
I have a feeling most people are configuring their SW's incorrectly

I think most people have DPI enabled but don't have the SW certificate installed on the workstations (DPI Client) or on their Servers (DPI Server).

Also, I have spoken with support in the past and they would say to go to Firewall Settings - Advanced - Connections and change it to: DPI Connections (DPI services enabled with additional performance optimizations).

They would tell you to do that to actually get most of the advertised speed from the firewall.

So it's my understanding unless you install the certificates on all the workstations and/or servers DPI is doing absolutely nothing and eating up your ISP speed and firewall CPU. So you should have this setting checked: Maximum SPI Connections (DPI services disabled)

I have seen on reddit that DPI should be turned off everywhere, including firewall rules even if you have DPI disabled under DPI-SSL.

I just think this is a very misunderstood setting with SW's.

What is everyone's take on this?

Category: Entry Level Firewalls
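The original post turns on two questions an admin can answer directly from a workstation: is the firewall's DPI-SSL CA actually trusted on this machine, and is the firewall actually re-signing the connections this client makes? The following PowerShell script is an added example, not code from this thread or from SonicWall. It assumes the DPI-SSL CA has already been exported from the firewall to the (hypothetical) path in $CaPath, and that $TestHost is any HTTPS site you expect to be inspected.

```powershell
<#
Added example (not from the thread or from SonicWall). On a Windows client it checks:
  1. whether the firewall's DPI-SSL CA is in the machine trusted-root store, and
  2. whether the certificate this client receives for a test host chains to that CA,
     i.e. whether the firewall is re-signing the connection at all.
Assumptions: $CaPath is a hypothetical export path for the firewall's DPI-SSL CA;
$TestHost is any HTTPS site you expect DPI-SSL to inspect.
#>
param(
    [string]$CaPath   = 'C:\certs\dpi-ssl-ca.cer',   # hypothetical export path
    [string]$TestHost = 'example.com'
)

$ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CaPath

# 1. Trust check: match on thumbprint, not on the display name, so a look-alike CA does not pass.
$inRoot = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $ca.Thumbprint }
if ($inRoot) {
    Write-Output "OK: firewall CA '$($ca.Subject)' is in LocalMachine\Root"
} else {
    Write-Output "MISSING: firewall CA is not in LocalMachine\Root; inspected sites will raise certificate warnings on this client"
}

# 2. Interception check: open a TLS session and see who signed the leaf certificate.
#    The validation callback returns $true only so an untrusted chain can be inspected;
#    no application data is sent over the session.
$tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $TestHost, 443
try {
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $tls = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAny
    $tls.AuthenticateAsClient($TestHost)
    $leaf = [System.Security.Cryptography.X509Certificates.X509Certificate2] $tls.RemoteCertificate

    # Build the chain with the firewall CA available as an extra store, so the chain can be
    # completed even on a machine where step 1 reported the CA as missing.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $null = $chain.ChainPolicy.ExtraStore.Add($ca)
    $null = $chain.Build($leaf)

    $viaFirewall = $chain.ChainElements | Where-Object { $_.Certificate.Thumbprint -eq $ca.Thumbprint }
    if ($viaFirewall) {
        Write-Output "$TestHost IS re-signed by the firewall (leaf issuer: $($leaf.Issuer)); DPI-SSL is active for this client"
    } else {
        Write-Output "$TestHost is NOT re-signed (leaf issuer: $($leaf.Issuer)); the site is excluded or DPI-SSL is not in this client's path"
    }
} finally {
    if ($tls) { $tls.Dispose() }
    $tcp.Dispose()
}
```

Run it on a few workstations and servers against a site you expect to be inspected. "MISSING" plus "IS re-signed" is the combination the original post worries about: the firewall is spending CPU on inspection while users see warnings. "OK" plus "NOT re-signed" usually means the test host is on an exclusion list or the client's zone is not subject to DPI-SSL, which is worth confirming against the firewall's exclusion settings.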

Comments

  • Arkwright, Community Legend

    I just think this is a very misunderstood setting with SW's.

    Evidently :)

    So it's my understanding unless you install the certificates on all the workstations and/or servers DPI is doing absolutely nothing and eating up your ISP speed and firewall CPU

    If you enable DPI-SSL on traffic for clients that don't trust your cert, it's not just going to silently fail, the users would be up in arms about getting certificate warnings everywhere and applications not working.

  • TKWITS, Community Legend (edited November 11)

    @SonicAdmin80 summarized it pretty well.

    "I just think this is a very misunderstood setting with SW's"

    The same can be said about any NGFW, as DPI and DPI-SSL are pretty much standard fare on all manufacturers.

    People will read Reddit and not actually understand any of what they are doing, and put themselves in compromising situations…

  • Simon_Weel, Enthusiast

    DPI-SSL is becoming a no-no for more and more sites. As long as a browser does a one-way check (i.e. the client checks the validity of a certificate and is served up the certificate of the firewall, so it thinks it's ok) then it works fine. But more and more sites do a cross-check, where the remote site 'asks' the browser what certificate information it has received. And then the man-in-the-middle (the firewall) is caught and the connection is terminated. For those sites, you have to exclude them from DPI-SSL, making it easier for malware developers to get their crap delivered...

  • Arkwright, Community Legend

    But more and more sites do a cross-check, where the remote site 'asks' the browser what certificate information it has received.

    I had a suspicion that something like this might be happening, performed by some WAF. Two customers reported issues with two different sites that randomly return 404 on different page elements [we can see this with web developer tools, network log]. The issue goes away once the site is excluded from DPI-SSL.

    DPI-SSL is on borrowed time.

  • SonicAdmin80, Cybersecurity Overlord

    I also feel like DPI-SSL might be more hassle than it's worth at this point, maybe stuff like endpoint protection and DNS filtering are easier to cover some of the same areas without all the management overhead with DPI-SSL.
