Cisco Firepower Management Center 4000
FireSIGHT System User Guide, Chapter 7: Setting Up an IPS Device (page 7-8)
Configuring Inline Sets
Note that you cannot enable this option and strict TCP enforcement on the same inline set.
Propagate Link State
Supported Devices: Series 2, Series 3
Link state propagation is a feature for inline sets configured in bypass mode so both pairs of an inline set track state.
Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the link state of the other interface changes automatically to match it. Link state propagation is available for both copper and fiber configurable bypass interfaces.
Note
When link state propagation triggers, fiber inline sets configured as fail-open on Series 2 devices (except those on 3D9900s) activate hardware bypass mode. In this case, the interface cards involved do not come out of bypass automatically; you must bring them out of bypass mode manually. For more information about fiber interfaces in inline sets and hardware bypass, see
Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.
You cannot disable link state propagation for inline sets configured on clustered devices.
Note that virtual devices and Sourcefire Software for X-Series do not support link state propagation.
Transparent Inline Mode
The Transparent Inline Mode option allows the device to act as a “bump in the wire”, meaning that the device forwards all the network traffic it sees, regardless of its source and destination. Note that you cannot disable this option on Series 3 or 3D9900 devices.
Strict TCP Enforcement
Supported Devices: Series 3
To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed. Strict enforcement also blocks:
• non-SYN TCP packets for connections where the three-way handshake was not completed
• non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK
• non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the session is established
• SYN packets on an established TCP connection from either the initiator or the responder
Note that Series 2, virtual devices, and Sourcefire Software for X-Series do not support this option. In addition, you cannot enable this option and tap mode on the same inline set.
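To make the four strict-enforcement rules above concrete, here is an added example (not Cisco's code and not how the device implements the feature) that models them as a per-connection state machine and runs a few constructed packet sequences through it. The endpoints, flows, and the `StrictTcpEnforcer`, `run_scenario` and `pkt` names are assumptions of this example; it deliberately ignores sequence numbers, timeouts, and proper two-sided FIN teardown.

```python
"""Added example: the strict-TCP-enforcement rules modelled as a state machine."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Tuple

Endpoint = Tuple[str, int]                     # (ip, port)
SYN, ACK, RST, FIN, PSH = "SYN", "ACK", "RST", "FIN", "PSH"


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    flags: FrozenSet[str]


@dataclass
class Conn:
    initiator: Endpoint                        # side that sent the first SYN
    state: str                                 # SYN_SENT -> SYN_RECEIVED -> ESTABLISHED


class StrictTcpEnforcer:
    """Tracks each TCP connection and applies the four strict-enforcement rules.
    Assumptions: no sequence-number checks, no timeouts, FIN tears state down at once."""

    def __init__(self) -> None:
        self.conns: Dict[FrozenSet[Endpoint], Conn] = {}

    @staticmethod
    def _key(pkt: Packet) -> FrozenSet[Endpoint]:
        # Direction-independent key so both halves of a flow share one entry.
        return frozenset((pkt.src, pkt.dst))

    def inspect(self, pkt: Packet) -> Tuple[str, str]:
        """Return ("allow" | "block", reason) for one packet and update tracking state."""
        key = self._key(pkt)
        conn = self.conns.get(key)
        f = pkt.flags
        syn_only = f == {SYN}
        syn_ack = SYN in f and ACK in f

        if conn is None:
            if syn_only:
                self.conns[key] = Conn(initiator=pkt.src, state="SYN_SENT")
                return "allow", "new handshake started"
            # Rule 1: non-SYN packet for a connection whose handshake never completed
            return "block", "non-SYN packet with no completed handshake"

        if RST in f:
            # RST is permitted from either side in every state and drops the entry.
            self.conns.pop(key)
            return "allow", "RST tears down the connection"

        from_initiator = pkt.src == conn.initiator

        if conn.state == "ESTABLISHED":
            if SYN in f:
                # Rule 4: SYN on an established connection from either side
                return "block", "SYN on an established connection"
            if FIN in f:
                self.conns.pop(key)
            return "allow", "established connection"

        if conn.state == "SYN_SENT":
            if from_initiator:
                if syn_only:
                    return "allow", "SYN retransmit"
                # Rule 2: non-SYN/RST from the initiator before the responder's SYN-ACK
                return "block", "non-SYN/RST from initiator before SYN-ACK"
            if syn_ack:
                conn.state = "SYN_RECEIVED"
                return "allow", "SYN-ACK from responder"
            # Rule 3: non-SYN-ACK/RST from the responder before the session is established
            return "block", "non-SYN-ACK/RST from responder before session established"

        # state == SYN_RECEIVED: waiting for the initiator's final ACK
        if from_initiator:
            if ACK in f and SYN not in f:
                conn.state = "ESTABLISHED"
                return "allow", "handshake completed"
            if syn_only:
                return "allow", "SYN retransmit"
            return "block", "non-SYN/ACK from initiator before handshake completed"
        if syn_ack:
            return "allow", "SYN-ACK retransmit"
        return "block", "non-SYN-ACK/RST from responder before session established"


def run_scenario(packets: List[Packet]) -> List[str]:
    """Feed a packet sequence through a fresh enforcer and return the verdicts."""
    enforcer = StrictTcpEnforcer()
    return [enforcer.inspect(p)[0] for p in packets]


# Constructed sample endpoints and flows (not captured traffic).
CLIENT: Endpoint = ("192.0.2.10", 40000)
SERVER: Endpoint = ("192.0.2.20", 443)


def pkt(src: Endpoint, dst: Endpoint, *flags: str) -> Packet:
    return Packet(src, dst, frozenset(flags))


HANDSHAKE = [pkt(CLIENT, SERVER, SYN), pkt(SERVER, CLIENT, SYN, ACK), pkt(CLIENT, SERVER, ACK)]
SCENARIOS = {
    "normal": HANDSHAKE + [pkt(CLIENT, SERVER, PSH, ACK)],
    "data_before_syn_ack": [pkt(CLIENT, SERVER, SYN), pkt(CLIENT, SERVER, PSH, ACK)],
    "bad_responder": [pkt(CLIENT, SERVER, SYN), pkt(SERVER, CLIENT, ACK)],
    "stray_ack": [pkt(CLIENT, SERVER, ACK)],
    "syn_on_established": HANDSHAKE + [pkt(SERVER, CLIENT, SYN)],
}

if __name__ == "__main__":
    for name, flow in SCENARIOS.items():
        print(f"{name}: {run_scenario(flow)}")
```

Each scenario maps to one of the bullets: `data_before_syn_ack` is blocked by the initiator rule, `bad_responder` by the responder rule, `stray_ack` by the incomplete-handshake rule, and `syn_on_established` by the established-connection rule, while the `normal` flow passes untouched. The same model also shows why strict enforcement and tap mode conflict: the enforcer only makes sense where the device sits inline and can actually drop the offending packet.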
To configure advanced inline set options:
Access: Admin/Network Admin
Step 1 Select Devices > Device Management.
The Device Management page appears.