How to Improve Performance for Protocols like SMB and FTP Without Application Override

Created On 09/26/18 13:48 PM - Last Modified 07/22/25 05:09 AM


Objective


  • SMB and FTP file transfers generate a large amount of server to client (S2C) traffic that is subject to content inspection.
  • This traffic is dataplane resource intensive and can lead to reduced throughput and increased latency.
  • If excluding the traffic from layer 7 inspection via the use of application override is not viable in your environment, 'Disable Server Response Inspection' (DSRI) can be used instead.
  • DSRI excludes only the S2C traffic from inspection, meaning client to server (C2S) traffic is still subject to inspection.
  • DSRI is applied on a per security policy rule basis for granular control.


Environment


  • NGFW
  • Any PAN-OS


Procedure


  1. Identify the specific security policy rule that is allowing your SMB or FTP traffic.
     [Image: security policy rule allowing FTP and SMB traffic]
  2. Enable DSRI from the Actions tab.
     [Image: enabling DSRI in the Actions tab of the security policy rule]
  3. Verify that DSRI has been applied to the correct rule by checking the widgets under the Options column.
     [Image: security policy rule with the DSRI widget]
  4. Commit the changes.


Additional Information


  • Follow the principle of least privilege by ensuring the security policy applies only to servers that you trust.
  • DSRI does not affect client-initiated uploads. If your workflow depends on large client uploads, consider using application override instead.
  • Tips & Tricks: How to Create an Application Override
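
An added example, not part of the original article or any Palo Alto Networks tooling: a Python audit of an exported configuration that lists the security rules with DSRI enabled and flags any whose destination is not limited to named servers, following the least-privilege point above. The XML fragment and rule names are constructed, and the element layout (`option/disable-server-response-inspection` under each security rule entry) is assumed to match your export.

```python
import xml.etree.ElementTree as ET

# Constructed sample shaped like the security rulebase of an exported
# PAN-OS configuration. Rule and object names are made up.
SAMPLE_CONFIG = """
<rulebase><security><rules>
  <entry name="fileserver-smb">
    <destination><member>trusted-file-servers</member></destination>
    <application><member>ms-ds-smb</member><member>ftp</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="outbound-ftp">
    <destination><member>any</member></destination>
    <application><member>ftp</member></application>
    <action>allow</action>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="web-browsing">
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
    <action>allow</action>
  </entry>
</rules></security></rulebase>
"""

def members(entry, tag):
    """Return the text of every <member> under the given child element."""
    return [m.text.strip() for m in entry.findall(f"{tag}/member") if m.text]

def audit_dsri(config_xml):
    """Return (rule name, finding) for every security rule with DSRI enabled."""
    root = ET.fromstring(config_xml)
    findings = []
    for entry in root.iterfind(".//security/rules/entry"):
        flag = entry.findtext("option/disable-server-response-inspection", "no")
        if flag.strip() != "yes":
            continue  # S2C traffic on this rule is still inspected
        dests = members(entry, "destination")
        if not dests or "any" in dests:
            findings.append((entry.get("name"), "REVIEW: destination is 'any'"))
        else:
            findings.append((entry.get("name"), "ok: limited to " + ", ".join(dests)))
    return findings

if __name__ == "__main__":
    for name, finding in audit_dsri(SAMPLE_CONFIG):
        print(f"{name}: {finding}")
```
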

