
XG v18 DPI TLS Inspection problems

I finally upgraded my production XG210 firewall to v18 MR1 about a week ago. I turned on the new DPI engine as part of that. Since then I have been receiving sporadic but increasing complaints about "the internet" being slow and sluggish. Some of it I was able to determine (via the SSL/TLS Control panel) was due to the decryption profile being a little too aggressive, so I created a new decryption profile somewhere between max compatibility and block insecure to alleviate that. Today it came to a head because the system we use (all web based) for payroll was so slow just going from one page to the next that it was practically unusable. Of course the logs for TLS/SSL Inspection show no problems at all. On a whim I changed the firewall rule back to using the web proxy engine and boom, the problem disappeared immediately.

So my question is, does anybody else use this in large scale production?  Have you encountered this behavior?  With the provided logging I can't see any problems being reported and I can't just take a daily poll asking people if the sites they're visiting are slow so I can add them to an exception list.  I mean this site is a plain web based portal, there's nothing fancy or magical about it that DPI should be choking on.  

Thanks.



  • Hello Bill,

    Thank you for contacting the Sophos Community.

    Can you try disabling relay_invalid_http_traffic from the backend?

    It should be off but please confirm:

    console> show http_proxy
    HTTP add_via_header: on
    HTTP core_dump: off
    HTTP relay_invalid_http_traffic: off
    HTTP connect_timeout: 60
    HTTP tunnel_timeout: 300
    HTTP client_timeout: 60
    HTTP response_timeout: 60
    HTTP proxy_tlsv1_0: on
    HTTP captive_portal_tlsv1_0: on
    HTTP captive_portal_x_frame_options: off
    HTTP block_proxy_loop: off
    HTTP disable_tls_url_categories: off

    To turn it off if it is on, run

    console> set http_proxy relay_invalid_http_traffic off

    If it is disabled and you are still able to reproduce the issue, please open a Support Case and send me the Case ID.

    Regards,

  • Thanks for that.  In my searches through the forums and KB I encountered a post about this.  Mine was turned on (although I have never messed with this setting previously).  I turned it off.  

    I also think that setting the option in the GUI to downgrade TLS 1.3 to 1.2 may also be part of it.  I have made the changes and re-set the firewall policy in question to use DPI instead of web proxy.  We will see tomorrow if that makes any difference.
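For anyone auditing several XG firewalls for the setting discussed in the support reply above, here is an added example (not from the thread or from Sophos) that parses the `show http_proxy` console listing, flags settings that deviate from a baseline, and emits the matching `set http_proxy <key> <value>` console command. The baseline only contains relay_invalid_http_traffic = off, which is what the reply recommends; the sample output is constructed, and generalising the `set http_proxy` syntax to keys other than relay_invalid_http_traffic is an assumption.

```python
"""Audit the `show http_proxy` console output of a Sophos XG firewall."""
import re
from typing import Dict, List, Tuple

# Baseline from the support reply: relay_invalid_http_traffic should be off.
# Add further key/value pairs here if your own baseline covers more settings.
EXPECTED: Dict[str, str] = {"relay_invalid_http_traffic": "off"}

# Constructed sample (not captured from a real device), mirroring the
# thread's listing but with relay_invalid_http_traffic turned on.
SAMPLE_OUTPUT = """\
console> show http_proxy
HTTP add_via_header: on
HTTP core_dump: off
HTTP relay_invalid_http_traffic: on
HTTP connect_timeout: 60
HTTP tunnel_timeout: 300
"""

# One "HTTP <key>: <value>" line; the echoed prompt line does not match.
LINE_RE = re.compile(r"^HTTP\s+(\S+):\s*(\S+)\s*$")


def parse_http_proxy(output: str) -> Dict[str, str]:
    """Turn 'HTTP key: value' lines into a dict; other lines are ignored."""
    settings: Dict[str, str] = {}
    for line in output.splitlines():
        match = LINE_RE.match(line.strip())
        if match:
            settings[match.group(1)] = match.group(2)
    return settings


def find_deviations(settings: Dict[str, str],
                    expected: Dict[str, str] = EXPECTED) -> List[Tuple[str, str, str]]:
    """Return (key, actual, expected) for each baseline setting that differs."""
    return [(key, settings.get(key, "<missing>"), want)
            for key, want in expected.items() if settings.get(key) != want]


def remediation_commands(deviations: List[Tuple[str, str, str]]) -> List[str]:
    """Console commands that restore the baseline (assumed general syntax)."""
    return [f"set http_proxy {key} {want}" for key, _, want in deviations]


if __name__ == "__main__":
    for cmd in remediation_commands(find_deviations(parse_http_proxy(SAMPLE_OUTPUT))):
        print(cmd)
```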
