Web Proxy vs DPI

Hi,

assuming you don't have any fields ticked and allow all, the raffia will go through dpi engine.

ian

Hello Madni Malik,

Thank you for reaching out to the community, by default DPI engine will be used but if you enable the option "Use web proxy instead of DPI engine" then web proxy will be used. DPI engine detects and filters HTTP and SSL/TLS traffic on any port. Web proxy transparently handles traffic only on TCP ports 80 and 443.

thanks Vivek,

my question was i configure DPI on firwall rule, end user condfigured web proxy (192.68.x.x with port 8080 , this ip an port is sophos firewall) then this traffic will also entertained by DPI engine???? please confirm

If DPI is active then DPI will be in the picture.

But you can continue to use web proxy in direct mode by configuring the browsers on client devices.

You can use direct proxy mode even if you don't select Use web proxy instead of DPI engine. To use direct proxy mode, you must configure clients to use Sophos Firewall in their proxy settings. For information about using Sophos Firewall as a direct web proxy, go to Web proxy configuration in Web > General settings.

Hello;

@Vivek: I think the OP was asking, if he could leave the port on the client machine as it was before, when switching over to DPI and this will be catched by the engine or not..

Generally Speaking: DPI Engine means, the firewall will work in the Stream based approach. It will pickup the traffic on Port 443 and decrypt it. Leave the decrypted part to the proxy to decide, if blocked or not.

Direct/Standard Proxy on Port 8080 is not a DPI Engine based traffic. It means, the web proxy directly will pick up the traffic, not the DPI Engine. It will not leverage on the advantages of DPI (Decrypt TLS1.3, performance increase etc.). 

By default DPI is active, so I believe it should !!

Let me see if I am interpreting this correctly? If you do not have any rules using the web proxy and a user enables the proxy in their browser the firewall will pass the traffic with no restrictions?
ian

No. Without a rule, it will not be allowed. It is about the way to interact with the proxy.