In our list of new features: www.sophos.com/.../sophos-xg-firewall-key-new-features.pdf
Xstream Architecture
Sophos is pleased to introduce the new Xstream Architecture for XG Firewall, a new streaming packet processing architecture that provides extreme levels of protection and performance. The new architecture includes:
1) Xstream SSL Inspection: Organizations can enable SSL inspection on their networks without compromising network performance or user experience. It delivers high-performance, high connection capacity support for TLS 1.3 and all modern cipher suites, providing extreme SSL inspection performance across all ports, protocols, and applications. It also comes equipped with enterprise-grade controls to optimize security, privacy, and performance.
2) Xstream DPI Engine: Enables comprehensive threat protection in a single high-performance streaming DPI engine with proxyless scanning of all traffic for AV, IPS, and web threats, as well as providing Application Control and SSL Inspection. Pattern matching on decrypted traffic makes patterns more effective and provides increased protection from hash/pattern changing applications such as Psiphon proxy.
3) Xstream Network Flow FastPath: Provides the ultimate in performance by intelligently offloading traffic processing to transfer trusted traffic at wire speeds. FastPath offloading can be controlled through policy to accelerate important cloud application traffic, or intelligently by the DPI engine based on traffic characteristics.
So what does this mean?
One of the new features in v18.0 is a new high-performance way of handling web traffic, along with a new high-performance way of doing SSL/TLS decryption, and a lot of new options around enforcement of TLS/SSL rules. The web proxy from 17.5 is still present, and administrators have a choice of which mode they want to use.
The following is an attempt to summarize the differences between the "proxy mode" and the new "DPI mode" (Deep Packet Inspection), basically to explain 2) and the relevant parts of 1). But the overall feature is more than what I am covering.
It focuses on differences in web for the things you could do in 17.5, and do differently in 18.0.
I have one question. How does XG work if both options (DPI and PROXY) are unchecked?
There is no DPI mode box to uncheck.
If you have a web policy selected and/or malware scanning selected, and you do not have "use web proxy instead of DPI" checked, then it will use the DPI mode.
If you do not have a web policy and also do not have malware scanning, then some options are disabled. Neither proxy nor DPI mode will be looking at the web traffic. If the Services for the firewall rule include port 80/443, then the traffic flows through the firewall as an open port. The HTTPS traffic might still be decrypted depending on the settings in the SSL/TLS inspection rules tab, but DPI will not be doing any enforcement.
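To make the decision in the answer above easier to check against your own rule base, here is an added example that models it as a small function. It is not Sophos code and does not read an XG configuration; the field names (web_policy, scan_malware, use_web_proxy_instead_of_dpi, the SSL/TLS inspection "decrypt" flag) and the three sample rules are assumptions constructed for illustration. It encodes exactly the three outcomes described: DPI mode, proxy mode, or no web inspection at all (open port), with the caveat that an SSL/TLS inspection rule may still decrypt traffic that nobody is enforcing policy on.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional


class WebMode(Enum):
    DPI = "DPI engine"
    PROXY = "web proxy"
    NONE = "no web inspection (open port)"


@dataclass(frozen=True)
class FirewallRule:
    """Subset of a firewall rule's web settings (field names are assumptions)."""
    name: str
    services: frozenset = field(default_factory=frozenset)  # TCP ports in the rule's Services
    web_policy: Optional[str] = None      # None models "Web policy: None"
    scan_malware: bool = False            # "Scan HTTP and decrypted HTTPS" style option
    use_web_proxy_instead_of_dpi: bool = False  # the checkbox the answer refers to


def web_mode(rule: FirewallRule) -> WebMode:
    """Which engine looks at web traffic for this rule, per the answer above."""
    wants_web_inspection = rule.web_policy is not None or rule.scan_malware
    if not wants_web_inspection:
        return WebMode.NONE          # proxy/DPI options are disabled; traffic is an open port
    if rule.use_web_proxy_instead_of_dpi:
        return WebMode.PROXY
    return WebMode.DPI


def describe(rule: FirewallRule, tls_rule_decrypts: bool) -> dict:
    """Summarise what happens to HTTP/HTTPS matched by this rule.

    tls_rule_decrypts models whether a matching SSL/TLS inspection rule decrypts.
    Decryption is independent of the web mode: with WebMode.NONE the session may be
    decrypted and re-encrypted, but no web policy or malware scan is enforced on it.
    """
    mode = web_mode(rule)
    web_ports_open = bool(rule.services & {80, 443})
    return {
        "rule": rule.name,
        "mode": mode,
        "web_ports_in_services": web_ports_open,
        "https_decrypted": tls_rule_decrypts and web_ports_open,
        "web_policy_enforced": mode is not WebMode.NONE,
    }


# Constructed sample rules (not from any real configuration).
SAMPLE_RULES = [
    FirewallRule("LAN to WAN (DPI)", frozenset({80, 443}), web_policy="Default Workplace Policy"),
    FirewallRule("Legacy proxy rule", frozenset({80, 443}), scan_malware=True,
                 use_web_proxy_instead_of_dpi=True),
    FirewallRule("Allow any, no web filtering", frozenset({80, 443, 22})),
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(describe(r, tls_rule_decrypts=True))
```

The third sample rule is the situation the question asks about: no web policy, no malware scanning, so `web_mode` returns `WebMode.NONE` even though port 443 is in the Services list, and `describe` reports that the session can still be decrypted by an SSL/TLS inspection rule while nothing is enforced on it.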
Interesting observation while investigating what I thought was a fault with the DPI engine reporting.
I turned the proxy on for some of my firewall rules and all my connections now happen the first time without error messages, whereas with DPI enabled a number of sites took two or three attempts to connect, without any error messages in the logs.