Improving Performance of HTTP with DSRI

Improving Performance of HTTP with DSRI

119953
Created On 09/25/18 19:10 PM - Last Modified 10/12/23 10:00 AM


Symptom


A session on the firewall comprises two flows. Client to Server and Server to Client. The DSRI (Disable Server Response Inspection) feature on the Palo Alto Networks firewall can be enabled to skip the inspection of the Server to Client flow.

Environment


  • Any NGFW

Cause


Typically DSRI is used in environments where internal servers are trusted and protected by the firewall. In these cases, content inspection can be configured for only client-to-server (internet users to internal servers) traffic using the DSRI option. By doing this, the Server-to-Client flow (internal servers to internet clients) is skipped after sufficient data has been inspected by the firewall to identify the applications running over HTTP. This option provides higher throughput when compared to full content inspection of the traffic and is useful in overloaded environments with heavy inside server traffic.
 

DSRI with App-Override policy (HTTP-NSRI) can be used to improve performance in environments with small-size packets.

Note: NSRI stands for No Server Response Inspection

Resolution


The differences between the methods are:

  • APP-Override policy alone
    Both the Client to Server and Server to Client flow is skipped from content ( AppID + Threats ) inspection by the firewall.
  • DSRI alone
    The Server-to-client flow is skipped from inspection after a certain amount of data is inspected by the firewall in order to identify the application. This can typically be used in environments with high traffic load to internal trusted web-servers and content inspection is required for http requests only.
  • DSRI enabled along with App-Override policy (select application HTTP-NSRI)
    Client to Server flow content inspection is done, but complete Server to Client flow is skipped from inspection and thus the traffic is identified as HTTP-NSRI. This can typically be used in environments with high traffic load to internal trusted web-servers with small packet sizes and content inspection is required for http requests only.

 

Steps

The following steps describe how to apply DSRI along with the App-Override policy.

  1. Configure an HTTP-NSRI Override policy. An example is shown below:
    http-nsri_1.JPG.jpg
  2. Create a security policy to allow the HTTP-NSRI application.
    http-nsri.JPG.jpg
  3. Check the "Disable Server Response Inspection" option for the security policy created in step 2.
    http-nsri_2.JPG.jpg

 

Details of the HTTP-NSRI application can be found by performing a search on the Objects > Applications page of the web UI (example).

http-nsri_3.JPG.jpg

 

owner: sdurga
Other users also viewed:
Actions
  • Print
  • Copy Link

    https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClV9CAK&refURL=http%3A%2F%2Fknowledgebase.paloaltonetworks.com%2FKCSArticleDetail

Choose Language