Cisco FirePOWER Appliance 8250
FireSIGHT System User Guide (page 7-7)
Chapter 7 Setting Up an IPS Device
Configuring Inline Sets
Step 8
Optionally, select Failsafe to specify that traffic is allowed to bypass detection and continue through the device. Managed devices monitor their internal traffic buffers and bypass detection if those buffers are full. Traffic that bypasses detection in this way is not inspected, so enabling Failsafe trades inspection coverage under overload for network availability.
Note that only Series 3 and 3D9900 devices support this option.
Step 9
Select the bypass mode to configure how the relays in the inline interfaces respond when an interface fails:
• Select Bypass to allow traffic to continue to pass through the interfaces (fail-open: traffic flows uninspected while the interface is down).
• Select Non-Bypass to block traffic (fail-closed: no traffic passes until the interface is restored).
Note
In bypass mode, you may lose a few packets when you reboot the appliance. Also note that you cannot configure bypass mode for inline sets on a virtual device or Sourcefire Software for X-Series, for non-bypass NetMods on 8000 Series devices, or for SFP modules on 3D7115 or 3D7125 devices.
Step 10
Click OK.
The inline set is added. Note that your changes do not take effect until you apply the device configuration.
Tip
To configure advanced settings for the inline set, such as tap mode, link state propagation, and transparent inline mode, see Configuring Advanced Inline Set Options.

Configuring Advanced Inline Set Options
License: Protection
Supported Devices: feature dependent
There are a number of options you may consider as you configure inline sets. See the sections below for more information about each option.
Tap Mode
Supported Devices: Series 3, 3D9900
Tap mode is available on 3D9900 and Series 3 devices when you create an inline or inline with fail-open interface set.
With tap mode, the device is deployed inline, but instead of the packet flow passing through the device, a copy of each packet is sent to the device and the network traffic flow is undisturbed. Because you are working with copies of packets rather than the packets themselves, rules that you set to drop and rules that use the replace keyword do not affect the packet stream; in tap mode the device detects but never blocks. However, rules of these types do generate intrusion events when they are triggered, and the table view of intrusion events indicates that the triggering packets would have dropped in an inline deployment.
There are benefits to using tap mode with devices that are deployed inline. For example, you can set up the cabling between the device and the network as if the device were inline and analyze the kinds of intrusion events the device generates. Based on the results, you can modify your intrusion policy and add the drop rules that best protect your network without impacting its efficiency. When you are ready to deploy the device inline, you can disable tap mode and begin dropping suspicious traffic without having to reconfigure the cabling between the device and the network.