This discussion has been locked.

Web Proxy vs. DPI = partially slow vs. malfunctioning

Hello all,
first of all our config: XG210 HA (SFOS 18.5.1 MR-1 build326). We currently have the following problem:

Web Proxy off, DPI on: good performance, no noticeable limitations except for one application. The application is called WRIKE and is very important for us for QA and task management and therefore indispensable. Essentially it works in DPI mode, but it is not possible to pin attachments to a ticket and upload them to the web.

Web Proxy off: initially everything works without restrictions. After a while - "felt" each time from noon on - almost all internet dependent applications become very sluggish to the point of not working at all. Only a reboot of the cluster brings relief for a while.

HA probably has nothing to do with it, because I can reproduce these two statuses in HA and in stand-alone mode.

Could it perhaps be that the reason the application works in proxy mode is because 80 and 443 are handled transparently? And the performance collapse of the proxy is due to a specific overload that we have not yet detected? The proxy scans up to a file size of 30 MB, which is within a reasonable range according to the SOPHOS Guide.

Does anyone perhaps have an idea on this or a similar issue?

We have already opened a case at SOPHOS, but unfortunately very little to no support comes from here.

Thank you very much in advance for your support!



  • Hi,

    please display diagnostics for RAM and CPU usage.

    Ian

    XG115W - v19.5.1 mr-1 - Home

    If a post solves your question please use the 'Verify Answer' button.

  • Thank you. When using DPI, have you reviewed the SSL/TLS log to see what is failing?
    Ian


  • You could, if you have the creds for this application, exclude it from the decryption. Check if this application has a special port or if this application has fixed IPs / DNS records. Then exclude those DNS records from the decryption.


  • Thank you, Ian.
    I must confess in advance, I am not a proven SOPHOS crack.
    What I see with the proxy turned off is Google ads being rejected (see screenshot). Unfortunately, that's all I see with SSL/TLS. If I then activate the proxy again, these blockades no longer occur and the upload works.
    Regards Ingo

  • HA probably has nothing to do with it, because I can reproduce these two statuses in HA and in stand-alone mode.

    Is this absolutely true? I only ask because I've seen some funky stuff that disappears when you break HA and use one box as cold standby. 


  • This would probably be an option to mask the problem, though according to the operator this application only works on 80 and 443. On top of that, even with the proxy on, I have decryption enabled as an option and the error I have with DPI still doesn't occur.
    The behavior is not completely clear to me.

  • 99% yes. Since I had heard in various forums the problems with HA, I have explicitly tested this a few times with HA and then stand alone. It does not seem to have any effect on the problem I described. However, I do not want to swear to it.

  • The Proxy (in firewall rule the right checkboxes) are overwriting the DPI Engine. So if you have a Firewall rule, which "calls" the legacy web proxy, it will overwrite your DPI for this traffic. Therefore, if you have an application, having a problem with DPI (which could be the case), the call of the web proxy could be a solid workaround. 


  • Hi,

    are you using decrypt and scan, and if so, have you installed the XG CA? Is the failure always with the same user?
    Ian
