https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23575#M17190 <HTML><HEAD></HEAD><BODY><P>I had to Google to find out what DSRI stands for:</P><P></P><P>DSRI = Disable Server Response Inspection (in case someone else wonders <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>I found this document at the same time regarding performance figures:</P><P></P><P><A class="jive-link-external-small" href="http://www.commsolutions.com/uploads/PA-lNetwork%20World%20PA-5060%20Review.pdf">http://www.commsolutions.com/uploads/PA-lNetwork%20World%20PA-5060%20Review.pdf</A></P><P></P><P><SPAN>So yes if performance is an issue (and you cant get more PA-boxes to cluster as described in </SPAN><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf">http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf</A><SPAN> ) you can enable DSRI (that is disabling server response inspection) for specific flows.</SPAN></P><P></P><P>However there are many cases where disabling DSRI (that is enable server response inspection) would be good security wise.</P><P></P><P>Clients browsing the Internet is probably the most obvious (this way we can detect infected clients (trying to infect servers) but also infected servers trying to infect clients). This including "trusted" sites.</P><P></P><P>But I think it can be healthy also for incoming traffic to your own internal servers. If you have DSRI enabled for those flows you wont detect (and possible block) if one of these servers gets infected. And the risk might be higher for that on internal networks because you often keep a track on patching (hopefully <span class="lia-unicode-emoji" title=":winking_face:">😉</span> the servers in DMZ (facing Internet) but internal servers tends to get sloppy after a while (or are appliances where it depends on how active the vendor is before patches are released). Probably because the threat isnt as visible as with that Internet facing DMZ.</P><P></P><P>I wonder if the PA-devices are "smart enough" to not perform server response inspection where this inspection wouldnt find something bad anyway (which on its own might be bad aswell if you enable IPS and it actually wont do as you think it does)?</P><P></P><P>Or for that matter what is disabled when you disable server response inspection? Could you for example enable inspection for the antivirus engine but disable it for the IPS - and if so, would you really gain something performancewise as quoting from the above pdf:</P><P></P><P>"</P><P>Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost, beyond the initial sharp drop in rates, for layering on multiple types of traffic inspection.</P><P>"</P><P></P><P>Edit: Changed some text above because disabling DSRI actually enables server response inspection :smileysilly:</P></BODY></HTML> Thu, 15 Nov 2012 08:35:04 GMT mikand 2012-11-15T08:35:04Z https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23574#M17189 <HTML><HEAD></HEAD><BODY><P>So I keep hearing that disabling DSRI will improve performance.&nbsp; I thought I read that most vendors do not even offer the option.</P><P></P><P>What are some guidelines for disabling DSRI?&nbsp; I understand that incoming to own internal server is probably ok, but what about disabling for some client security rules.&nbsp; Immediate examples are trusted sites like Netflix, X-box access, wii access, etc.</P><P></P><P>Thanks</P><P>Bob</P></BODY></HTML> Thu, 15 Nov 2012 02:52:13 GMT https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23574#M17189 BobW 2012-11-15T02:52:13Z https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23575#M17190 <HTML><HEAD></HEAD><BODY><P>I had to Google to find out what DSRI stands for:</P><P></P><P>DSRI = Disable Server Response Inspection (in case someone else wonders <span class="lia-unicode-emoji" title=":winking_face:">😉</span></P><P></P><P>I found this document at the same time regarding performance figures:</P><P></P><P><A class="jive-link-external-small" href="http://www.commsolutions.com/uploads/PA-lNetwork%20World%20PA-5060%20Review.pdf">http://www.commsolutions.com/uploads/PA-lNetwork%20World%20PA-5060%20Review.pdf</A></P><P></P><P><SPAN>So yes if performance is an issue (and you cant get more PA-boxes to cluster as described in </SPAN><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf">http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf</A><SPAN> ) you can enable DSRI (that is disabling server response inspection) for specific flows.