DotW: Using DSRI with the Palo Alto Networks firewall
Resolution
So excited to follow along as you get your Palo Alto Networks firewall up and running. After placing the firewall inline, some of you have reported performance issues with file transfers. Well, we can't abide any hit to your productivity and happiness, so come with us to the Community solution.
Community member clyde.franklin reported some performance issues after placing his Palo Alto Networks firewall inline. Several members jumped in the discussion with tips that could explain the slowness. Factors such as 'security profiles' and 'hardware limitations' were mentioned—these and other factors could explain this behaviour.
Member clyde.franklin confirmed they were using a PA-7050 with no security profiles. Later in the discussion, he himself came up with the solution to his problem by disabling server response inspection (DSRI).
A session on the firewall comprises two flows, client to server and server to client. The DSRI feature on the Palo Alto Networks firewall can be enabled to skip the inspection of the Server to Client flow.
Typically, DSRI is used in environments where internal servers are trusted and protected by the firewall. In these cases, content inspection can be configured for only client to server (internet users to internal servers) traffic using the DSRI option. By doing this, the Server to Client flow (internal servers to internet clients) is skipped after sufficient data has been inspected by the firewall to identify the applications running over HTTP. This option provides higher throughput when compared to full content inspection of the traffic, and is useful in overloaded environments with heavy inside server traffic.
An article explaining how DSRI can be used to improve performance can be found here:
Improving Performace of HTTP with DSRI
Cheers!
Kim