Since we have to rethink our DPI allowlist with the latest 2511.1.1.3 update, I am looking for some recommendations or advice here.
Currently we have several Microsoft URLs in our manual DPI whitelist, but I think this is not the way to go as it creates DLP loopholes.
In your DPI-explanation video a few days ago you also mentioned that the DPI Bypass feature is the main solution for this case. I am aware that this is really company-specific because everyone uses different software and websites, but do you have a general recommendation on how to set up the DPI Bypass?
I don’t want to validate any website certification with EPP. Can I just turn off “Peer certificate validation” or do I have some other downsides with this option?
We are using Windows only and relatively common office programs like MS Office, Teams, Outlook, SharePoint… Do you have any recommendation on how to set up the DPI Bypass here?
If a website gets DPI bypassed → the inspection and block of a file-upload is still working then, right? Or is this site then completely whitelisted of any upload?
I understand the DPI Bypass feature is not intended for bypass or whitelisting, but rather as a feature to “reduce crashes or issues.”
It’s difficult to recommend the DPI Bypass feature, as it varies widely depending on the user, the network configuration used by Office, and third-party security software.
Lastly, I think that website certificate validation and DPI Bypass have little or no correlation.
Yeah, I know. OK, I thought so; it is hard to recommend something here.
I am aware that the certificate validation has nothing (or little) to do with DPI Bypass. Maybe you can still answer these 2 questions:
I don’t want to validate any website certification with EPP. Can I just turn off “Peer certificate validation” or do I have some other downsides with this option?
If a website gets DPI bypassed → the inspection and block of a file-upload is still working then, right? Or is this site then completely whitelisted of any upload?
Indeed this can be a tricky question but we need to make use of the existing features.
My first question, to narrow it down and explain all situations, is: why are the URLs in your DPI allowlist to begin with? Is it because:
a) DPI is breaking the connection? If so, how is it breaking it:
a.1) Is it throwing a cert validation error?
a.2) Anything else, like session timeouts, connection resets, etc.
b) Or are you doing it because you want to actually allow sensitive file transfers to those web pages?
If your answer is a.1: if you get a cert validation error when accessing the web page, then you can completely turn off the peer cert validation. Keep in mind that this will never validate any certs anymore.
If your answer is a.2: enable DPI Bypass with all of its sub-options, then validate whether the connection breaks again. If the connection no longer breaks, check your “content aware report” logs and look for the DPI bypass reason, i.e. why the connection was bypassed. If you want, you can then go and disable the rest of the bypass reasons and only leave the relevant ones on. Of course, if the connection still breaks while all DPI Bypass options are on, then your only option is to add the URL to an allowlist.
And of course, if your answer is b, then simply add the URL to the DPI allowlist and that's about it.