How can I disable DPI and enable SPI engine in a SonicWall firewall?

10/14/2021 112 People found this article helpful 56,634 Views

Description

How to disable DPI and Enabled SPI engine in SonicWall UTM
Performance and protection go hand-in-hand for Next-Generation Firewalls (NGFWs). If organizations do not wants to sacrifice throughput and productivity for security. They might take decision to disable the DPI. Outdated firewalls pose a serious security risk to organizations since they fail to inspect data payload of network packets. Many vendors tout Stateful Packet Inspection (SPI) speeds only, but the real measure of security and performance is deep packet inspection throughput and effectiveness.

Resolution

Resolution for SonicOS 6.5

This release includes significant user interface changes and many new features that are different from the SonicOS 6.2 and earlier firmware. The below resolution is for customers using SonicOS 6.5 firmware.

SPI: Stateful packet inspection (SPI), which verified that the state of inbound and outbound traffic based upon state tables, and operated at layers 2, 3 and 4 of the OSI model.

DPI: Third-generation firewalls of the past decade have more processing power and broader capabilities, including deep packet inspection (DPI) of the entire packet payload, intrusion prevention, malware detection, gateway anti-virus, traffic analytics, application control, IPSec and SSL VPN. Unified Threat Management (UTM) represented the next trend in the evolution of the traditional firewall into a product that not only guards against intrusion, but also performs content filtering, data leakage protection, intrusion detection and anti-malware duties typically handled by multiple systems.

In SonicWall by default DPI engine will enabled and if you want to disable DPI service and enable SPI, following changes has to be made in SonicWall.

Disable dpi service and enable spi service.

Navigate to Manage |Security Configuration |Firewall Settings | Advanced Settings.
Under Connection - change the settings from DPI Connection to Maximum SPI connection.
And will request to Restart the SonicWall for the changes to take place.

after the restart, SonicWall will be running on SPI engine.

Resolution for SonicOS 6.2 and Below

The below resolution is for customers using SonicOS 6.2 and earlier firmware. For firewalls that are generation 6 and newer we suggest to upgrade to the latest general release of SonicOS 6.5 firmware.

SPI: Stateful packet inspection (SPI), which verified that the state of inbound and outbound traffic based upon state tables, and operated at layers 2, 3 and 4 of the OSI model.

DPI: Third-generation firewalls of the past decade have more processing power and broader capabilities, including deep packet inspection (DPI) of the entire packet payload, intrusion prevention, malware detection, gateway anti-virus, traffic analytics, application control, IPSec and SSL VPN. Unified Threat Management (UTM) represented the next trend in the evolution of the traditional firewall into a product that not only guards against intrusion, but also performs content filtering, data leakage protection, intrusion detection and anti-malware duties typically handled by multiple systems.

In SonicWall by default DPI engine will enabled and if you want to disable DPI service and enable SPI, following changes has to be made in SonicWall.

Disable dpi service and enable spi service.

Navigate to Firewall settings | Advanced, under connection ,change the settings from DPI Connection to Maximum SPI connection.
SonicWall will prompt with the following message .
And will request to restart the SonicWall for the changes to take place.

once after the restart, SonicWall will be running on SPI engine.