How do you disable Layer 7 inspection?


L2 Linker

If I wanted no layer 7 inspection for a particular IP at a certain port - how can I do that without Application override? Thank you.

6 REPLIES 6

L7 Applicator

You use application override.  There's no other way to completely disable L7 inspection.  (There are some ways to potentially minimize L7, but app-override is the correct way to do it).    

 

What scenario/environment requires you to disable L7 without using an application override?  

The deal is that our IT group is experiencing choppy video when that traffic goes out the PAN but if they run a video conference out of MiFi there's no chop despite even worse latency and max packet loss. I'm trying to rule in or rule out the PAN as a possible culprit and thus trying to let the traffic move through the device with as little processing as possible.

 

I was going to use Application Over-ride when one of our internal people suggested this was doable with just a security policy. If that's mistaken or if you have any other approach to minimizing the impact of real time packet flow through the PAN I'm all ears.

@Shuttermed,

Your internal people were likely confusing the ability with creating a policy with 'any' application and specifying services as an option to turn off L7, but it doesn't do that. The only way to truly bypass L7 is application-override. 

A possibly bigger question would be what application you're actually having issues with; if you provide that, we may be able to actually help address the root issue.

The application is Skype for Business Online video conferencing. When egressing the PAN the video is herky-jerky and hard to watch. In contrast, over the high-latency and lossy MiFi the playback was nice and smooth. Testing this without the PAN is difficult for logistical reasons and security reasons. So my goal is to make the PAN as much of a passive factor as possible. But if you have an idea on making the Skype video better - yes please!

Hello @Shuttermed,

Do you have SSL decryption enabled? What about QoS policies? Is the interface utilization super high? Probably start with the logs to see if anything is getting blocked. I know we had poor audio on our Lync/Skype calls internally until I enabled QoS all over.

 

Regards,

The utilization on the PAN 5060 is low - peaks at 600Mbps on a 10Gbps interface.

QoS is not currently set up.

I don't see anything blocked in the traffic flow. The traffic is identified as ms-lync-online at port 443.
