
DPI vs Web Proxy

Hello everyone,

At the moment we are thinking about changing from Web Proxy to DPI on an XG 230. As I understand from the public documentation, there are some features only supported in Web Proxy mode, but we are not using any of these currently.

Therefore another question came up as well: what happens if I disable the web proxy in the firewall rule and keep the proxy setting on the clients enabled? Will DPI or the web proxy be used, or will the traffic be denied because there is no rule with the web proxy enabled?

But my main question is which "mode" you are currently using and what the reasons for this were.

Best regards,

Jonas



This thread was automatically locked due to age.
  • Hi,

    you would need to disable (or delete) the firewall rule and create an SSL/TLS rule. The firewall will pass/process the traffic regardless of source. The exception list of sites that don't like SSL/TLS inspection is quite large, so it would pay to review that list before deciding not to use the web proxy.

    Ian

    XG115W - v20.0.1 MR-1 - Home

    XG on VM 8 - v20 GA

    If a post solves your question please use the 'Verify Answer' button.

  • Hi,

    we are currently using Web-Proxy with HTTPS-decryption enabled. At the moment we have a lot of exceptions configured in "Internet" > "Exceptions".

    Is DPI more work-intensive in terms of exceptions? 

  • We are not using any of these Web-Proxy-only features like "Pharming Protection", "Caching", "SafeSearch", etc. We only use basic web policies to block file types and websites. So hopefully this should not prevent us from changing to DPI ;-)

  • Caching, pharming and SafeSearch are web proxy only functions.

    File type blocking appears to be web only because I cannot find a field to enter file type in the SSL/TLS profile form.

    Ian


  • I only know file & URL-blocking via Web-Policy.

  • These might help?


  • I think we are talking at cross purposes ;-) I know where these features are located, I just wanted to make sure that file-type blocking via Web Policy should be working with DPI, too.

  • You should read "Sophos Firewall v18: XStream - the new DPI Engine for web proxy explained", as well as the "DPI engine or web proxy" help popup that is inside the firewall rule.

    Yes, file types are blocked for any HTTP or HTTPS traffic that is decrypted (same as web proxy).

    Note: The checkbox for "Filtering common web ports - Use web proxy instead of DPI engine" only applies to transparent mode traffic. If browsers have been configured to use the XG as a web proxy, then the proxy must be used. The "Deep Packet Inspection" engine can only look at packets going through the XG to a destination.

    I would argue that the number of websites that have issues with HTTPS scanning is equal in Proxy and DPI mode.  If you already have exceptions that work for you it should be fine.

    The one place where you can sometimes be caught is DPI mode looks at all ports.  Potentially you have an app talking to a server using TLS on port 12345.  Currently that traffic is hitting some firewall rule and also hitting a TLS inspection rule.  It is already being handled by DPI mode but you (most likely) are not decrypting it.  If you add a TLS rule that decrypts all traffic on all ports then it starts being decrypted and there is a chance it will have problems.  Apps that run on their own high level ports tend to be more...  fragile because they don't always follow HTTP standard when talking to their own server.
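To make the engine-selection rules and the "all ports" caveat from the post above concrete, here is a small model as an added example. It is not Sophos code and not from this thread: the connection-log format, the `via=explicit|transparent` field and the choice of 80/443 as the "common web ports" are constructed assumptions, as is the premise that the web proxy has HTTPS decryption enabled for every TLS flow it handles. It encodes three rules (explicit-proxy clients always hit the web proxy; the checkbox only moves transparent traffic on common ports to the proxy; everything else goes to DPI) and then lists which flows would become decrypted for the first time when moving from "proxy on common ports + TLS rule on 443" to "DPI everywhere + decrypt on all ports".

```python
"""Model of which SFOS engine handles a flow and whether the flow gets decrypted.

Added example, not Sophos code. The log format and the via=explicit|transparent
field are constructed for this illustration only.
"""
import re
from dataclasses import dataclass

# Assumption: "common web ports" in the firewall-rule checkbox means 80 and 443.
COMMON_WEB_PORTS = frozenset({80, 443})


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int
    tls: bool
    explicit_proxy: bool   # client is configured to use the XG as its proxy


# Constructed, simplified connection log (not real SFOS log syntax).
SAMPLE_LOG = [
    "src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tls via=transparent",
    "src=10.0.0.5 dst=203.0.113.20 dport=80 proto=http via=transparent",
    "src=10.0.0.6 dst=203.0.113.30 dport=12345 proto=tls via=transparent",
    "src=10.0.0.7 dst=203.0.113.40 dport=443 proto=tls via=explicit",
    "src=10.0.0.8 dst=203.0.113.50 dport=8443 proto=tls via=transparent",
]

LINE_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"proto=(?P<proto>\S+) via=(?P<via>explicit|transparent)"
)


def parse_flow(line: str) -> Flow:
    """Parse one constructed log line into a Flow; reject anything unexpected."""
    m = LINE_RE.search(line)
    if m is None:
        raise ValueError(f"unrecognised log line: {line!r}")
    return Flow(src=m["src"], dst=m["dst"], dport=int(m["dport"]),
                tls=(m["proto"] == "tls"),
                explicit_proxy=(m["via"] == "explicit"))


def engine_for(flow: Flow, proxy_on_common_ports: bool) -> str:
    """Rule 1: explicit-proxy clients always land on the web proxy.
    Rule 2: the 'use web proxy instead of DPI engine' checkbox only moves
            transparent traffic on the common web ports to the proxy.
    Rule 3: everything else is seen by the DPI engine."""
    if flow.explicit_proxy:
        return "web proxy"
    if proxy_on_common_ports and flow.dport in COMMON_WEB_PORTS:
        return "web proxy"
    return "DPI"


def is_decrypted(flow: Flow, engine: str, decrypt_ports) -> bool:
    """decrypt_ports: ports the SSL/TLS inspection rule decrypts, or None for
    'all ports'. Assumption: the web proxy has HTTPS decryption enabled, so
    every TLS flow it handles is decrypted."""
    if not flow.tls:
        return False
    if engine == "web proxy":
        return True
    return decrypt_ports is None or flow.dport in decrypt_ports


def newly_decrypted(lines, old_decrypt_ports, new_decrypt_ports):
    """Flows that were NOT decrypted under 'web proxy on common ports + TLS
    rule on old_decrypt_ports' but WOULD be under 'DPI everywhere + TLS rule
    on new_decrypt_ports'. These are the candidates for breakage."""
    result = []
    for line in lines:
        f = parse_flow(line)
        before = is_decrypted(f, engine_for(f, True), old_decrypt_ports)
        after = is_decrypted(f, engine_for(f, False), new_decrypt_ports)
        if after and not before:
            result.append(f)
    return result


if __name__ == "__main__":
    for f in newly_decrypted(SAMPLE_LOG, {443}, None):
        print(f"would start decrypting {f.dst}:{f.dport} from {f.src}")
```

On the constructed sample, the two transparent TLS flows on 12345 and 8443 are the only ones whose status changes; the explicit-proxy flow stays on the proxy in both configurations, and the 443 flow was already being decrypted by the proxy. Running the same comparison with `new_decrypt_ports={443}` returns nothing, which is the "keep the TLS rule scoped to 443" alternative the post hints at. The model only says which flows change status, not which applications will actually break; that still has to be verified per app.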

  • Hi Michael,

    thank you for the update.

    I was pointing out to Jonas that the functions he wants to use are currently only available in the web proxy. Also there is nowhere that I can find to add file type to a SSL/TLS rule whereas in web proxy you can select which file type you want to add.

    Ian


  • You add file types to Web Policies, which are used by both web proxy and DPI mode. Absolutely everything that you can do with file types is done exactly the same in both modes.


    You do not add file types to firewall rules or to SSL/TLS rules.  Saying "Do not perform TLS decryption on a file type" does not make sense.

  • Sorry, I was not quite understanding and had forgotten that you can use web policies without the proxy, but you can't enforce some of the proxy features even though they might be enabled in your web policy.

    Ian


  • Okay, that's everything I wanted to know. Thank you both for the detailed answers.
