Palo Alto Networks Knowledgebase: How to Improve Performance for Protocols like SMB and FTP Without Application Override


Created On 08/05/19 19:23 PM - Last Updated 08/05/19 19:48 PM
Policy
Resolution

Overview

SMB and FTP file transfers generate a large amount of bi-directional traffic. SMB generates a reply packet for almost every data packet, and is therefore very chatty. By default, a Palo Alto Networks firewall examines traffic in both directions: client-to-server (C2S) and server-to-client (S2C). For these reasons, SMB and FTP file transfers through the firewall can be slow.

One way to improve performance for this traffic is an application override, which excludes the traffic from layer 7 inspection and application identification.

If layer 7 inspection is still needed but performance must improve, check the 'Disable Server Response Inspection (DSRI)' option on the security policy rule that the traffic matches. Enable it only if the server is trusted, because responses from the server are then not inspected. When the DSRI box is checked, the firewall inspects only the C2S traffic and the file transfer rate increases.

Details

To enable DSRI, go to Policies > Security > Actions in the WebUI and check the Disable Server Response Inspection option.

Once the policy is created, an icon will show that the DSRI option is checked for that security rule.
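
Because DSRI should only be enabled for trusted servers, it helps to review which rules carry the option. The following is an added example, not part of the original article or Palo Alto Networks code: a Python audit that lists the security rules in an exported configuration with DSRI enabled and marks those whose destination is "any" for review. The sample configuration, rule names and the "any needs review" heuristic are assumptions of this example; `option/disable-server-response-inspection` is the element that holds the setting in the rule's XML.

```python
import xml.etree.ElementTree as ET

# Constructed sample: fragment of an exported PAN-OS configuration (not from the article).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="smb-to-fileserver">
    <destination><member>fs01-internal</member></destination>
    <application><member>ms-ds-smb</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="ftp-outbound">
    <destination><member>any</member></destination>
    <application><member>ftp</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="web-browsing">
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
</entry></vsys></entry></devices></config>"""


def members(rule, tag):
    """Return the <member> values under a rule's <tag> element."""
    return [m.text for m in rule.findall(f"{tag}/member")]


def audit_dsri(config_xml):
    """List security rules with DSRI enabled; flag those not limited to named servers."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind(".//security/rules/entry"):
        if rule.findtext("option/disable-server-response-inspection") != "yes":
            continue  # S2C traffic is still inspected for this rule
        dests = members(rule, "destination")
        findings.append({
            "rule": rule.get("name"),
            "destinations": dests,
            "applications": members(rule, "application"),
            # Assumption of this example: "any" cannot satisfy the trusted-server condition.
            "needs_review": "any" in dests or not dests,
        })
    return findings


if __name__ == "__main__":
    for f in audit_dsri(SAMPLE_CONFIG):
        status = "REVIEW" if f["needs_review"] else "ok"
        print(f'{status:6} {f["rule"]}: dst={f["destinations"]} app={f["applications"]}')
```
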


owner: kadak


