Example: IPS Capture Interface configuration with SPAN

An example of using SPAN ports on switches to duplicate packets for inspection.

The administrator at company A wants to set up a Single IPS engine and deploy it in IDS configuration using SPAN ports on the switches to duplicate packets for inspection. The following illustration shows the interfaces of the IPS engine in IDS configuration.

Figure: Capture Interfaces with SPAN

In this example, Interface ID 0 is a Normal Interface used for management connections and for sending TCP Reset responses for network segment A. Interface ID 1 is a Capture Interface that captures network traffic from the network segment A switch for inspection. Interface ID 2 is a Capture Interface that captures network traffic from the network segment B switch for inspection. Interface ID 3 is a Normal Interface used only for sending TCP Reset responses for network segment B.

The administrator does the following:

  1. Creates a Single IPS element and selects the Log Server to which it sends log data and the traffic recordings.
  2. Defines Interface ID 0 as a Normal Interface and adds an IP address to it.
    • The IP address on Interface ID 0 is automatically selected as the Primary Control IP address because Interface ID 0 is the first Normal Interface with an IP address.
  3. Defines Interface ID 3 as a Normal Interface without an IP address.
    • Because Interface ID 3 is used only as a Reset Interface, it must not have an IP address.
  4. Defines Interface ID 1 as a Capture Interface and selects Interface ID 0 as the Reset Interface.
  5. Defines Interface ID 2 as a Capture Interface and selects Interface ID 3 as the Reset Interface.
  6. Saves the initial configuration of the engine in the Management Client.
  7. Maps the interface IDs to the physical interfaces in the NGFW Initial Configuration Wizard and makes initial contact with the Management Server.
  8. Installs an IPS Policy in the Management Client to transfer the configuration to the engine.
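The interface rules this procedure relies on (the first Normal Interface with an IP address becomes the Primary Control IP, a reset-only Normal Interface has no IP address, and each Capture Interface points at a Normal Interface as its Reset Interface) can be checked before the plan is entered in the Management Client. The following validator is an added example, not part of the product documentation or the NGFW software; the `Interface` model and the address on Interface ID 0 are constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Interface:
    iface_id: int
    kind: str                          # "normal" or "capture"
    ip: Optional[str] = None           # IP address, Normal Interfaces only
    management: bool = False           # Normal Interface also used for management connections
    reset_iface: Optional[int] = None  # Capture Interfaces: ID of the Normal Interface sending TCP Resets


def primary_control_ip(plan: List[Interface]) -> Optional[str]:
    """The first Normal Interface (lowest ID) that has an IP address supplies the Primary Control IP."""
    for iface in sorted(plan, key=lambda i: i.iface_id):
        if iface.kind == "normal" and iface.ip:
            return iface.ip
    return None


def validate(plan: List[Interface]) -> List[str]:
    """Return the rule violations found in the plan; an empty list means it is consistent."""
    errors = []
    by_id = {i.iface_id: i for i in plan}
    used_as_reset = set()
    for iface in plan:
        if iface.kind == "capture":
            if iface.ip:
                errors.append(f"ID {iface.iface_id}: a Capture Interface carries no IP address")
            target = by_id.get(iface.reset_iface)
            if target is None or target.kind != "normal":
                errors.append(f"ID {iface.iface_id}: the Reset Interface must be an existing Normal Interface")
            else:
                used_as_reset.add(target.iface_id)
    for iface in plan:
        if iface.kind != "normal":
            continue
        if iface.management and not iface.ip:
            errors.append(f"ID {iface.iface_id}: a management interface needs an IP address")
        if not iface.management and iface.iface_id in used_as_reset and iface.ip:
            errors.append(f"ID {iface.iface_id}: used only as a Reset Interface, so it must not have an IP address")
    if primary_control_ip(plan) is None:
        errors.append("no Normal Interface with an IP address, so no Primary Control IP can be selected")
    return errors


# Constructed plan mirroring the four interfaces in this example (the address is a placeholder).
EXAMPLE_PLAN = [
    Interface(0, "normal", ip="192.0.2.10", management=True),
    Interface(1, "capture", reset_iface=0),
    Interface(2, "capture", reset_iface=3),
    Interface(3, "normal"),
]
```

Calling `validate(EXAMPLE_PLAN)` returns an empty list for the plan above; giving Interface ID 3 an IP address, or pointing a Capture Interface at another Capture Interface, produces a violation per broken rule.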