Inline Sets and Passive Interfaces for Firepower Threat Defense

You can configure IPS-only passive interfaces, passive ERSPAN interfaces, and inline sets. IPS-only mode interfaces bypass many firewall checks and only support IPS security policy. You might want to implement IPS-only interfaces if you have a separate firewall protecting these interfaces and do not want the overhead of firewall functions.

Guidelines for Inline Sets and Passive Interfaces

Firewall Mode

ERSPAN interfaces are only allowed when the device is in routed firewall mode.

General Guidelines

Inline sets and passive interfaces support physical interfaces only, and cannot use EtherChannels, redundant interfaces, VLANs, and so on.
Inline sets and passive interfaces are supported in intra-chassis and inter-chassis clustering.
Bidirectional Forwarding Detection (BFD) echo packets are not allowed through the FTD when using inline sets. If there are two neighbors on either side of the FTD running BFD, then the FTD will drop BFD echo packets because they have the same source and destination IP address and appear to be part of a LAND attack.
For all models except for the Firepower 4100/9300, the FTD supports no more than two 802.1Q headers in a packet (also known as Q-in-Q support) for inline sets and passive interfaces. Firewall interfaces do not support Q-in-Q, and the Firepower 4100/9300 models do not support Q-in-Q for any type of interface.

Unsupported Firewall Features on IPS Interfaces

DHCP server
DHCP relay
DHCP client
TCP Intercept
Routing
NAT
VPN
Application inspection
QoS
NetFlow
VXLAN

Configure a Passive Interface


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	N/A	FTD	Any	Admin Access Admin Network Admin

This section describes how to:

Enable the interface. By default, interfaces are disabled.
Set the interface mode to Passive or ERSPAN. For ERSPAN interfaces, you will set the ERSPAN parameters and the IP address.
Change the MTU. By default, the MTU is set to 1500 bytes. For more information about the MTU, see About the MTU.
Set a specific speed and duplex (if available). By default, speed and duplex are set to Auto.

Note

For the Firepower Threat Defense on the FXOS chassis, you configure basic interface settings on the Firepower 4100/9300 chassis. See Configure a Physical Interface for more information.

Procedure

Step 1	Select Devices > Device Management and click the edit icon () for your FTD device. The Interfaces tab is selected by default.
Step 2	Click the edit icon () for the interface you want to edit.
Step 3	In the Mode drop-down list, choose Passive or Erspan.
Step 4	Enable the interface by checking the Enabled check box.
Step 5	In the Name field, enter a name up to 48 characters in length.
Step 6	From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.
Step 7	(Optional) Add a description in the Description field. The description can be up to 200 characters on a single line, without carriage returns.
Step 8	(Optional) On General, set the MTU between 64 and 9198 bytes; for the Firepower Threat Defense Virtual and Firepower Threat Defense on the FXOS chassis, the maximum is 9000 bytes. The default is 1500 bytes.
Step 9	For ERSPAN interfaces, set the following parameters: Flow Id—Configure the ID used by the source and destination sessions to identify the ERSPAN traffic, between 1 and 1023. This ID must also be entered in the ERSPAN destination session configuration. Source IP—Configure the IP address used as the source of the ERSPAN traffic.
Step 10	For ERSPAN interfaces, set the IPv4 address and mask on IPv4.
Step 11	(Optional) Set the duplex and speed by clicking Hardware Configuration. The exact speed and duplex options depend on your hardware. Duplex—Choose Full, Half, or Auto. Auto is the default. Speed—Choose 10, 100, 1000, or Auto. Auto is the default.
Step 12	Click OK.
Step 13	Click Save. You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Configure an Inline Set


Smart License	Classic License	Supported Devices	Supported Domains	Access
Any	N/A	FTD	Any	Admin Access Admin Network Admin

This section enables and names two physical interfaces that you can add to an inline set.

Note

For the Firepower Threat Defense on the FXOS chassis, you configure basic interface settings on the Firepower 4100/9300 chassis. See Configure a Physical Interface for more information.

