
DPI: Does Sophos UTM 9 have DPI?

So if I read this

https://www.sophos.com/en-us/medialibrary/pdfs/factsheets/sophos-utm-feature-list-dsna.ashx it says

Intrusion protection: Deep packet inspection engine, 18,000+ patterns

But the following suggests DPI is found in Sophos (XG) Firewall, not UTM:

https://community.sophos.com/utm-firewall/f/general-discussion/127587/utm-deep-packet-inspection

So I'm confused. Please can someone kindly clarify?



  • Hi and welcome to the UTM Community!

    DPI exists in both Sophos offerings.  I'll add that to the second thread.

    Cheers - Bob

    Sophos UTM Community Moderator
    Sophos Certified Architect - UTM
    Sophos Certified Engineer - XG
    Gold Solution Partner since 2005
    MediaSoft, Inc. USA
  • Many thanks. What I didn't add to my post at the time was that a person on the Sophos website expert chat also said "for DPI you need to use Sophos XG, it's not in UTM", and that is why I started researching myself. I'm guessing the Sophos XG has a richer DPI engine?

    I have found a nice diagram of flows through the XG and the XG DPI engine, but cannot find a similar diagram for the Sophos UTM. Does anyone have such a diagram?

    TIA

  • Everyone is pushing XG, because it's their new baby.  The older brother, UTM, is treated as being on its deathbed, lol. 

    I don't know that a diagram exists for UTM on DPI; I would bet a reseller/partner would have something.

    OPNSense 64-bit | Intel Xeon 4-core v3 1225 3.20Ghz
    16GB Memory | 500GB SSD HDD | ATT Fiber 1GB
    (Former Sophos UTM Veteran, Former XG Rookie)

  • DPI Engine is some sort of "new phrase" for a particular way of working with data.

    DPI means Deep Packet Inspection, and this kind of technology is in both products. It is the IPS in a nutshell.

    But DPI Engine in SFOS means the xStream Architecture. It is a technology that works on a stream-based level (hence the name). Stream-based technologies will not act as a proxy or anything like that. Instead they copy packets into another space and analyse them while the client is still communicating with the server. It is essentially a flow / stream between client and server.

    Stream-based technologies can decrypt TLS 1.3 and analyse those packets. IPS is able to do this, but it is lacking the decryption part. While UTM can only decrypt TLS 1.2 on web-based traffic, SFOS can decrypt all packets on all ports and the IPS can look at that decrypted traffic to increase security.

    That is the big difference between the two products.

    __________________________________________________________________________________________________________________

  • In a Nutshell:

    Looking at UTM, UTM only has the "Web Proxy part". SFOS uses the DPI Engine here to do much more, together with the FastPath.

    The Web Proxy, as the name indicates, supports web traffic. But if there is encrypted traffic on port 1234, the UTM cannot decrypt it. SFOS can do this and hand the traffic to the next engine.

    See: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/122357/life-of-a-packet-sophos-firewall

    __________________________________________________________________________________________________________________
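The two posts above make one technical point: a stream-level engine keys on the bytes of the flow, so it recognises TLS on any port (the "port 1234" case), while a web proxy only ever sees the web ports it is bound to. The following Python is an added illustration of that distinction, written for this thread and not code from Sophos, UTM or SFOS. It constructs a minimal TLS ClientHello (labelled as constructed sample input), parses the record header, SNI and supported_versions extension from raw bytes without regard to port, and contrasts that with a simplified port-bound "web proxy" view; the `proxy_visible` rule (port 443 only) is an assumption used for the comparison, not a description of the real UTM proxy configuration.

```python
"""Port-independent TLS detection vs. a port-bound proxy view (added example)."""
import struct
from typing import Dict, List, Optional, Tuple


def build_client_hello(sni: str, versions: List[int]) -> bytes:
    """Construct a minimal TLS ClientHello record with server_name (type 0)
    and supported_versions (type 43) extensions. Constructed sample, not a capture."""
    host = sni.encode("ascii")
    sn_entry = b"\x00" + struct.pack("!H", len(host)) + host        # name_type=host_name
    sn_list = struct.pack("!H", len(sn_entry)) + sn_entry
    ext_sni = struct.pack("!HH", 0, len(sn_list)) + sn_list
    vers = b"".join(struct.pack("!H", v) for v in versions)
    sv_body = bytes([len(vers)]) + vers
    ext_sv = struct.pack("!HH", 43, len(sv_body)) + sv_body
    extensions = ext_sni + ext_sv
    body = (
        b"\x03\x03"                                   # legacy_version = TLS 1.2
        + b"\x00" * 32                                # random (zeroed for the sample)
        + b"\x00"                                     # session_id length 0
        + b"\x00\x02\x13\x01"                         # one cipher suite: TLS_AES_128_GCM_SHA256
        + b"\x01\x00"                                 # compression_methods: null
        + struct.pack("!H", len(extensions)) + extensions
    )
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body  # HandshakeType 1, 3-byte length
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake  # record: handshake, TLS


def parse_client_hello(data: bytes) -> Optional[Dict[str, object]]:
    """Return {'sni', 'max_version'} if data begins with a TLS ClientHello, else None.
    Inspects bytes only, so it works identically on port 443 and port 1234."""
    if len(data) < 5 or data[0] != 0x16 or data[1] != 0x03:
        return None
    rec_len = struct.unpack("!H", data[3:5])[0]
    hs = data[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        return None
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    if len(body) < 35:
        return None
    result: Dict[str, object] = {"sni": None, "max_version": struct.unpack("!H", body[0:2])[0]}
    pos = 34                                    # past legacy_version + random
    pos += 1 + body[pos]                        # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                        # compression_methods
    if pos + 2 > len(body):
        return result                           # no extensions present
    ext_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = min(pos + ext_len, len(body))
    while pos + 4 <= end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        edata = body[pos:pos + elen]
        pos += elen
        if etype == 0 and len(edata) >= 5:      # server_name: skip list len + name_type
            name_len = struct.unpack("!H", edata[3:5])[0]
            result["sni"] = edata[5:5 + name_len].decode("ascii", "replace")
        elif etype == 43 and edata:             # supported_versions: highest offered wins
            n = edata[0]
            offered = [struct.unpack("!H", edata[1 + i:3 + i])[0] for i in range(0, n, 2)]
            if offered:
                result["max_version"] = max(offered)
    return result


VERSION_NAMES = {0x0303: "TLS 1.2", 0x0304: "TLS 1.3"}


def classify_flows(flows: List[Tuple[int, bytes]]) -> List[Dict[str, object]]:
    """For each (dst_port, first client bytes) report what a stream-level inspector
    sees versus a proxy bound to the web port only (assumed rule: port 443)."""
    rows = []
    for port, payload in flows:
        ch = parse_client_hello(payload)
        rows.append({
            "port": port,
            "tls": ch is not None,
            "sni": ch["sni"] if ch else None,
            "version": VERSION_NAMES.get(ch["max_version"], hex(ch["max_version"])) if ch else None,
            "proxy_visible": port == 443,       # assumption: web proxy sees only port 443
        })
    return rows


SAMPLE_FLOWS = [  # constructed flows, not captured traffic
    (443, build_client_hello("www.example.com", [0x0304, 0x0303])),
    (1234, build_client_hello("update.example.net", [0x0303])),
    (1234, b"GET / HTTP/1.1\r\nHost: plain.example\r\n\r\n"),
]

if __name__ == "__main__":
    for row in classify_flows(SAMPLE_FLOWS):
        print(row)
```

The second flow is the case the post describes: TLS 1.2 on port 1234 is fully identified by the byte-level parser (SNI and version recovered), yet `proxy_visible` is false because a port-bound proxy never receives it. The third flow shows the parser declining cleanly on non-TLS bytes rather than guessing from the port.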

  • Isn't it true that for full DPI to work correctly in the UTM, you must use "decrypt and scan" and deploy the HTTPS web filtering certificate by downloading it from the UTM and installing it into your browser? Otherwise you are just scanning URLs and not doing the man-in-the-middle, which is actually DPI?