IPS Device Deployments and Configuration

The following topics describe how to configure your device in an IPS deployment:

Introduction to IPS Device Deployment and Configuration

You can configure your device in either a passive or inline IPS deployment. In a passive deployment, you deploy the system out of band from the flow of network traffic. In an inline deployment, you configure the system transparently on a network segment by binding two ports together.

License Requirements for IPS Device Deployment

FTD License

Threat

Classic License

Protection

Requirements and Prerequisites for IPS Device Deployment

Model Support

Any.

Supported Domains

Leaf.

User Roles

  • Admin

  • Network Admin

Passive IPS Deployments

In a passive IPS deployment, the Firepower System monitors traffic flowing across a network using a switch SPAN (or mirror) port. The SPAN port allows for traffic to be copied from other ports on the switch. This provides the system visibility within the network without being in the flow of network traffic. When configured in a passive deployment, the system cannot take certain actions such as blocking or shaping traffic. Passive interfaces receive all traffic unconditionally, and no traffic received on these interfaces is retransmitted. Passive interfaces support both local SPAN and remote SPAN (RSPAN) traffic.


Note

Outbound traffic includes flow control packets. Because of this, passive interfaces on your appliances may show outbound traffic and, depending on your configuration, generate events; this is expected behavior.


Passive Interfaces on the Firepower System

You can configure one or more physical ports on a managed device as passive interfaces.

When you enable a passive interface to monitor traffic, you designate mode and MDI/MDIX settings, which are available only for copper interfaces.

When you disable a passive interface, users can no longer access it for security purposes.

The range of MTU values can vary depending on the model of the managed device and the interface type.


Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.
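A pre-deploy check for this caution (which is repeated for each MTU field in this chapter), added here as an example and not part of the Firepower product: given a constructed interface inventory, it reports whether a proposed MTU edit changes the highest non-management MTU and so would restart Snort on deploy. The inventory, the is-management flag and the change-planning helper are assumptions.

```python
"""Pre-deploy check for the Snort-restart caution (constructed example)."""

# Constructed inventory: interface name -> (mtu, is_management)
INTERFACES = {
    "management0": (1500, True),
    "eth0": (1500, False),
    "eth1": (1500, False),
    "eth2": (9000, False),
    "eth3": (9000, False),
}


def highest_data_mtu(interfaces):
    """Highest MTU across non-management interfaces only; the management
    interface never counts toward the restart condition."""
    return max(mtu for mtu, is_mgmt in interfaces.values() if not is_mgmt)


def restarts_snort(interfaces, name, new_mtu):
    """True when applying new_mtu to `name` changes the highest non-management
    MTU. Raising an interface above the current maximum counts, and so does
    lowering the only interface that holds it; an edit that stays below the
    maximum (or lowers one of several interfaces at the maximum) does not."""
    mtu, is_mgmt = interfaces[name]
    if is_mgmt:
        return False
    before = highest_data_mtu(interfaces)
    proposed = dict(interfaces)
    proposed[name] = (new_mtu, is_mgmt)
    return highest_data_mtu(proposed) != before


def plan_changes(interfaces, changes):
    """Apply (name, new_mtu) edits in order and report which ones would trigger
    a restart, so they can be batched into one maintenance window instead of
    causing repeated inspection gaps."""
    state = dict(interfaces)
    report = []
    for name, new_mtu in changes:
        report.append((name, new_mtu, restarts_snort(state, name, new_mtu)))
        state[name] = (new_mtu, state[name][1])
    return report
```

Note that lowering eth2 alone does not trigger a restart because eth3 still holds the 9000 maximum; lowering eth3 afterwards does.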


Configuring Passive Interfaces

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click Edit (edit icon) next to the device where you want to configure the passive interface.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Edit (edit icon) next to the interface you want to configure as a passive interface.

Step 4

Click Passive.

Step 5

If you want to associate the passive interface with a security zone, do one of the following:

Step 6

Check the Enabled check box.

If you clear the check box, the interface becomes disabled so that users cannot access it for security purposes.

Step 7

Enter a maximum transmission unit (MTU) in the MTU field.

The range of MTU values can vary depending on the model of the managed device and the interface type.

Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Step 8

Click Save.


What to do next

Inline IPS Deployments

In an inline IPS deployment, you configure the Firepower System transparently on a network segment by binding two ports together. This allows the system to be installed in any network environment without the configuration of adjacent network devices. Inline interfaces receive all traffic unconditionally, but all traffic received on these interfaces is retransmitted out of an inline set unless explicitly dropped.


Note

For the system to affect traffic, you must deploy relevant configurations to managed devices using routed, switched, or transparent interfaces, or inline interface pairs.


You can configure the interfaces on your managed device to route traffic between a host on your network and external hosts through different inline interface pairs, depending on whether the device traffic is inbound or outbound. This is an asynchronous routing configuration. If you deploy asynchronous routing but you include only one interface pair in an inline set, the device might not correctly analyze your network traffic because it might see only half of the traffic.

Adding multiple inline interface pairs to the same inline interface set allows the system to identify the inbound and outbound traffic as part of the same traffic flow. For passive interfaces only, you can also achieve this by including the interface pairs in the same security zone.

When the system generates a connection event from traffic passing through an asynchronous routing configuration, the event may identify an ingress and egress interface from the same inline interface pair. The configuration in the following diagram, for example, would generate a connection event identifying eth3 as the ingress interface and eth2 as the egress interface. This is expected behavior in this configuration.

Diagram illustrating multiple interface pairs with asynchronous routing
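To make the half-flow problem concrete, here is an added example (not Cisco's code) that models flow tracking per inline set on a constructed two-pair topology and the TCP handshake packets it sees. The interface names, addresses, and the assumption that flow state is kept per inline set are constructed for illustration.

```python
"""Why asynchronous routing needs both interface pairs in one inline set
(constructed example, not Firepower code)."""
from collections import defaultdict

# Constructed topology: client->server traffic crosses the eth0/eth1 pair,
# server->client traffic crosses the eth2/eth3 pair (asynchronous routing).
PARTNER = {"eth0": "eth1", "eth1": "eth0", "eth2": "eth3", "eth3": "eth2"}


def pkt(ingress, src, sport, dst, dport):
    return {"ingress": ingress, "src": src, "sport": sport, "dst": dst, "dport": dport}


# Constructed handshake: SYN and ACK enter on eth0, the SYN-ACK enters on eth3.
HANDSHAKE = [
    pkt("eth0", "10.1.1.10", 40000, "203.0.113.5", 443),   # SYN, client->server
    pkt("eth3", "203.0.113.5", 443, "10.1.1.10", 40000),   # SYN-ACK, server->client
    pkt("eth0", "10.1.1.10", 40000, "203.0.113.5", 443),   # ACK, client->server
]


def flow_key(p):
    """Direction-independent key so both halves of a session map to one flow."""
    return ("tcp",) + tuple(sorted([(p["src"], p["sport"]), (p["dst"], p["dport"])]))


def direction(p):
    """'fwd' when the packet travels from the lower endpoint of the key."""
    return "fwd" if (p["src"], p["sport"]) < (p["dst"], p["dport"]) else "rev"


def connection_event(p):
    """Ingress/egress pair reported for a packet: the egress is the ingress
    interface's partner in its inline pair, as in the eth3/eth2 case above."""
    return p["ingress"], PARTNER[p["ingress"]]


def observe(packets, inline_sets):
    """inline_sets: set name -> interfaces in that set. Flow state is kept per
    inline set, so a session whose halves land in different sets is tracked
    as two one-directional flows and never looks like a complete handshake."""
    set_of = {ifc: name for name, ifcs in inline_sets.items() for ifc in ifcs}
    seen = defaultdict(lambda: defaultdict(set))
    for p in packets:
        seen[set_of[p["ingress"]]][flow_key(p)].add(direction(p))
    return seen


def bidirectional_flows(packets, inline_sets):
    """Sessions for which one inline set saw both directions; only these can be
    fully inspected (handshake tracking, application identification)."""
    return sum(len(dirs) == 2 for flows in observe(packets, inline_sets).values()
               for dirs in flows.values())


SEPARATE = {"set-a": {"eth0", "eth1"}, "set-b": {"eth2", "eth3"}}
COMBINED = {"set-a": {"eth0", "eth1", "eth2", "eth3"}}
```

With the pairs in separate inline sets the handshake is never seen whole; placing both pairs in one set restores full visibility of the session.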


Note

If you assign multiple interface pairs to a single inline interface set but you experience issues with duplicate traffic, reconfigure to help the system uniquely identify packets. For example, you could reassign your interface pairs to separate inline sets or modify your security zones.


For devices with inline sets, a software bridge is automatically set up to transport packets after the device restarts. If the device is restarting, there is no software bridge running anywhere. If you enable bypass mode on the inline set, it goes into hardware bypass while the device is restarting. In that case, you may lose a few seconds of packets as the system goes down and comes back up, due to renegotiation of link with the device. However, the system will pass traffic while Snort is restarting.

Inline Interfaces on the Firepower System

You can configure one or more physical ports on a managed device as inline interfaces. You must assign a pair of inline interfaces to an inline set before they can handle traffic in an inline deployment.

Note:

  • The system warns you if you set the interfaces in an inline pair to different speeds or if the interfaces negotiate to different speeds.

  • If you configure an interface as an inline interface, the adjacent port on its NetMod automatically becomes an inline interface as well to complete the pair.

  • To configure inline interfaces on an NGIPSv device, you must create the inline pair using adjacent interfaces.

Configuring Inline Interfaces

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click Edit (edit icon) next to the device where you want to configure the interface.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Edit (edit icon) next to the interface you want to configure.

Step 4

Click Inline.

Step 5

If you want to associate the inline interface with a security zone, do one of the following:

Step 6

Choose an existing inline set from the Inline Set drop-down list, or choose New to add a new inline set.

Note

If you add a new inline set, you must configure it after you set up the inline interface; see Adding Inline Sets.

Step 7

Check the Enabled check box.

If you clear the check box, the interface becomes disabled so that users cannot access it for security purposes.

Step 8

Click Save.


What to do next

Inline Sets

Before you can use inline interfaces in an inline deployment, you must configure inline sets and assign inline interface pairs to them. An inline set is a grouping of one or more inline interface pairs on a device; an inline interface pair can belong to only one inline set at a time.

The Inline Sets tab of the Device Management page displays a list of all inline sets you have configured on a device.

You can add inline sets from the Inline Sets tab of the Device Management page or you can add inline sets as you configure inline interfaces.

You can assign only inline interface pairs to an inline set. If you want to create an inline set before you configure the inline interfaces on your managed devices, you can create an empty inline set and add interfaces to it later. You can use alphanumeric characters and spaces when you type a name for an inline set.


Note

Create inline sets before you add security zones for the interfaces in the inline set; otherwise security zones are removed and you must add them again.


Name

The name of the inline set.

Interfaces

A list of all inline interface pairs assigned to the inline set. A pair is not available when you disable either interface in the pair from the Interfaces tab.

MTU

The maximum transmission unit for the inline set. The range of MTU values can vary depending on the model of the managed device and the interface type.


Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.


Failsafe

Behavior of the interface on an NGIPSv device when the Snort process is busy or down.

  • Enabled—New and existing flows pass without inspection when the Snort process is busy or down.

  • Disabled—New and existing flows drop when the Snort process is busy and pass without inspection when the Snort process is down.

The Snort process can be busy when traffic buffers are full, indicating that there is more traffic than the managed device can handle, or because of other software issues.

The Snort process goes down when you deploy a configuration that requires it to restart. See Configurations that Restart the Snort Process When Deployed or Activated for more information.


Note

When traffic passes without inspection, features that rely on the Snort process do not function. These include application control and deep inspection. The system performs only basic access control using simple, easily determined transport and network layer characteristics.


Viewing Inline Sets

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click Edit (edit icon) next to the device where you want to view the inline sets.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Inline Sets.


Adding Inline Sets

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click Edit (edit icon) next to the device where you want to add the inline set.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Inline Sets.

Step 4

Click Add Inline Set.

Step 5

Enter a Name.

Step 6

Next to Interfaces, choose one or more inline interface pairs, then click Add Selected. To add all interface pairs to the inline set, click Add All.

Tip

To remove inline interfaces from the inline set, choose one or more inline interface pairs and click Remove Selected. To remove all interface pairs from the inline set, click Remove All. Disabling either interface in a pair from Interfaces also removes the pair.

Step 7

Enter a maximum transmission unit (MTU) in the MTU field.

The range of MTU values can vary depending on the model of the managed device and the interface type.

Caution

Changing the highest MTU value among all non-management interfaces on the device restarts the Snort process when you deploy configuration changes, temporarily interrupting traffic inspection. Inspection is interrupted on all non-management interfaces, not just the interface you modified. Whether this interruption drops traffic or passes it without further inspection depends on the model of the managed device and the interface type. See Snort® Restart Traffic Behavior for more information.

Step 8

If you want to specify that traffic is allowed to bypass detection and continue through the device when the Snort process is busy or down, choose Failsafe. See Inline Sets for more information.

Enabling Failsafe on a device with inline sets greatly decreases the risk of dropped packets if the internal traffic buffers are full, but your device may still drop packets in certain conditions. In the worst case, the device may experience a temporary network outage.

Step 9

Optionally, configure advanced settings; see Advanced Inline Set Options.

Step 10

Click OK.


What to do next

Deploy configuration changes; see Deploy Configuration Changes.

Advanced Inline Set Options

There are a number of advanced options you may consider as you configure inline sets.

Transparent Inline Mode

The Transparent Inline Mode option allows the device to act as a “bump in the wire”: the device forwards all the network traffic it sees, regardless of its source and destination.

Configuring Advanced Inline Set Options

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Click Edit (edit icon) next to the device where you want to edit the inline set.

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Inline Sets.

Step 4

Click Edit (edit icon) next to the inline set you want to edit.

Step 5

Click Advanced.

Step 6

Configure options as described in Advanced Inline Set Options.

Note

Link state propagation and strict TCP enforcement are not supported on virtual devices.

Step 7

Click OK.


What to do next

Deleting Inline Sets

When you delete an inline set, any inline interfaces assigned to the set become available for inclusion in another set. The interfaces are not deleted.

Procedure


Step 1

Choose Devices > Device Management.

Step 2

Next to the device where you want to delete the inline set, click Edit (edit icon).

In a multidomain deployment, if you are not in a leaf domain, the system prompts you to switch.

Step 3

Click Inline Sets.

Step 4

Next to the inline set you want to delete, click Delete (delete icon).

Step 5

When prompted, confirm that you want to delete the inline set.


What to do next