36-12
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 36 Managing IPS Device Interfaces
Configuring Interfaces
Configuring Bypass Mode
You can use inline bypass as a diagnostic tool and a failover protection mechanism. Normally, the sensor
Analysis Engine performs packet analysis. When inline bypass is activated, Analysis Engine is bypassed,
allowing traffic to flow through the inline interfaces and inline VLAN pairs without inspection. Inline
bypass ensures that packets continue to flow through the sensor when the sensor processes are
temporarily stopped for upgrades or when the sensor monitoring processes fail. There are three modes:
on, off, and automatic. By default, bypass mode is set to automatic.
Keep the following factors in mind before deciding which bypass mode to use:
• There are security consequences when you put the sensor in bypass mode. When bypass mode is on, the traffic bypasses the sensor and is not inspected; therefore, the sensor cannot prevent malicious attacks.
• The inline bypass functionality is implemented in software, so it functions only when the operating system is running. If the sensor is powered off or shut down, inline bypass does not work—traffic does not flow through the sensor.
• When the sensor applies a signature or global correlation update, it might trigger bypass. Whether bypass is triggered depends on the traffic load of the sensor and the size of the signature or global correlation update. If bypass mode is turned off, an inline sensor stops passing traffic while the update is being applied.
To change the bypass mode setting, follow these steps:
Step 1 (Device view) Select the Interfaces policy from the Policy selector.
Step 2 In the Bypass Mode field at the bottom of the policy, select the desired option:
• Off (Always inspect inline traffic)—Disables bypass mode. Traffic flows through the sensor for inspection. If the monitoring process of the sensor is down, traffic stops flowing. This means that inline traffic is always inspected.
• On (Never inspect inline traffic)—Traffic bypasses the Analysis Engine and is not inspected. This means that inline traffic is never inspected.
• Auto (Bypass inspection when analysis engine is stopped)—Traffic flows through the sensor for inspection unless the monitoring process of the sensor is down. This is the default.
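The three modes differ in how the sensor fails: Off fails closed (traffic stops), Auto fails open (traffic passes uninspected), and On never inspects. The following is an added example, not Cisco code or part of this guide, that models those rules so the exposure of each mode can be compared across constructed failure scenarios; the `update_trips_bypass` flag and the `SCENARIOS` values are assumptions of the model, not settings of the product.

```python
from dataclasses import dataclass
from enum import Enum


class BypassMode(Enum):
    OFF = "off"    # Off: always inspect inline traffic; fails closed
    ON = "on"      # On: never inspect inline traffic
    AUTO = "auto"  # Auto (default): bypass only while the Analysis Engine is stopped


@dataclass(frozen=True)
class SensorState:
    powered_on: bool                   # operating system running (bypass is software-only)
    engine_running: bool               # Analysis Engine / monitoring process up
    applying_update: bool = False      # signature or global correlation update in progress
    update_trips_bypass: bool = False  # constructed flag: load and update size would trigger bypass


@dataclass(frozen=True)
class TrafficOutcome:
    flows: bool      # do inline packets keep moving through the sensor?
    inspected: bool  # does the Analysis Engine see them?


def evaluate(mode: BypassMode, state: SensorState) -> TrafficOutcome:
    """Outcome for one mode in one sensor state, following the guide's description."""
    # Inline bypass runs in software: a powered-off or shut-down sensor passes nothing.
    if not state.powered_on:
        return TrafficOutcome(flows=False, inspected=False)
    if mode is BypassMode.ON:
        return TrafficOutcome(flows=True, inspected=False)
    # The inspection path is unavailable when the engine is down, or when an update
    # large enough to trip bypass is being applied (this model's reading of the guide).
    inspection_available = state.engine_running and not (
        state.applying_update and state.update_trips_bypass)
    if inspection_available:
        return TrafficOutcome(flows=True, inspected=True)
    if mode is BypassMode.AUTO:
        return TrafficOutcome(flows=True, inspected=False)  # fails open: uninspected traffic
    return TrafficOutcome(flows=False, inspected=False)      # Off: traffic stops


def uninspected_count(mode: BypassMode, states) -> int:
    """Number of the given states in which traffic flows without inspection."""
    return sum(1 for s in states if (r := evaluate(mode, s)).flows and not r.inspected)


# Constructed failure scenarios: engine stopped, update tripping bypass, power loss.
SCENARIOS = (
    SensorState(powered_on=True, engine_running=False),
    SensorState(powered_on=True, engine_running=True, applying_update=True, update_trips_bypass=True),
    SensorState(powered_on=False, engine_running=False),
)
```

Running `uninspected_count` for each mode over `SCENARIOS` shows Auto and On each passing uninspected traffic in two scenarios while Off passes none, which is the trade-off to weigh against the availability loss when Off stops traffic.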
Table 36-3 Modify Physical Interface Map Dialog Box (Continued)

Element: Specify Interface for TCP Reset, interface-name
Description: Whether to send TCP resets on an alternate interface when this interface is used for promiscuous monitoring and the reset action is triggered by a signature firing. If you select this option, select the alternate TCP reset interface from the interface-name list. For more information about alternate TCP reset, see Understanding Interfaces, page 36-1.