DSRI on IPSec/VPN traffic


L1 Bithead

We have a rule allowing VPN traffic (IPsec) from our Guest environment. This traffic is non-decryptable. We would like to reduce CPU by disabling Server Response Inspection for this traffic. Do we lose anything from a security perspective if we do so? If there is a change in the application, will App-ID still detect it?

4 REPLIES

L7 Applicator

As you already wrote, this traffic cannot be decrypted. So the only (very) little thing you, or rather your guests, lose from a security perspective is that your Palo Alto cannot protect your guests from vulnerabilities that can be exploited from VPN gateways against their clients. --> As it is your guest network, I don't see a reason that you need to protect them from malicious VPN gateways.

The firewall is still able to detect app changes, but only in the client-to-server traffic and no longer in the server-to-client traffic.

I don't think you get any benefit, as if Palo identifies an application that is encrypted (like SSL) and you don't apply a decryption policy, it will let it through the firewall without trying to apply deep packet inspection.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011

@Raido_Rattameister

You're absolutely right. When the tunnel is already established, Palo only sees gibberish where it is not able to check anything.

But there could be rare edge cases: while establishing a tunnel, a malformed response could be very dangerous if there is a vulnerability in the VPN client software (not the first time something like that has happened). A vulnerability like that could be detected by Palo.

Very theoretical, but ... 😉

Agree.

I would have to be really desperate to turn DSRI on (read: firewall really overloaded and no way to get it upgraded).

Even if you host servers, they might get compromised, and with DSRI you don't identify if they start attacking others or a website starts spreading viruses around.

Enterprise Architect, Security @ Cloud Carib Ltd
Palo Alto Networks certified from 2011
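For readers who want to see what the change discussed above looks like in practice, here is a PAN-OS configuration-mode CLI fragment added to this page as an illustration; it is not from the thread or from Palo Alto Networks documentation. It scopes DSRI to a single rule matching the poster's IPsec traffic (the `ike` and `ipsec-esp` App-IDs), so every other rule from the guest zone keeps full server-to-client inspection, which addresses the compromised-host concern raised in the last reply. The zone names, the rule name and the exact `option` keyword are assumptions; check them against the CLI reference for your PAN-OS version before committing.

```text
# Added example, not the thread's or vendor's own configuration.
# Assumed zone names: guest (source), untrust (destination). Assumed rule name: guest-ipsec-out.
configure
set rulebase security rules guest-ipsec-out from guest to untrust
set rulebase security rules guest-ipsec-out source any destination any
set rulebase security rules guest-ipsec-out application [ ike ipsec-esp ]
set rulebase security rules guest-ipsec-out service application-default
set rulebase security rules guest-ipsec-out action allow
# DSRI is a per-rule option; enabling it here leaves other guest-zone rules fully inspected.
set rulebase security rules guest-ipsec-out option disable-server-response-inspection yes
commit
```

Because the rule matches only the IPsec App-IDs, a session that shifts to a different application is still evaluated by App-ID on the client-to-server direction (as the second reply notes) and would fall out of this rule rather than inheriting its DSRI setting.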