So I keep hearing that disabling DSRI will improve performance. I thought I read that most vendors do not even offer the option.
What are some guidelines for disabling DSRI? I understand that incoming traffic to my own internal server is probably OK, but what about disabling it for some client security rules? Immediate examples are trusted sites like Netflix, Xbox access, Wii access, etc.
I had to Google to find out what DSRI stands for:
DSRI = Disable Server Response Inspection (in case someone else wonders ;-)
I found this document at the same time regarding performance figures:
So yes, if performance is an issue (and you can't get more PA-boxes to cluster as described in http://www.paloaltonetworks.com/literature/solution-briefs/tech-partners/arista.pdf ), you can enable DSRI (that is, disable server response inspection) for specific flows.
However, there are many cases where disabling DSRI (that is, enabling server response inspection) would be good security-wise.
Clients browsing the Internet are probably the most obvious case (this way we can detect infected clients (trying to infect servers) but also infected servers trying to infect clients). This includes "trusted" sites.
But I think it can be healthy also for incoming traffic to your own internal servers. If you have DSRI enabled for those flows you won't detect (and possibly block) if one of these servers gets infected. And the risk might be higher for that on internal networks, because you often keep track of patching (hopefully ;-) the servers in the DMZ (facing the Internet), but internal servers tend to get sloppy after a while (or are appliances where it depends on how active the vendor is before patches are released). Probably because the threat isn't as visible as with that Internet-facing DMZ.
I wonder if the PA-devices are "smart enough" to not perform server response inspection where this inspection wouldn't find something bad anyway (which on its own might be bad as well if you enable IPS and it actually won't do what you think it does)?
Or for that matter, what is disabled when you disable server response inspection? Could you for example enable inspection for the antivirus engine but disable it for the IPS? And if so, would you really gain something performance-wise, quoting from the above PDF:
Regardless of which UTM features we enabled - intrusion prevention, antispyware, antivirus, or any combination of these - results were essentially the same as if we'd turned on just one such feature. Simply put, there's no extra performance cost, beyond the initial sharp drop in rates, for layering on multiple types of traffic inspection.
Edit: Changed some text above because disabling DSRI actually enables server response inspection :smileysilly:
Here are some updated links regarding Arista using Palo Alto:
Palo Alto Networks and Arista 100 Gbs Next Generation Firewall- Whitepaper
Palo Alto Networks and Arista Solution Brief
Arista Scale with Symmetry Guide
Arista EOS integration with Palo Alto Networks Next-generation Firewall for 100GbE: Webinar Recording
SDN Central, Arista Networks & Palo Alto Networks -DemoFriday: Webinar Recording
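As an added example (not part of this thread and not Palo Alto Networks code), here is a small audit script for the guideline discussed above: it reads a PAN-OS security-rulebase XML export and flags every rule that sets DSRI, marking inbound rules to your own server zones as acceptable and anything else (client browsing, "trusted" sites) for review. The XML element path, the zone names and the sample config are assumptions constructed for the example.

```python
# Added example: audit a PAN-OS security-rule XML export for DSRI.
# Element path, zone names and the sample config are assumptions.
import xml.etree.ElementTree as ET

# Constructed sample rulebase: three rules, two of them with DSRI set.
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys>
<entry name="vsys1"><rulebase><security><rules>
  <entry name="users-to-internet"><from><member>trust</member></from>
    <to><member>untrust</member></to>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="internet-to-dmz-web"><from><member>untrust</member></from>
    <to><member>dmz</member></to>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="users-to-intranet"><from><member>trust</member></from>
    <to><member>servers</member></to>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""

# Zones holding our own (patched, monitored) servers, where skipping the
# reply inspection on inbound flows is the case the thread calls acceptable.
INBOUND_SERVER_ZONES = {"dmz"}
RULES_XPATH = ".//rulebase/security/rules/entry"  # assumed export layout

def dsri_enabled(rule):
    """True when the rule's option block sets DSRI to 'yes'."""
    node = rule.find("option/disable-server-response-inspection")
    return node is not None and (node.text or "").strip() == "yes"

def audit_dsri(config_xml):
    """Return [(rule_name, verdict)] for every rule that has DSRI set."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind(RULES_XPATH):
        if not dsri_enabled(rule):
            continue
        to_zones = {m.text for m in rule.iterfind("to/member")}
        if to_zones and to_zones <= INBOUND_SERVER_ZONES:
            verdict = "ok: inbound to own servers"
        else:
            verdict = "review: server replies not inspected on client-facing flow"
        findings.append((rule.get("name"), verdict))
    return findings

if __name__ == "__main__":
    for name, verdict in audit_dsri(SAMPLE_CONFIG):
        print(f"{name}: {verdict}")
```

Run it against `show config running` exported as XML (or a Panorama rulebase export) after adjusting INBOUND_SERVER_ZONES to your own zone names.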