions for your firewall rules. 
 > If I have inter-VLAN traffic that is encrypted, say SMB traffic, I don't want the firewall to look at it at all. It uses resources even if you have a policy to "Do Not Decrypt". 
 You cannot ever have the firewall "not look at it", snort will look at almost all traffic. If you want the XG to do as little as possible you should not use the global setting for ATP, or you should use ATP exceptions. 
 
 You may also want to look at fastpath. Please note: I am not an expert in fastpath. The XG series hardware has a virtual fastpath and the XGS series hardware has a hardware fastpath. If you are having CPU concerns, please make sure that fastpath is enabled. 
 My understanding is the term "fastpath" is often confused to mean two different but related things. - with "fastpath" traffic being inspected by snort is processed more efficiently, resulting in lower CPU - with "fastpath offload" traffic that snort determines needs no more inspection will have remaining traffic on that connection forwarded without going through snort, resulting in lower CPU 
 docs.sophos.com/.../Architecture.html

DPI Engine Bypass

Top Replies