DPI is hardware offloaded and does not drag your CPU down as much on a busy router. The number of categories you can block is limited though:
Business
Bypass-Proxies-and-Tunnels
File-Transfer
Games
Instant-messaging
Mail-and-Collaboration
P2P
Remote-Access-Terminals
Security-Update
Social-Network
Stock-Market
Streaming-Media
TopSites-Adult
TopSites-Arts
TopSites-Business
TopSites-Computers
TopSites-Games
TopSites-Health
TopSites-Home
TopSites-KidsnTeens
TopSites-News
TopSites-Recreation
TopSites-Reference
TopSites-Regional
TopSites-Science
TopSites-Shopping
TopSites-Society
TopSites-Sports
Voice-over-IP
Web
Web-IM
The most notable of the categories I like to use are Bypass-Proxies-and-Tunnels and P2P. By making a separate firewall rule set for these two you can keep casual users from hopping on your wifi and illegally downloading data you would be left holding the bag for. By turning on the DPI feature you can also see which protocols and categories are most used on your network by your top talkers.
With the configuration lines below it has successfully caught and stopped users from downloading torrents on a particular network I manage.
set system traffic-analysis dpi enable
set system traffic-analysis export enable
set firewall name DROP_SITES default-action accept
set firewall name DROP_SITES description "Drop Junk"
set firewall name DROP_SITES enable-default-log
set firewall name DROP_SITES rule 10 action drop
set firewall name DROP_SITES rule 10 application category P2P
set firewall name DROP_SITES rule 10 log enable
set firewall name DROP_SITES rule 10 description P2P
set firewall name DROP_SITES rule 15 action drop
set firewall name DROP_SITES rule 15 application category Bypass-Proxies-and-Tunnels
set firewall name DROP_SITES rule 15 log enable
set firewall name DROP_SITES rule 15 description Bypass-Proxies-and-Tunnels
set interfaces ethernet eth0 firewall in name DROP_SITES
After setting it all up you'll be able to see the rule stats counting up as traffic is passed. Logged drops are written to the default /var/log/messages log. Because they go into the general log, I strongly suggest you turn compression on for logrotate. Otherwise /var/log will fill up quickly, unless you send all of your logs to a remote server.
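Since the drops land in the general log, it helps to have something that pulls the DROP_SITES hits back out and tallies them per rule and per source host, so you can see who is tripping the P2P and tunnel rules without scrolling /var/log/messages. The script below is an added example and not part of the original post or of EdgeOS; it assumes the iptables LOG prefix EdgeOS writes has the shape [<ruleset>-<rule>-<action>] (A for accept, D for drop, R for reject), and the log lines it parses are constructed samples, not real captures.

```python
import re
from collections import Counter

# Constructed sample log lines (not real captures) in the shape an
# EdgeOS/iptables LOG rule is assumed to write into /var/log/messages.
# Addresses are RFC 1918 / RFC 5737 documentation ranges.
SAMPLE_LOG = """\
Jan  5 10:01:02 ubnt kernel: [DROP_SITES-10-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TOS=0x00 PREC=0x00 TTL=63 ID=1234 DF PROTO=TCP SPT=51234 DPT=6881 WINDOW=29200 RES=0x00 SYN URGP=0
Jan  5 10:01:03 ubnt kernel: [DROP_SITES-10-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.50 DST=203.0.113.11 LEN=60 PROTO=UDP SPT=51235 DPT=6881 LEN=40
Jan  5 10:01:09 ubnt kernel: [DROP_SITES-15-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.77 DST=198.51.100.5 LEN=52 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:01:10 ubnt kernel: [DROP_SITES-default-A]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.168.1.20 DST=198.51.100.9 LEN=52 PROTO=TCP SPT=40002 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Jan  5 10:01:11 ubnt sshd[2001]: Accepted publickey for ubnt from 192.168.1.20 port 50000 ssh2
"""

# Assumed prefix layout: [<ruleset>-<rule number or "default">-<A|D|R>]
LOG_PREFIX = re.compile(r"\[([A-Za-z0-9_]+)-(\d+|default)-([ADR])\](.*)$")
# iptables LOG fields are KEY=value tokens; bare flags such as DF or SYN have no '='
KV = re.compile(r"\b([A-Z]+)=(\S*)")

# Rule numbers from the DROP_SITES rule set above, mapped to their descriptions
RULE_NAMES = {"10": "P2P", "15": "Bypass-Proxies-and-Tunnels"}


def parse_line(line):
    """Return a dict for a firewall log line, or None for unrelated log lines."""
    m = LOG_PREFIX.search(line)
    if not m:
        return None
    ruleset, rule, action, rest = m.groups()
    rec = {"ruleset": ruleset, "rule": rule, "action": action}
    rec.update(KV.findall(rest))  # SRC, DST, PROTO, SPT, DPT, ...
    return rec


def parse_log(text):
    """Parse every line of a log file's text, skipping non-firewall lines."""
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def summarize_drops(text, ruleset="DROP_SITES"):
    """Count drops per rule description and per source host for one rule set,
    and count how much traffic the logged default-accept let through."""
    by_rule = Counter()
    by_src = Counter()
    accepted = 0
    for rec in parse_log(text):
        if rec["ruleset"] != ruleset:
            continue
        if rec["action"] == "D":
            by_rule[RULE_NAMES.get(rec["rule"], rec["rule"])] += 1
            by_src[rec.get("SRC", "?")] += 1
        elif rec["action"] == "A":
            accepted += 1
    return {"by_rule": dict(by_rule), "by_src": dict(by_src), "accepted": accepted}


if __name__ == "__main__":
    # Point this at a copy of /var/log/messages to run it on a real router log.
    summary = summarize_drops(SAMPLE_LOG)
    for name, count in summary["by_rule"].items():
        print(f"{name}: {count} drops")
    for src, count in summary["by_src"].most_common() if hasattr(summary["by_src"], "most_common") else sorted(summary["by_src"].items(), key=lambda kv: -kv[1]):
        print(f"  {src}: {count}")
    print(f"default-accept hits: {summary['accepted']}")
```

Run it against a rotated copy of the log rather than the live file on the router; the per-source counts are the quickest way to spot the one host that keeps hitting the P2P rule, and the default-accept count gives a feel for how much of the log volume comes from enable-default-log rather than from the drop rules themselves.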
Very nice blog... You nicely explain deep packet inspection. Deep packet inspection is an advanced method of examining and managing network traffic. Thanks for sharing