</SPAN></P><P></P><P>However there are many cases where disabling DSRI (that is enable server response inspection) would be good security wise.</P><P></P><P>Clients browsing the Internet is probably the most obvious (this way we can detect infected clients (trying to infect servers) but also infected servers trying to infect clients). This including "trusted" sites.</P><P></P><P>But I think it can be healthy also for incoming traffic to your own internal servers. If you have DSRI enabled for those flows you wont detect (and possible block) if one of these servers gets infected. And the risk might be higher for that on internal networks because you often keep a track on patching (hopefully <span class="lia-unicode-emoji" title=":winking_face:">😉</span> the servers in DMZ (facing Internet) but internal servers tends to get sloppy after a while (or are appliances where it depends on how active the vendor is before patches are released). Probably because the threat isnt as visible as with that Internet facing DMZ.</P><P></P><P>I wonder if the PA-devices are "smart enough" to not perform server response inspection where this inspection wouldnt find something bad anyway (which on its own might be bad aswell if you enable IPS and it actually wont do as you think it does)?</P><P></P><P>Or for that matter what is disabled when you disable server response inspection? Could you for example enable inspection for the antivirus engine but disable it for the IPS - and if so, would you really gain something performancewise as quoting from the above pdf:</P><P></P><P>"</P><P>Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost, beyond the initial sharp drop in rates, for layering on multiple types of traffic inspection.</P><P>"</P><P></P><P>Edit: Changed some text above because disabling DSRI actually enables server response inspection :smileysilly:</P></BODY></HTML> Thu, 15 Nov 2012 08:35:04 GMT https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23575#M17190 mikand 2012-11-15T08:35:04Z https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23576#M17191 <HTML><HEAD></HEAD><BODY><P>Hello mikand</P><P></P><P>Would you check <SPAN style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #3b3b3b;"> </SPAN><A class="jive-link-external-small" href="http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf" style="font-family: 'Helvetica Neue', Helvetica, Arial, 'Lucida Grande', sans-serif; color: #006595;">http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf</A></P><P>site again please?</P><P></P><P>It can not connect website</P></BODY></HTML> Sat, 07 Sep 2013 13:18:13 GMT https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23576#M17191 SilverTiger 2013-09-07T13:18:13Z https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23577#M17192 <HTML><HEAD></HEAD><BODY><P>Here you got some updated links regarding Arista using PaloAlto:</P><P></P><P>Palo Alto Networks and Arista 100 Gbs Next Generation Firewall- Whitepaper</P><P><A href="http://www.aristanetworks.com/media/system/pdf/palo_alto_networks_arista.pdf" title="http://www.aristanetworks.com/media/system/pdf/palo_alto_networks_arista.pdf">http://www.aristanetworks.com/media/system/pdf/palo_alto_networks_arista.pdf</A></P><P></P><P>Palo Alto Networks and Arista Solution Brief</P><P><A href="http://bit.ly/138GEO2" title="http://bit.ly/138GEO2">http://bit.ly/138GEO2</A></P><P></P><P>Arista Scale with Symmetry Guide</P><P><A href="http://bit.ly/138GNBe" title="http://bit.ly/138GNBe">http://bit.ly/138GNBe</A></P><P></P><P>Arista EOS integration with Palo Alto Networks Next-generation Firewall for 100GbE: Webinar Recording</P><P><A href="http://www.aristanetworks.com/june-27-2013-webinar-recording" title="http://www.aristanetworks.com/june-27-2013-webinar-recording">http://www.aristanetworks.com/june-27-2013-webinar-recording</A></P><P></P><P>SDN Central, Arista Networks &amp; Palo Alto Networks -DemoFriday: Webinar Recording</P><P><A href="http://www.aristanetworks.com/en/sdn-central-july-2013-webinar-recording" title="http://www.aristanetworks.com/en/sdn-central-july-2013-webinar-recording">http://www.aristanetworks.com/en/sdn-central-july-2013-webinar-recording</A></P></BODY></HTML> Sun, 08 Sep 2013 21:32:47 GMT https://live.paloaltonetworks.com/t5/general-topics/tweaking-dsri/m-p/23577#M17192 mikand 2013-09-08T21:32:47Z