Sourcefire IPS (Firepower deplying mode)

hi,

dear valued supporters, i would like to ask one question regarding the top IPS vendor Sourcefire... the question is that if we are deploying the firepower in promiscuous mode so can we take any actions on the traffic or what actions can we take on this kind of traffic.

please reply asap as we need to support to one customer.
syedaassiiiff27Asked:
Who is Participating?

Improve company productivity with a Business Account.Sign Up

x
 
btanConnect With a Mentor Exec ConsultantCommented:
I see mainly two mode e.g.
a) Passive - where the 3D Sensor is configured to only monitor traffic and not block. In a VM environment e.g. a port on the virtual switch is configured in promiscuous mode so that all traffic between VMs and to the physical NIC is mirrored on the promiscuous port to the sensor. It is best to use separate virtual switches and physical NICs for a sensor’s monitoring and management interfaces.

b) Passive in a Cluster -  Mostly in HA and load balancing situation. In virtual environment, Users can passively deploy the Virtual 3D Sensor in two possible
configurations: deploy one sensor per ESX host, or one sensor to monitor all the hosts in the cluster. Understand there is another configuration that requires the Cisco Nexus
1000V switch and a Nexus feature called Encapsulated Remote SPAN, or ERSPAN. ERSPAN is very similar to Cisco’s RSPAN feature, where SPAN traffic from a switch can be directed to the destination port on another switch.

Hence, if all of the hosts are using Cisco Nexus 1000V switches, most of the Nexus
switches can be configured to send their SPAN traffic to a single Virtual 3D Sensor. The sensor’s local switch can use traditional SPAN to send traffic to the sensor.

c) Inline - This block traffic. The sensor bridges the traffic between the switches and blocks any traffi c matching specific IPS “drop” rules.

e.g. from the community forum which you can find more info or post
https://community.sourcefire.com/questions/setting-a-policy-or-configuration-value-to-allow-all-ips-traffic-to-pass-through
https://community.sourcefire.com/questions/configuring-virtual-sensor-inline
https://community.sourcefire.com/questions/inspecting-virtual-traffic-from-multiple-vlans

I’d suggest you contact your SE and he/she can help you out there.
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.