How to Improve Performance for Protocols like SMB and FTP Without Application Override

Created On 09/26/18 13:48 PM - Last Modified 03/19/24 09:43 AM


Symptom


SMB and FTP file transfers generate a large amount of bi-directional traffic. SMB generates a reply packet for almost every data packet generated and is therefore very chatty. A Palo Alto Networks firewall will, by default, examine traffic in both directions from client-to-server (C2S) and from server-to-client (S2C). For these reasons, SMB and FTP file transfers through the firewall can be slow.

 

One of the ways of enhancing the performance for that traffic is by using application override to exclude layer 7 inspection and application identification.

 

If layer 7 inspection is still needed but performance must be improved, check the 'Disable Server Response Inspection (DSRI)' option on the security policy that the traffic in question is hitting. This should only be enabled if the server is trusted. When the box for DSRI is checked, the firewall will only inspect the traffic from C2S and the file transfer rate will increase.



Resolution


To enable DSRI, go to Policies > Security > Actions on the WebUI:

[Screenshot: Server response inspection option]

Once the policy is created, an icon will show that the DSRI option is checked for that security rule.

[Screenshot: security rule with the DSRI icon]
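Because DSRI should only be enabled toward trusted servers, it helps to review which rules have it set. The following is an added example, not part of the original article or any Palo Alto Networks code: it audits an exported configuration, assuming the option is stored as `option/disable-server-response-inspection` under each security rule entry. The sample config, rule names, zone names and the trusted-zone set are constructed.

```python
import xml.etree.ElementTree as ET

# Constructed sample config fragment (rule, zone and address names are made up).
SAMPLE_CONFIG = """<config><devices><entry name="localhost.localdomain"><vsys><entry name="vsys1">
<rulebase><security><rules>
  <entry name="smb-to-fileserver">
    <to><member>datacenter</member></to>
    <destination><member>fileserver-01</member></destination>
    <application><member>ms-ds-smb</member></application>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="ftp-outbound">
    <to><member>untrust</member></to>
    <destination><member>any</member></destination>
    <application><member>ftp</member></application>
    <option><disable-server-response-inspection>yes</disable-server-response-inspection></option>
  </entry>
  <entry name="web-browsing">
    <to><member>untrust</member></to>
    <destination><member>any</member></destination>
    <application><member>web-browsing</member></application>
  </entry>
</rules></security></rulebase></entry></vsys></entry></devices></config>"""


def members(rule, tag):
    """Values of <tag><member>...</member></tag> under a rule entry."""
    return [m.text for m in rule.findall(f"{tag}/member")]


def audit_dsri(config_xml, trusted_zones):
    """Map each DSRI-enabled rule name to the reasons it needs review (empty list = none)."""
    findings = {}
    for rule in ET.fromstring(config_xml).findall(".//security/rules/entry"):
        if rule.findtext("option/disable-server-response-inspection") != "yes":
            continue  # S2C traffic is still inspected on this rule
        reasons = []
        untrusted = sorted(set(members(rule, "to")) - set(trusted_zones))
        if untrusted:
            reasons.append("destination zone not trusted: " + ", ".join(untrusted))
        if "any" in members(rule, "destination"):
            reasons.append("destination is 'any', not a specific server")
        findings[rule.get("name")] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in audit_dsri(SAMPLE_CONFIG, {"datacenter"}).items():
        print(name, "->", reasons or "OK")
```

Rules reported with an empty reason list have DSRI enabled only toward a specific destination in a zone listed as trusted; any other DSRI rule is a candidate for re-enabling server response inspection.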

 

owner: kadak


