Have an account?

  •   Personalized content
  •   Your products and support

Need an account?

Create an account

Firepower Management Center Configuration Guide, Version 6.0.1

Book Contents
Find Matches in This Book
Available Languages
Download Options

Book Title

Firepower Management Center Configuration Guide, Version 6.0.1

Chapter Title

Inline Sets and Passive Interfaces for Firepower Threat Defense

Results

Updated:
April 28, 2019

Chapter: Inline Sets and Passive Interfaces for Firepower Threat Defense

Inline Sets and Passive Interfaces for Firepower Threat Defense

You can configure IPS-only passive interfaces, passive ERSPAN interfaces, and inline sets. IPS-only mode interfaces bypass many firewall checks and only support IPS security policy. You might want to implement IPS-only interfaces if you have a separate firewall protecting these interfaces and do not want the overhead of firewall functions.

Guidelines for Inline Sets and Passive Interfaces

Firewall Mode

  • ERSPAN interfaces are only allowed when the device is in routed firewall mode.

General Guidelines

  • Inline sets and passive interfaces support physical interfaces only, and cannot use EtherChannels, redundant interfaces, VLANs, and so on.

  • Inline sets and passive interfaces are supported in intra-chassis and inter-chassis clustering.

  • Bidirectional Forwarding Detection (BFD) echo packets are not allowed through the FTD when using inline sets. If there are two neighbors on either side of the FTD running BFD, then the FTD will drop BFD echo packets because they have the same source and destination IP address and appear to be part of a LAND attack.

Unsupported Firewall Features on IPS Interfaces

  • DHCP server

  • DHCP relay

  • DHCP client

  • TCP Intercept

  • Routing

  • NAT

  • VPN

  • Application inspection

  • QoS

  • NetFlow

  • VXLAN

Configure a Passive Interface

Smart License Classic License Supported Devices Supported Domains Access

Any

N/A

FTD

Any

Admin
Access Admin
Network Admin

This section describes how to:

  • Enable the interface. By default, interfaces are disabled.

  • Set the interface mode to Passive or ERSPAN. For ERSPAN interfaces, you will set the ERSPAN parameters and the IP address.

  • Change the MTU. By default, the MTU is set to 1500 bytes. For more information about the MTU, see About the MTU.

  • Set a specific speed and duplex (if available). By default, speed and duplex are set to Auto.


Note

For the Firepower Threat Defense on the FXOS chassis, you configure basic interface settings on the Firepower 4100/9300 chassis. See Configure a Physical Interface for more information.

Procedure

Step 1

Select Devices > Device Management and click the edit icon () for your FTD device. The Interfaces tab is selected by default.

Step 2

Click the edit icon () for the interface you want to edit.

Step 3

In the Mode drop-down list, choose Passive or Erspan.

Step 4

Enable the interface by checking the Enabled check box.

Step 5

In the Name field, enter a name up to 48 characters in length.

Step 6

From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.

Step 7

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 8

(Optional) On the General tab, set the MTU between 64 and 9198 bytes; for the Firepower Threat Defense Virtual and Firepower Threat Defense on the FXOS chassis, the maximum is 9000 bytes.

The default is 1500 bytes.

Step 9

For ERSPAN interfaces, set the following parameters:

  • Flow Id—Configure the ID used by the source and destination sessions to identify the ERSPAN traffic, between 1 and 1023. This ID must also be entered in the ERSPAN destination session configuration.

  • Source IP—Configure the IP address used as the source of the ERSPAN traffic.

Step 10

For ERSPAN interfaces, set the IPv4 address and mask on the IPv4 tab.

Step 11

(Optional) Set the duplex and speed by clicking the Hardware Configuration tab.

The exact speed and duplex options depend on your hardware.

  • Duplex—Choose Full, Half, or Auto. Auto is the default.

  • Speed—Choose 10, 100, 1000, or Auto. Auto is the default.

Step 12

Click OK.

Step 13

Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Configure an Inline Set

Smart License Classic License Supported Devices Supported Domains Access

Any

N/A

FTD

Any

Admin
Access Admin
Network Admin

This section enables and names two physical interfaces that you can add to an inline set.


Note

For the Firepower Threat Defense on the FXOS chassis, you configure basic interface settings on the Firepower 4100/9300 chassis. See Configure a Physical Interface for more information.

Before you begin

  • We recommend that you set STP PortFast for STP-enabled switches that connect to Firepower Threat Defense inline pair interfaces.

Procedure

Step 1

Select Devices > Device Management and click the edit icon () for your FTD device. The Interfaces tab is selected by default.

Step 2

Click the edit icon () for the interface you want to edit.

Step 3

In the Mode drop-down list, choose None.

After you add this interface to an inline set, this field will show Inline for the mode.

Step 4

Enable the interface by checking the Enabled check box.

Step 5

In the Name field, enter a name up to 48 characters in length.

Do not set the security zone yet; you must set it after you create the inline set later in this procedure.
Step 6

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 7

(Optional) Set the duplex and speed by clicking the Hardware Configuration tab.

The exact speed and duplex options depend on your hardware.

  • Duplex—Choose Full, Half, or Auto. Auto is the default.

  • Speed—Choose 10, 100, 1000, or Auto. Auto is the default.

Step 8

Click OK.

Do not set any other settings for this interface.

Step 9

Click the edit icon () for the second interface you want to add to the inline set.

Step 10

Configure the settings as for the first interface.

Step 11

Click the Inline Sets tab.

Step 12

Click Add Inline Set.

The Add Inline Set dialog box appears with the General tab selected.
Step 13

In the Name field, enter a name for the set.

Step 14

(Optional) Change the MTU to enable jumbo frames.

For inline sets, the MTU setting is not used. However, the jumbo frame setting is relevant to inline sets; jumbo frames enable the inline interfaces to receive packets up to 9000 bytes. To enable jumbo frames, you must set the MTU of any interface on the device above 1500 bytes.

Step 15

(Optional) To specify that traffic is allowed to bypass detection and continue through the device in the case of a sensor failure, check the Failsafe check box.

Managed devices monitor internal traffic buffers and bypass detection if those buffers are full.

Step 16

In the Available Interfaces Pairs area, click a pair and then click Add to move it to the Selected Interface Pair area.

All possible pairings between named and enabled interfaces with the mode set to None show in this area.

Step 17

(Optional) Click the Advanced tab to set the following optional parameters:

  • Tap Mode—Set to inline tap mode.

    Note that you cannot enable this option and strict TCP enforcement on the same inline set.

  • Propagate Link State—Configure link state propagation.

    Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the device senses the change and updates the link state of the other interface to match it. Note that devices require up to 4 seconds to propagate link state changes. Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

    Note 

    This feature is not supported on the Firepower 4100/9300 chassis.

  • Strict TCP Enforcement—To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed.

    Strict enforcement also blocks:

    • Non-SYN TCP packets for connections where the three-way handshake was not completed

    • Non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK

    • Non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the session is established

    • SYN packets on an established TCP connection from either the initiator or the responder

Step 18

Click the Interfaces tab.

Step 19

Click the edit icon () for one of the member interfaces.

Step 20

From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.

You can only set the zone after you add the interface to the inline set; adding it to an inline set configures the mode to Inline and lets you choose inline-type security zones.

Step 21

Click OK.

Step 22

Set the security zone for the second interface.

Step 23

Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Was this Document Helpful?

FeedbackFeedback

Contact Cisco

Related Cisco Community Discussions

About Us
Contact Us
Work with Us