Before you begin

We recommend that you set STP PortFast for STP-enabled switches that connect to Firepower Threat Defense inline pair interfaces.

Procedure

Step 1

Select Devices > Device Management and click the edit icon () for your FTD device. The Interfaces tab is selected by default.

Step 2

Click the edit icon () for the interface you want to edit.

Step 3

In the Mode drop-down list, choose None.

After you add this interface to an inline set, this field will show Inline for the mode.

Step 4

Enable the interface by checking the Enabled check box.

Step 5

In the Name field, enter a name up to 48 characters in length.

Do not set the security zone yet; you must set it after you create the inline set later in this procedure.

Step 6

(Optional) Add a description in the Description field.

The description can be up to 200 characters on a single line, without carriage returns.

Step 7

(Optional) Set the duplex and speed by clicking Hardware Configuration.

The exact speed and duplex options depend on your hardware.

Duplex—Choose Full, Half, or Auto. Auto is the default.
Speed—Choose 10, 100, 1000, or Auto. Auto is the default.

Step 8

Click OK.

Do not set any other settings for this interface.

Step 9

Click edit () for the second interface you want to add to the inline set.

Step 10

Configure the settings as for the first interface.

Step 11

Click Inline Sets.

Step 12

Click Add Inline Set.

The Add Inline Set dialog box appears with General selected.

Step 13

In the Name field, enter a name for the set.

Step 14

(Optional) Change the MTU to enable jumbo frames.

For inline sets, the MTU setting is not used. However, the jumbo frame setting is relevant to inline sets; jumbo frames enable the inline interfaces to receive packets up to 9000 bytes. To enable jumbo frames, you must set the MTU of any interface on the device above 1500 bytes.

Step 15

(Optional) To specify that traffic is allowed to bypass detection and continue through the device in the case of a sensor failure, check the Failsafe check box.

Managed devices monitor internal traffic buffers and bypass detection if those buffers are full.

Step 16

In the Available Interfaces Pairs area, click a pair and then click Add to move it to the Selected Interface Pair area.

All possible pairings between named and enabled interfaces with the mode set to None show in this area.

Step 17

(Optional) Click Advanced to set the following optional parameters:

Tap Mode—Set to inline tap mode.

Note that you cannot enable this option and strict TCP enforcement on the same inline set.

Propagate Link State—Configure link state propagation.

Link state propagation automatically brings down the second interface in the inline interface pair when one of the interfaces in an inline set goes down. When the downed interface comes back up, the second interface automatically comes back up, also. In other words, if the link state of one interface changes, the device senses the change and updates the link state of the other interface to match it. Note that devices require up to 4 seconds to propagate link state changes. Link state propagation is especially useful in resilient network environments where routers are configured to reroute traffic automatically around network devices that are in a failure state.

Note

This feature is not supported on the Firepower 4100/9300 chassis.

Strict TCP Enforcement—To maximize TCP security, you can enable strict enforcement, which blocks connections where the three-way handshake was not completed.

Strict enforcement also blocks:
- Non-SYN TCP packets for connections where the three-way handshake was not completed
- Non-SYN/RST packets from the initiator on a TCP connection before the responder sends the SYN-ACK
- Non-SYN-ACK/RST packets from the responder on a TCP connection after the SYN but before the session is established
- SYN packets on an established TCP connection from either the initiator or the responder

Step 18

Click Interfaces.

Step 19

Click edit () for one of the member interfaces.

Step 20

From the Security Zone drop-down list, choose a security zone or add a new one by clicking New.

You can only set the zone after you add the interface to the inline set; adding it to an inline set configures the mode to Inline and lets you choose inline-type security zones.

Step 21

Click OK.

Step 22

Set the security zone for the second interface.

Step 23

Click Save.

You can now click Deploy and deploy the policy to assigned devices. The changes are not active until you deploy them.

Firepower Management Center Configuration Guide, Version 6.0.1

Bias-Free Language

Book Title

Firepower Management Center Configuration Guide, Version 6.0.1

Chapter Title