Improving Performance of HTTP with DSRI
135334
Created On 09/25/18 19:10 PM - Last Modified 10/12/23 10:00 AM
Symptom
A session on the firewall comprises two flows: client-to-server and server-to-client. The DSRI (Disable Server Response Inspection) feature on the Palo Alto Networks firewall can be enabled to skip inspection of the server-to-client flow.
Environment
- Any NGFW
Cause
Typically DSRI is used in environments where internal servers are trusted and protected by the firewall. In these cases, content inspection can be configured for only client-to-server (internet users to internal servers) traffic using the DSRI option. By doing this, the Server-to-Client flow (internal servers to internet clients) is skipped after sufficient data has been inspected by the firewall to identify the applications running over HTTP. This option provides higher throughput when compared to full content inspection of the traffic and is useful in overloaded environments with heavy inside server traffic.
DSRI with App-Override policy (HTTP-NSRI) can be used to improve performance in environments with small-size packets.
Note: NSRI stands for No Server Response Inspection
Resolution
The differences between the methods are:
- App-Override policy alone
  Both the client-to-server and server-to-client flows are skipped from content (AppID + Threats) inspection by the firewall.
- DSRI alone
  The server-to-client flow is skipped from inspection after a certain amount of data has been inspected by the firewall in order to identify the application. This is typically used in environments with a high traffic load to internal trusted web servers, where content inspection is required for HTTP requests only.
- DSRI enabled along with App-Override policy (select application HTTP-NSRI)
  Content inspection is performed on the client-to-server flow, but the complete server-to-client flow is skipped from inspection, and the traffic is identified as HTTP-NSRI. This is typically used in environments with a high traffic load to internal trusted web servers with small packet sizes, where content inspection is required for HTTP requests only.
Steps
The following steps describe how to apply DSRI along with the App-Override policy.
- Configure an HTTP-NSRI Override policy. An example is shown below:
- Create a security policy to allow the HTTP-NSRI application.
- Check the "Disable Server Response Inspection" option for the security policy created in step 2.
Details of the HTTP-NSRI application can be found by performing a search on the Objects > Applications page of the web UI (example).
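Because DSRI removes threat inspection from the server-to-client flow, it is worth periodically checking which security rules have it enabled and whether those rules only point at trusted internal server zones. The following audit script is an added example, not part of this article or of Palo Alto Networks' own tooling: it reads a PAN-OS-style XML configuration, reports every rule with DSRI set, notes whether the rule uses the DSRI-plus-HTTP-NSRI mode described above, and flags rules whose destination zones are not in the trusted set. The element layout (rulebase/security/rules/entry with option/disable-server-response-inspection), the zone names and the sample rules are constructed assumptions for illustration.

```python
import xml.etree.ElementTree as ET

# Constructed sample of a PAN-OS-style running config (assumed element layout;
# only the parts relevant to DSRI and the HTTP-NSRI application are included).
SAMPLE_CONFIG = """<config>
 <devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
  <rulebase>
   <security><rules>
    <entry name="inbound-web-dsri">
     <from><member>untrust</member></from><to><member>dmz</member></to>
     <application><member>http-nsri</member></application><action>allow</action>
     <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
    </entry>
    <entry name="outbound-web">
     <from><member>trust</member></from><to><member>untrust</member></to>
     <application><member>web-browsing</member></application><action>allow</action>
     <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
    </entry>
    <entry name="inbound-web-full">
     <from><member>untrust</member></from><to><member>dmz</member></to>
     <application><member>web-browsing</member></application><action>allow</action>
    </entry>
   </rules></security>
  </rulebase>
 </entry></vsys></entry></devices>
</config>"""


def audit_dsri(config_xml, trusted_server_zones):
    """Report every security rule with DSRI enabled; mark it risky when any
    destination zone is outside trusted_server_zones (DSRI skips threat
    inspection of the server-to-client flow, so only trusted, firewall-
    protected servers should sit behind such a rule)."""
    root = ET.fromstring(config_xml)
    findings = []
    for rule in root.iterfind(".//rulebase/security/rules/entry"):
        dsri = rule.findtext("option/disable-server-response-inspection", "no")
        if dsri != "yes":
            continue  # full inspection in both directions; nothing to report
        to_zones = [m.text for m in rule.iterfind("to/member")]
        apps = [m.text for m in rule.iterfind("application/member")]
        findings.append({
            "rule": rule.get("name"),
            "to": to_zones,
            "apps": apps,
            "mode": "dsri+app-override" if "http-nsri" in apps else "dsri",
            "risky": not all(z in trusted_server_zones for z in to_zones),
        })
    return findings
```

Run `audit_dsri(SAMPLE_CONFIG, {"dmz"})` to list the two rules with DSRI enabled; the outbound rule is flagged because it disables response inspection for traffic returning from untrusted internet servers.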
owner: sdurga