<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic Re: DSRI on IPSec/VPN traffic in General Topics</title>
    <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169362#M53818</link>
    <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;You're absolutely right. When the tunnel is already established, Palo only sees gibberish, where it is not able to check anything.&lt;/P&gt;&lt;P&gt;But there could be rare edge cases: while establishing a tunnel, a malformed response could be very dangerous if there is a vulnerability in the VPN client software (not the first time something like that happens). A vulnerability like that could be detected by Palo.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Very theoretical, but ... &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
    <pubDate>Tue, 01 Aug 2017 17:15:06 GMT</pubDate>
    <dc:creator>Remo</dc:creator>
    <dc:date>2017-08-01T17:15:06Z</dc:date>
    <item>
      <title>DSRI on IPSec/VPN traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169309#M53811</link>
      <description>&lt;P&gt;We have a rule allowing VPN traffic (IPSec) from our Guest environment. This traffic is non-decryptable. We would like to reduce CPU by disabling Server Response Inspection for this traffic. Do we lose anything from a security perspective if we do so? If there is a change in the application, will App-ID still detect it?&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2017 15:37:30 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169309#M53811</guid>
      <dc:creator>LCMember1643</dc:creator>
      <dc:date>2017-08-01T15:37:30Z</dc:date>
    </item>
    <item>
      <title>Re: DSRI on IPSec/VPN traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169351#M53815</link>
      <description>&lt;P&gt;As you already wrote, this traffic cannot be decrypted. So the only (very) little thing you, or better said your guests, lose from a security perspective is that your Palo Alto cannot protect your guests from vulnerabilities that can be exploited from VPN gateways to their clients. --&amp;gt; As it is your guest network, I don't see a reason that you need to protect them from malicious VPN gateways.&lt;/P&gt;&lt;P&gt;The firewall is still able to detect app changes, but only in the client-to-server traffic and no longer in server-to-client traffic.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2017 16:38:49 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169351#M53815</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-08-01T16:38:49Z</dc:date>
    </item>
    <item>
      <title>Re: DSRI on IPSec/VPN traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169353#M53817</link>
      <description>&lt;P&gt;I don't think you get any benefit, as if Palo identifies an application that is encrypted (like SSL) and you don't apply a decryption policy, it will let it through the firewall without trying to apply deep packet inspection.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2017 16:49:13 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169353#M53817</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-08-01T16:49:13Z</dc:date>
    </item>
    <item>
      <title>Re: DSRI on IPSec/VPN traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169362#M53818</link>
      <description>&lt;P&gt;&lt;a href="https://live.paloaltonetworks.com/t5/user/viewprofilepage/user-id/15603"&gt;@Raido_Rattameister&lt;/a&gt;&lt;/P&gt;&lt;P&gt;You're absolutely right. When the tunnel is already established, Palo only sees gibberish, where it is not able to check anything.&lt;/P&gt;&lt;P&gt;But there could be rare edge cases: while establishing a tunnel, a malformed response could be very dangerous if there is a vulnerability in the VPN client software (not the first time something like that happens). A vulnerability like that could be detected by Palo.&lt;/P&gt;&lt;P&gt;&amp;nbsp;&lt;/P&gt;&lt;P&gt;Very theoretical, but ... &lt;span class="lia-unicode-emoji" title=":winking_face:"&gt;😉&lt;/span&gt;&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2017 17:15:06 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169362#M53818</guid>
      <dc:creator>Remo</dc:creator>
      <dc:date>2017-08-01T17:15:06Z</dc:date>
    </item>
    <item>
      <title>Re: DSRI on IPSec/VPN traffic</title>
      <link>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169363#M53819</link>
      <description>&lt;P&gt;Agree.&lt;/P&gt;&lt;P&gt;I should be really desperate to turn DSRI on (read: firewall really overloaded and no way to get it upgraded).&lt;/P&gt;&lt;P&gt;Even if you host servers, they might get compromised, and with DSRI you don't identify if they start attacking others or a website starts spreading viruses around.&lt;/P&gt;</description>
      <pubDate>Tue, 01 Aug 2017 17:24:45 GMT</pubDate>
      <guid>https://live.paloaltonetworks.com/t5/general-topics/dsri-on-ipsec-vpn-traffic/m-p/169363#M53819</guid>
      <dc:creator>Raido_Rattameister</dc:creator>
      <dc:date>2017-08-01T17:24:45Z</dc:date>
    </item>
  </channel>
</rss>