Palo Alto Networks Knowledgebase: Improving Performance of HTTP with DSRI

Created On 02/07/19 23:57 PM - Last Updated 02/07/19 23:57 PM
Resolution

Overview

A session on the firewall comprises two flows: Client to Server and Server to Client. The DSRI (Disable Server Response Inspection) feature on the Palo Alto Networks firewall can be enabled to skip inspection of the Server to Client flow.

Details

Typically DSRI is used in environments where internal servers are trusted and protected by the firewall. In these cases, content inspection can be configured for only client to server (internet users to internal servers) traffic using the DSRI option. By doing this, the Server to Client flow (internal servers to internet clients) is skipped after sufficient data has been inspected by the firewall to identify the applications running over HTTP. This option provides higher throughput when compared to full content inspection of the traffic and is useful in overloaded environments with heavy inside server traffic.

DSRI with an App-Override policy (HTTP-NSRI) can be used to improve performance in environments with small packets.

Note: NSRI stands for No Server Response Inspection.

The differences between the methods are:

  • App-Override policy alone
    Both the Client to Server and Server to Client flows are skipped from content (App-ID + Threats) inspection by the firewall.
  • DSRI alone
    The Server to Client flow is skipped from inspection after a certain amount of data has been inspected by the firewall in order to identify the application. This is typically used in environments with a high traffic load to internal trusted web servers, where content inspection is required for HTTP requests only.
  • DSRI enabled along with App-Override policy (select application HTTP-NSRI)
    Content inspection is done on the Client to Server flow, but the complete Server to Client flow is skipped from inspection, and the traffic is therefore identified as HTTP-NSRI. This is typically used in environments with a high traffic load to internal trusted web servers with small packet sizes, where content inspection is required for HTTP requests only.

Steps

The following steps describe how to apply DSRI along with App-Override policy.

  1. Configure an HTTP-NSRI Override policy. An example is shown below:
    (Screenshot: http-nsri_1.JPG.jpg)
  2. Create a security policy to allow the HTTP-NSRI application.
    (Screenshot: http-nsri.JPG.jpg)
  3. Check the "Disable Server Response Inspection" option for the security policy created in step 2.
    (Screenshot: http-nsri_2.JPG.jpg)
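
Because DSRI is meant for traffic toward trusted internal servers, it is worth auditing which security rules have it enabled. The following is an added example, not part of the original article or Palo Alto Networks code: it lists every security rule with DSRI enabled in an exported XML rulebase, flags destination zones outside a trusted-server list, and notes whether a matching App-Override rule exists. The rule names, zone names, the `http-nsri` identifier as written and the trimmed XML layout are assumptions in a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample: a trimmed fragment shaped like a PAN-OS XML rulebase
# export. Rule names, zones and element layout are assumptions for illustration.
SAMPLE = """<rulebase>
  <application-override><rules>
    <entry name="web-nsri-override">
      <from><member>untrust</member></from><to><member>dmz</member></to>
      <application>http-nsri</application>
    </entry>
  </rules></application-override>
  <security><rules>
    <entry name="inbound-web">
      <from><member>untrust</member></from><to><member>dmz</member></to>
      <application><member>http-nsri</member></application>
      <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
    </entry>
    <entry name="outbound-browsing">
      <from><member>trust</member></from><to><member>untrust</member></to>
      <application><member>web-browsing</member></application>
      <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
    </entry>
    <entry name="inbound-mail"><to><member>dmz</member></to><application><member>smtp</member></application></entry>
  </rules></security>
</rulebase>"""

def members(entry, tag):
    """Return the <member> values under a multi-valued field such as <to>."""
    return [m.text for m in entry.findall(f"{tag}/member")]

def audit_dsri(xml_text, trusted_server_zones):
    """List security rules with DSRI enabled and flag untrusted destinations."""
    root = ET.fromstring(xml_text)
    # Applications named by any App-Override rule (single-valued element here).
    overrides = {e.findtext("application")
                 for e in root.findall(".//application-override/rules/entry")}
    findings = []
    for rule in root.findall(".//security/rules/entry"):
        if rule.findtext("option/disable-server-response-inspection") != "yes":
            continue  # server responses are still inspected for this rule
        to_zones = members(rule, "to")
        findings.append({
            "rule": rule.get("name"),
            # Zones where the servers are not ones the firewall owner trusts.
            "untrusted_servers": [z for z in to_zones if z not in trusted_server_zones],
            "app_override": any(a in overrides for a in members(rule, "application")),
        })
    return findings
```

A rule with a non-empty `untrusted_servers` list has DSRI applied to responses from servers outside the trusted set, which is the opposite of the deployment the article describes.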

Details of the HTTP-NSRI application can be found by performing a search on the Objects > Applications page of the web UI (example screenshot: http-nsri_3.JPG.jpg).

owner: sdurga
