Introduction to NGIPS

Introduction

When I was studying for the CCIE, one of the topics I found difficult to find enough information about was NGIPS. There were tons of details on FTD but very little on NGIPS.
This blog post briefly introduces how NGIPS works and its deployment options. We will not cover the installation, though, as it’s mostly identical to a virtual FTD device. 

NGIPS

The NGIPS is inherited from Sourcefire and offers different interface modes from those of an ASA with a Sourcefire module or an FTD. The CCIE lab uses a virtual edition of NGIPS, which by default operates in Transparent mode. You typically have two deployment options:

  • Inline (Using Inline Sets)
  • Passive (Using SPAN or ERSPAN)

Inline Sets

Supported in both Routed and Transparent mode.
Inline Sets and Passive interfaces support physical interfaces and Port-Channels only.

Inline interfaces receive all traffic unconditionally, and everything received on one interface of an inline set is retransmitted out of the other interface unless it is explicitly dropped. An Inline Set is similar to a Bridge Group on a Transparent FTD: you pick two interfaces that should be bridged together (e.g., Inside > Outside). Traffic between these two interfaces is Layer 2 adjacent through the appliance, so it acts like a bump in the wire.

TAP Mode
Works with a copy of the packet and is therefore unable to block traffic. Events generated will say, “Would have dropped.” NGIPS can be deployed in Inline TAP mode as a monitor-mode deployment, and once you are confident that it is working correctly, you can disable TAP mode again.

To enable TAP mode, go to the Advanced section of your Inline Set and enable TAP Mode.

Inline Set Config

Go to the Interfaces and Enable the interfaces that you want to use. Do NOT configure a Security Zone yet.

Go to the Inline Sets section and click Add Inline Set. Assign it a name and add your interface combination.

Go to the Advanced section. This is where you optionally enable TAP Mode for a Monitor Mode deployment.
The other options have the following functions:

Propagate Link State
Automatically brings down the second interface of the inline pair when one of the interfaces in the inline set goes down, and automatically brings it back up when it detects the other link coming back up.

Strict TCP Enforcement
Blocks connections where the TCP three-way handshake was not completed.

Go back to your interfaces and assign a Security Zone to them.

Deploy, and you are done. Traffic should now be able to pass through your Inline Set. If you enable logging in the ACP, you should see multicast and unicast traffic between the segments.
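To make the two advanced options above concrete, here is an added example (not Cisco code, and a deliberate simplification of what the Snort engine inside NGIPS actually does) that models an inline set as a small TCP state tracker. With Strict TCP Enforcement on, a packet that belongs to a connection whose three-way handshake was never seen is dropped; with TAP Mode on, the same packet is forwarded and only a “Would have dropped” event is recorded. The packet list, addresses and flow-key scheme are constructed for the example.

```python
"""Toy inline set with 'Strict TCP Enforcement' and 'TAP Mode' options.

Added example: it is not NGIPS/Snort code. It tracks the TCP handshake per
connection over a constructed packet list and returns, per packet, whether the
inline set forwarded or dropped it, plus the events it logged.
"""
from dataclasses import dataclass

# TCP flag bits (real values from the TCP header)
FIN, SYN, RST, PSH, ACK = 0x01, 0x02, 0x04, 0x08, 0x10


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: int
    payload: int = 0  # bytes of application data (constructed)


def flow_key(p: Packet) -> tuple:
    """Direction-independent key so both halves of a connection share state."""
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)


class InlineSet:
    def __init__(self, strict_tcp: bool = True, tap_mode: bool = False):
        self.strict_tcp = strict_tcp
        self.tap_mode = tap_mode
        self.state = {}   # flow key -> "SYN" | "SYN_ACK" | "ESTABLISHED"
        self.events = []  # human-readable log lines

    def _verdict(self, p: Packet) -> str:
        key = flow_key(p)
        st = self.state.get(key)
        syn, ack = bool(p.flags & SYN), bool(p.flags & ACK)
        if syn and not ack:                      # client SYN opens a connection
            self.state[key] = "SYN"
            return "pass"
        if st == "SYN" and syn and ack:          # server SYN/ACK
            self.state[key] = "SYN_ACK"
            return "pass"
        if st == "SYN_ACK" and ack and not syn:  # final ACK completes handshake
            self.state[key] = "ESTABLISHED"
            return "pass"
        if st == "ESTABLISHED":
            if p.flags & (FIN | RST):            # teardown: forget the flow
                self.state.pop(key, None)
            return "pass"
        # Anything else is mid-stream traffic on a connection whose handshake
        # this inline set never saw; Strict TCP Enforcement blocks it.
        return "drop" if self.strict_tcp else "pass"

    def process(self, p: Packet) -> str:
        verdict = self._verdict(p)
        where = f"{p.src}:{p.sport} -> {p.dst}:{p.dport}"
        if verdict == "drop" and self.tap_mode:
            # TAP mode inspects a copy: log the decision but let the packet through
            self.events.append(f"Would have dropped: {where}")
            return "forwarded"
        if verdict == "drop":
            self.events.append(f"Dropped: {where}")
            return "dropped"
        return "forwarded"


# Constructed sample: one full handshake followed by data, then a packet that
# arrives mid-stream with no handshake ever seen by the inline set.
SAMPLE_PACKETS = [
    Packet("10.0.1.10", 40000, "10.0.2.20", 80, SYN),
    Packet("10.0.2.20", 80, "10.0.1.10", 40000, SYN | ACK),
    Packet("10.0.1.10", 40000, "10.0.2.20", 80, ACK),
    Packet("10.0.1.10", 40000, "10.0.2.20", 80, PSH | ACK, payload=120),
    Packet("10.0.3.30", 50000, "10.0.2.20", 443, PSH | ACK, payload=64),
]


def simulate(strict_tcp: bool, tap_mode: bool):
    """Run the sample through an inline set; return (per-packet results, events)."""
    ips = InlineSet(strict_tcp=strict_tcp, tap_mode=tap_mode)
    results = [ips.process(p) for p in SAMPLE_PACKETS]
    return results, ips.events


if __name__ == "__main__":
    for strict, tap in [(True, False), (True, True), (False, False)]:
        results, events = simulate(strict, tap)
        print(f"strict={strict} tap={tap}: {results} {events}")
```

Running the three scenarios shows the difference a practitioner cares about: with Strict TCP Enforcement and TAP Mode off, the fifth packet is dropped; with TAP Mode on, it is forwarded and the event reads “Would have dropped”, which is exactly what you look for in the FMC event view before switching TAP mode off in production.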

Passive

Relies on SPAN or ERSPAN (mirrored) traffic received on the interface. It is, therefore, unable to block or take action on the traffic.

ERSPAN
Upstream or downstream routers that are not directly connected to the NGIPS can deliver SPAN traffic to it by sending ERSPAN; this essentially establishes a GRE tunnel to the appliance and carries the mirrored traffic across it. (This is why a dedicated interface of type ERSPAN must be used.)
Because it relies on GRE, ERSPAN mode is supported only in Routed Mode.

Passive Configuration

You are not likely to encounter ERSPAN requirements for the Lab exam, so the example below is for a Passive Deployment using a regular SPAN port.

Go to Interfaces, enable an interface, and define a Security Zone (not required).

On the switch where the NGIPS is connected, create a SPAN session that mirrors traffic to the NGIPS port.

! Copy traffic from interface Eth0/0 (could also be the traffic of an entire VLAN)
monitor session 1 source interface Et0/0
! Send the mirrored traffic out interface Eth0/1, where the NGIPS is connected
monitor session 1 destination interface Et0/1

The post Introduction to NGIPS appeared first on NBORC.

