I have a feeling most people are configuring their SWs incorrectly.
I think most people have DPI enabled but don't have the SW certificate installed on the workstations (DPI Client) or on their Servers (DPI Server).
Also, I have spoken with support in the past and they would say to go to Firewall Settings - Advanced - Connections and change it to: DPI Connections (DPI services enabled with additional performance optimizations).
They would tell you to do that to actually get most of the advertised speed from the firewall.
So it's my understanding that unless you install the certificates on all the workstations and/or servers, DPI is doing absolutely nothing and eating up your ISP speed and firewall CPU. So you should have this setting checked: Maximum SPI Connections (DPI services disabled).
I have seen on reddit that DPI should be turned off everywhere, including firewall rules even if you have DPI disabled under DPI-SSL.
I just think this is a very misunderstood setting with SWs.
What is everyone's take on this?
Comments
DPI and DPI-SSL are different things. DPI is what gives you all the Next-Gen Firewall features and should be enabled if you want to utilize the security services.
DPI-SSL is broadening this to SSL-encrypted traffic and requires a cert on each device. So it could be said that using DPI-SSL makes it possible to inspect 90+% of traffic, using only DPI about half, if that, and if you disable DPI altogether you aren't doing any deep packet inspection and are only using the firewall as a packet filter.
If you did that, there wouldn't be much sense in using a Next-Gen firewall at all; you could just use some open source packet filter firewall.
Turning on "performance optimizations" or "enhanced security" affects low risk threat inspection. More speed if you don't care about low risk threats.
Evidently :)
If you enable DPI-SSL on traffic for clients that don't trust your cert, it's not just going to silently fail, the users would be up in arms about getting certificate warnings everywhere and applications not working.
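A quick workstation-side check for the two situations discussed above (the original post's point that DPI-SSL needs the firewall CA installed on every client, and this comment's point that an untrusted CA shows up as certificate warnings), written as an added example for this thread rather than anything from SonicWall. The CA common name is a placeholder you would take from your own firewall's DPI-SSL settings, and the sample certificate dicts are constructed to match the shape of `ssl.SSLSocket.getpeercert()`.

```python
"""Check from a client whether TLS traffic is being re-signed by the
firewall's DPI-SSL CA and whether that CA is trusted locally."""
import socket
import ssl
import sys

# Placeholder (assumption): the CN of your firewall's DPI-SSL signing CA.
INSPECTION_CA_CN = "Example DPI-SSL CA"

# Constructed samples in the nested-tuple layout getpeercert() returns.
SAMPLE_INTERCEPTED = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("organizationName", "Example Corp"),),
               (("commonName", INSPECTION_CA_CN),)),
}
SAMPLE_PUBLIC = {
    "subject": ((("commonName", "www.example.com"),),),
    "issuer": ((("countryName", "US"),), (("commonName", "Public Root CA"),)),
}


def _name_to_dict(name):
    """Flatten getpeercert()'s ((('attr', 'value'),), ...) into a dict."""
    return {attr: value for rdn in name for attr, value in rdn}


def classify_peer_cert(cert, inspection_ca_cn=INSPECTION_CA_CN):
    """'intercepted' if the leaf was signed by the DPI-SSL CA, 'direct' if
    some other CA signed it, 'unknown' if no issuer is present."""
    issuer_cn = _name_to_dict(cert.get("issuer", ())).get("commonName")
    if issuer_cn is None:
        return "unknown"
    return "intercepted" if issuer_cn == inspection_ca_cn else "direct"


def inspection_ca_trusted(inspection_ca_cn=INSPECTION_CA_CN):
    """True if the default trust store already holds a CA with that CN."""
    ctx = ssl.create_default_context()
    return any(_name_to_dict(c.get("subject", ())).get("commonName")
               == inspection_ca_cn for c in ctx.get_ca_certs())


def probe(host, port=443, inspection_ca_cn=INSPECTION_CA_CN):
    """Verify a live connection the way a browser would and classify it."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((host, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return classify_peer_cert(tls.getpeercert(), inspection_ca_cn)
    except ssl.SSLCertVerificationError:
        # Chain not trusted here: the "certificate warnings everywhere" case.
        return "untrusted"


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else None
    print("DPI-SSL CA trusted locally:", inspection_ca_trusted())
    print("live probe:", probe(target) if target else "(no host given)")
```

Run it with a hostname argument on a managed workstation: "intercepted" plus a trusted CA means DPI-SSL is working for that client, "untrusted" means DPI-SSL is re-signing but the CA was never deployed, and "direct" means that flow is not being decrypted at all.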
@SonicAdmin80 summarized it pretty well.
"I just think this is a very misunderstood setting with SWs."
The same can be said about any NGFW, as DPI and DPI-SSL are pretty much standard fare on all manufacturers.
People will read Reddit and not actually understand any of what they are doing, and put themselves in compromising situations…