05-Objects

H3C Firewall Products Comware 7 Web Configuration Guide (E1196 E8371)-6W700
15-Advanced settings

Advanced settings

 

Introduction

Bypass

The bypass feature disables the DPI engine so packets will not be processed by DPI. You can enable bypass when the CPU usage is high to guarantee device performance. By default, the DPI engine is enabled.

Activate

After you edit the policy and rule settings for DPI service modules, you must click Activate to validate the settings. The validation operation can cause temporary service disruptions. As a best practice, perform the operation after all DPI service policy and rule settings are complete.

Inspection coverage

You can choose an inspection mode depending on your preference and inspection coverage requirement. Supported inspection modes are:

·     High performance mode—Applicable to the scenarios that require high device performance. This mode improves the device performance while ensuring a certain inspection coverage. The maximum length is 32 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 32 Kilobytes.

·     Balanced mode—Applicable to most scenarios. This mode makes a tradeoff between the device performance and inspection coverage. The maximum length is 64 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 2048 Kilobytes.

·     Large coverage mode—Applicable to the scenarios that require large inspection coverage. This mode improves the inspection coverage at the cost of device performance. The maximum length is 128 Kilobytes for FTP, HTTP, SMB, NFS, and email streams, and the maximum file length for MD5 inspection is 5120 Kilobytes.

·     User-defined mode—Applicable to the scenarios that have specific requirements for inspection coverage and device performance. In this mode, you can set the following parameters for inspection of files transferred through individual protocols:

¡     The maximum data length that can be inspected in a packet.

¡     The maximum length for file inspection.

¡     The maximum file length for MD5 inspection.

Make sure the custom inspection settings for a protocol meet this requirement: Max file size ≤ max stream length ≤ max length for MD5 input.

DPI support for hot backup

Enable this feature on hot backup member devices operating in dual-active mode so that asymmetric-path traffic of DPI services is processed correctly. This feature consumes system resources. As a best practice, enable this feature only when asymmetric-path traffic of DPI services exists.

Client IP identification

When a client uses a proxy to access servers, the value in the source IP address field will change. This feature enables the device to obtain the IP address of the originating client by inspecting specific fields of the request packets that have traveled through proxies.

Decompression settings

Use this feature to set the maximum data size and the maximum number of file layers that can be decompressed in a file, which improves the scanning efficiency of the DPI engine.

·     Max data size for decompression—Set the maximum data size that can be decompressed in a file. Once the upper limit is reached, the remaining compressed file data is not decompressed.

·     Max file layers for decompression—Set the maximum number of file layers that can be decompressed in a file. Once the upper limit is reached, the remaining file layers are not decompressed. The DPI engine matches the remaining compressed file against signatures.
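The effect of the two decompression limits above can be modelled offline. The following is an added example, not H3C code and not the DPI engine's implementation: it walks a constructed nested ZIP under a byte budget and a layer limit and reports which members reach the scanner decompressed and which stay compressed. The function names, the use of ZIP, and the single byte budget shared by all layers are assumptions.

```python
import io
import zipfile

def make_zip(members):
    """Build an in-memory ZIP from {name: bytes} (helper for the sample only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, content in members.items():
            zf.writestr(name, content)
    return buf.getvalue()

# Constructed sample: three archive layers, 100 bytes of payload per layer.
SAMPLE = make_zip({"top.txt": b"A" * 100,
                   "l2.zip": make_zip({"mid.txt": b"B" * 100,
                                       "l3.zip": make_zip({"deep.txt": b"C" * 100})})})

def scan(data, max_bytes, max_layers):
    """Return (inspected, left): inspected maps path -> bytes handed to the
    signature matcher; left lists (path, reason) for data not decompressed."""
    inspected, left = {}, []
    budget = max_bytes  # assumption: one budget shared by every layer of the file

    def walk(blob, prefix, layer):
        nonlocal budget
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            for info in zf.infolist():
                path = prefix + info.filename
                if budget <= 0:
                    left.append((path, "size limit"))
                    continue
                with zf.open(info) as fh:
                    chunk = fh.read(budget)  # never inflate past the budget
                budget -= len(chunk)
                whole = len(chunk) == info.file_size
                if not whole:
                    left.append((path, "size limit"))
                nested = whole and zipfile.is_zipfile(io.BytesIO(chunk))
                if nested and layer < max_layers:
                    walk(chunk, path + "/", layer + 1)
                    continue
                if nested:
                    left.append((path, "layer limit"))
                # Leaf file, truncated data, or an archive matched in compressed form.
                inspected[path] = chunk

    walk(data, "", 1)
    return inspected, left
```

Running `scan` over representative archives with candidate limits shows how much of each file the signatures would see decompressed before the values are changed on the device.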

Packet details

With this feature enabled, the device displays more HTTP packet details in WAF logs, including the response code in the response and the request header and body in the request.

Restrictions and guidelines

·     When bypass is enabled, the system does not process received packets by DPI. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

·     Activating configuration causes transient DPI service interruption. DPI-based services might also be interrupted. For example, security policies cannot control access to applications.

 

 
