
XG v18 DPI TLS Inspection problems

I finally upgraded my production XG210 firewall to v18 MR1 about a week ago. I turned on the new DPI engine as part of that. Since then I have been receiving sporadic but increasing complaints about "the internet" being slow and sluggish. Some of it I was able to determine (via the SSL/TLS Control panel) was due to the decryption profile being a little too aggressive, so I created a new decryption profile somewhere between max compatibility and block insecure to alleviate that. Today it came to a head because the system we use (all web based) for payroll was so slow just going from one page to the next it was practically unusable. Of course the logs for TLS/SSL Inspection show no problems at all. On a whim I changed the firewall rule back to using the web proxy engine and boom, the problem disappeared immediately.

So my question is, does anybody else use this in large-scale production? Have you encountered this behavior? With the provided logging I can't see any problems being reported, and I can't just take a daily poll asking people if the sites they're visiting are slow so I can add them to an exception list. I mean this site is a plain web-based portal; there's nothing fancy or magical about it that DPI should be choking on.

Thanks.



  • Hello Bill,

    Thank you for contacting the Sophos Community.

    Can you try disabling relay_invalid_http_traffic from the backend?

    It should be off but please confirm:

    console> show http_proxy
    HTTP add_via_header: on
    HTTP core_dump: off
    HTTP relay_invalid_http_traffic: off
    HTTP connect_timeout: 60
    HTTP tunnel_timeout: 300
    HTTP client_timeout: 60
    HTTP response_timeout: 60
    HTTP proxy_tlsv1_0: on
    HTTP captive_portal_tlsv1_0: on
    HTTP captive_portal_x_frame_options: off
    HTTP block_proxy_loop: off
    HTTP disable_tls_url_categories: off

    To turn it off if it is on, run:

    console> set http_proxy relay_invalid_http_traffic off

    If it is disabled and you are able to reproduce the issue, please open a Support Case and send me the Case ID.

    Regards,

  • I'm still seeing performance issues. Whenever I encounter them they seem to be associated with the error in the logs: Dropped due to TLS engine error: FLOW_TIMEOUT[5]

    I do not know what this error means. I am reverting back to the web proxy because the new DPI is just too unpredictable.
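One way to get from exported logs the triage the original poster is asking for, instead of polling users about slow sites, is to count the "Dropped due to TLS engine error" messages per destination host and review the most affected hosts for a Don't Decrypt exception. The script below is an added example, not code from the thread or from Sophos; the key="value" line layout, the field names and the sample lines are constructed assumptions, and only the FLOW_TIMEOUT[5] message text comes from the post above.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines. The key="value" layout and the field names
# (log_type, action, dst_host, message) are assumptions for this example, not
# Sophos' documented SSL/TLS inspection log format. OTHER_ERROR is a placeholder
# code; only "Dropped due to TLS engine error: FLOW_TIMEOUT[5]" is from the thread.
SAMPLE_LOG = """\
timestamp="2020-07-01 09:12:01" log_type="SSL" action="Decrypt" dst_host="payroll.example.com" message="Connection decrypted"
timestamp="2020-07-01 09:12:07" log_type="SSL" action="Drop" dst_host="payroll.example.com" message="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
timestamp="2020-07-01 09:12:09" log_type="SSL" action="Drop" dst_host="payroll.example.com" message="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
timestamp="2020-07-01 09:13:44" log_type="SSL" action="Drop" dst_host="cdn.example.net" message="Dropped due to TLS engine error: FLOW_TIMEOUT[5]"
timestamp="2020-07-01 09:14:02" log_type="SSL" action="Decrypt" dst_host="mail.example.org" message="Connection decrypted"
timestamp="2020-07-01 09:15:30" log_type="SSL" action="Drop" dst_host="sso.example.com" message="Dropped due to TLS engine error: OTHER_ERROR[9]"
"""

KV_RE = re.compile(r'(\w+)="([^"]*)"')
ERR_RE = re.compile(r"Dropped due to TLS engine error: (?P<code>[A-Z_]+)\[(?P<num>\d+)\]")


def parse_line(line):
    """Turn one key="value" log line into a dict (assumed layout, see above)."""
    return dict(KV_RE.findall(line))


def tls_engine_drops(log_text):
    """Return {dst_host: {error_code: count}} for every TLS-engine drop seen."""
    drops = defaultdict(Counter)
    for line in log_text.splitlines():
        fields = parse_line(line)
        m = ERR_RE.search(fields.get("message", ""))
        if m:
            drops[fields.get("dst_host", "?")][m.group("code")] += 1
    return {host: dict(c) for host, c in drops.items()}


def exclusion_candidates(log_text, code="FLOW_TIMEOUT", min_drops=2):
    """Hosts with at least min_drops drops of the given code, most affected first.

    These are the hosts worth reviewing for a Don't Decrypt exception (or for a
    support case) rather than asking users which sites feel slow.
    """
    drops = tls_engine_drops(log_text)
    ranked = [(h, e[code]) for h, e in drops.items() if e.get(code, 0) >= min_drops]
    return sorted(ranked, key=lambda hc: (-hc[1], hc[0]))


if __name__ == "__main__":
    for host, n in exclusion_candidates(SAMPLE_LOG):
        print(f"{host}: {n} FLOW_TIMEOUT drops")
```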

  • Hello Bill,

    Thank you for the update. A question: is the Action in the SSL/TLS inspection rule that you created set to Decrypt or Don't Decrypt?

    Regards,

  • Hi,

    I have the same issue with MR1 Build 396 and SSL/TLS.

    "Do not decrypt" policy doesn't work.

    Best regards
