Cisco Firepower Management Center 4000

FireSIGHT System User Guide

Chapter 7 Setting Up an IPS Device
Configuring Inline Sets

Step 2
Next to the device where you want to edit the inline set, click the edit icon.
The Interfaces tab appears.
Step 3
Click Inline Sets.
The Inline Sets tab appears.
Step 4
Next to the inline set you want to edit, click the edit icon.
The Edit Inline Set pop-up window appears.
Step 5
Click Advanced.
The Advanced tab appears.
Step 6
Optionally, select Tap Mode to enable tap mode on the inline interfaces of Series 3 and 3D9900 devices.
Note that virtual devices, Sourcefire Software for X-Series, and Series 2 devices other than 3D9900 do not support this option. In addition, you cannot enable Tap Mode and Strict TCP Enforcement on the same inline set.
Step 7
Optionally, select Propagate Link State on Series 2 or Series 3 devices. This option is especially useful if the routers on your network are able to reroute traffic around a network device that is down.
You cannot disable link state propagation for inline sets configured on clustered devices.
Note that virtual devices and Sourcefire Software for X-Series do not support this option.
Step 8
Optionally, select Strict TCP Enforcement to enable strict TCP enforcement on Series 3 devices.
Note that Series 2, virtual devices, and Sourcefire Software for X-Series do not support this option. In addition, you cannot enable Strict TCP Enforcement and Tap Mode on the same inline set.
Step 9
Optionally, select Transparent Inline Mode.
Note that you cannot disable this option on Series 3 or 3D9900 devices.
Step 10
Click OK.
Your changes are saved. Note that your changes do not take effect until you apply the device configuration; see

Removing Bypass Mode on Fiber Inline Sets Configured to Fail Open
License: Protection
Supported Devices: Series 2 except 3D9900

When link state propagation is enabled on a Series 2 device with a fiber inline set configured to fail open and the device goes into bypass mode, all network traffic passes through the inline set without being analyzed. When the links restore, most fiber inline sets configured to fail open do not return from bypass automatically. You can use a command line tool to force the inline set out of bypass mode.

This tool works on inline sets with fiber inline interfaces configured to fail open. It is not necessary to use this tool on inline sets with copper inline interfaces set to fail open.

Note: Contact Support if you are having issues with inline sets configured to fail open on your device.

To force a fiber inline set configured to fail open out of bypass mode on a device:
Access: Admin/Network Admin