Mark Lytle

asked on

Disable DPI selection missing in firewall access rules

SonicWall NSA 250 router. Just updated firmware to SonicOS Enhanced 5.9.1.10-1o. Have DPI enabled on router, not concerned with DPI-SSL. Am setting up a new Firewall access rule and need to avoid DPI for that rule. When setting up these rules, under the 'Advanced' tab in the setup for the rule, there should be a checkbox 'Disable DPI' so that rule is excluded from DPI if desired.... in my situation this new rule is related to Skype and maybe Office365 and detection of EKE, encrypted key exchange... due to Skype... a supposed way to stop the detection (and many many log entries), is to create address objects for certain Skype FQDNs and IPs and then add to an address group, then create the firewall access rule per instructions and in Advanced select 'Disable DPI'....
'Disable DPI' checkbox is absent.... for other access rules I have created in the past - it's missing in all of them too. This is the first access rule I have needed to disable DPI in... DPI IS enabled (versus SPI)...  I cannot find an answer Googling - not even close. URL for this rule creation:

https://www.sonicwall.com/en-us/support/knowledge-base/170505477596414

Appreciate any help on this....  there's always 'something'... Thanks!
Blue Street Tech

Hi Mark,

> SonicWall NSA 250 router. Just updated firmware to SonicOS Enhanced 5.9.1.10-1o.

I'd strongly recommend replacing this unit and upgrading to a TZ500/600 since your device is pretty much EOL (End of Life) by 8/31/2018 and a TZ500 or TZ600 is so much more robust in throughput and security breadth. Technically that is the date for LRM (Limited Retirement Mode) but I consider LRM to be EOL since they will stop all development and support with the exception of critical bugs; you would not receive critical security improvements such as DPI-SSL (I don't believe 5.9 provides that, 6.2.7 was the release version), support for TLS 1.3 or updates that overcome now-weak built-in ciphers in the SonicOS such as insecure ciphers RC4 and SHA1 (none of which would pass any competent security audit). Regardless, I'd upgrade to the very latest SonicOS they will allow for that device...if they have 6.2, install it if you can! (Back up settings first, obviously.)

> Have DPI enabled on router, not concerned with DPI-SSL. Am setting up a new Firewall access rule and need to avoid DPI for that rule.

You should be running DPI (without question) and DPI-SSL and you should be concerned with DPI-SSL since over 72% of the Internet traffic is encrypted. Almost all attacks as of late are utilizing encryption for delivery and payload. If the packets can't be inspected via encryption there is nothing to stop the attacks.

> Am setting up a new Firewall access rule and need to avoid DPI for that rule.

You should not ever need to do this...it jeopardizes the integrity of your security. This option only exists for very rare cases where you actually are forced to sacrifice security for productivity (bandwidth), in which case again you should be upgrading without question. SPI was a technology developed in 1996...it needs to stay there! Think about the complexities in 1996 vs today's threat complexities!

> When setting up these rules, under the 'Advanced' tab in the setup for the rule, there should be a checkbox 'Disable DPI' so that rule is excluded from DPI if desired.... in my situation this new rule is related to Skype and maybe Office365 and detection of EKE, encrypted key exchange... due to Skype... a supposed way to stop the detection (and many many log entries), is to create address objects for certain Skype FQDNs and IPs and then add to an address group, then create the firewall access rule per instructions and in Advanced select 'Disable DPI'....
> 'Disable DPI' checkbox is absent.... for other access rules I have created in the past - it's missing in all of them too. This is the first access rule I have needed to disable DPI in... DPI IS enabled (versus SPI)...  I cannot find an answer Googling - not even close. URL for this rule creation:

The KB article is a little odd in that, first off, DPI is enabled by default, so I don't understand why people have issues after enabling DPI unless they are not following Security Best Practices! This is a viable option but it is a lot of unnecessary work IMO and it requires SonicOS 6.2+.

I would recommend either of two options:
a) Exclude your networks which run Skype from the specific App Control object Proxy-Access > Encrypted Key Exchange > TCP Random Encryption(Skype,UltraSurf,Emule), ID: 5, or
b) Disable blocking and logging for TCP Random Encryption(Skype,UltraSurf,Emule), ID: 5.

Either will resolve your problem without sacrificing your network's security. Most of our clients and our own firm run Skype for Business and have implemented option "a" without any issues.

Let me know if you have any questions!
Mark Lytle (ASKER)

Thank you BST. Just a quick response to your input above - I'll certainly use your advice when I get a moment later.
Yes. I have a number of customers using the NSA 250 and am now buying the TZ600 to replace them as I can. These are businesses with up to 50 users but mostly under 10. Just a note, for a couple of customers we bought the NSA in the last few years and I am going to try and hold onto it for another year or so... I understand all you are saying about being obsolete, and I will look at moving current SonicWall licensing from them to the better current routers as I go.
Just wanted any reader not to confuse my DPI issue with DPI-SSL.
I may be wrong but I had found app control turned off...(hmmm)  I turned it on and this all started... so yeah, DPI was and is on... we don't need to dissect this app control involvement until I dig into it more if needed. I get logs from customers' routers daily and I have (2) customers' routers now just sending logs every 30 minutes... looking to stop this.
But at the same time - if it's something like Skype, legit, that uses the same means of data transfer as some malicious sources... I want to be able to preserve Skype traffic yet keep protection up for the others that fall into the same category...
I will look at your suggestions and act on this a little later and get back to you. Will review best practices as well.
Thanks again!

You are welcome. Let me know if you have any other questions!

So, I took your suggestion: a) Exclude the Skype networks from the specific App Control object Proxy-Access > Encrypted Key Exchange > TCP Random Encryption(Skype,UltraSurf,Emule), ID: 5. This customer too uses Skype for the office users. We have them on the X2 interface - their LAN. I excluded the X2 Subnet for the network and for users I excluded the Trusted Users (we have L2TP VPN on the router with special usernames in trusted users). I do need to review best practices - I did a while ago but changes have been made since to the router and I want to make sure I am covering things correctly.
You mentioned trying to load OS 6.2 on this gen 5 appliance. There are no downloads for OS6 offered - just the OS5.... are you suggesting that I could perhaps load OS 6.2, (now at 6.5 I believe), on the gen 5 device?
Yes BST - the suggestion did the trick. Thank you!  I will close the case after I get a reply to the OS question above.
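An added triage example (not from the thread, and not SonicWall's own tooling): before excluding a subnet from the EKE signature as in option (a), read the App Control alert lines and see which sources the exclusion would silence and which would keep alerting, so hosts outside the Skype LAN that trip the same signature stay visible. The key=value syslog style, the field names (sid, src) and the sample lines are constructed approximations, not a real SonicWall log format.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in a SonicWall-like key=value syslog style.
# Field names (sid, src, dst) and all addresses are assumptions for this example.
SAMPLE_LOGS = [
    'id=firewall time="2018-06-01 09:00:01" pri=1 msg="Application Control Alert: '
    'TCP Random Encryption(Skype,UltraSurf,Emule)" sid=5 src=10.20.0.15:51023:X2 dst=198.51.100.7:443:X1',
    'id=firewall time="2018-06-01 09:00:09" pri=1 msg="Application Control Alert: '
    'TCP Random Encryption(Skype,UltraSurf,Emule)" sid=5 src=10.20.0.22:49810:X2 dst=198.51.100.9:443:X1',
    'id=firewall time="2018-06-01 09:00:31" pri=1 msg="Application Control Alert: '
    'TCP Random Encryption(Skype,UltraSurf,Emule)" sid=5 src=10.20.0.15:51030:X2 dst=198.51.100.7:443:X1',
    'id=firewall time="2018-06-01 09:01:02" pri=1 msg="Application Control Alert: '
    'TCP Random Encryption(Skype,UltraSurf,Emule)" sid=5 src=192.168.5.40:60122:X0 dst=203.0.113.77:8443:X1',
    'id=firewall time="2018-06-01 09:01:15" pri=1 msg="Application Control Alert: '
    'Some other signature" sid=9 src=10.20.0.15:51044:X2 dst=198.51.100.7:443:X1',
]

# key=value pairs; a quoted value may contain spaces, an unquoted one may not.
KV_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')

def parse_line(line):
    """Split one log line into a dict of fields."""
    return {m.group(1): m.group(3) if m.group(3) is not None else m.group(4)
            for m in KV_RE.finditer(line)}

def source_ip(fields):
    """src is ip:port:interface in this constructed format; keep the address."""
    return fields.get("src", "").split(":")[0]

def triage(lines, signature_id, excluded_nets):
    """Count alerts for one App Control signature per source address, split
    into sources the proposed exclusion would silence and those that would
    still alert. Other signatures are ignored: the exclusion does not touch them."""
    nets = [ipaddress.ip_network(n) for n in excluded_nets]
    silenced, still_alerting = Counter(), Counter()
    for line in lines:
        f = parse_line(line)
        if f.get("sid") != str(signature_id):
            continue
        try:
            addr = ipaddress.ip_address(source_ip(f))
        except ValueError:
            continue  # malformed or missing src field, skip rather than guess
        bucket = silenced if any(addr in n for n in nets) else still_alerting
        bucket[str(addr)] += 1
    return silenced, still_alerting

if __name__ == "__main__":
    # X2 subnet value is a placeholder standing in for the site's real Skype LAN.
    silenced, still = triage(SAMPLE_LOGS, 5, ["10.20.0.0/24"])
    print("silenced by exclusion:", dict(silenced))
    print("still alerting:", dict(still))
```

A non-empty "still alerting" set is the reason to prefer a narrow exclusion over disabling the signature outright (option b): those sources keep generating the alert after the Skype LAN is excluded.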