Setting Up Hybrid Interfaces
You can configure logical hybrid interfaces on managed devices that allow the FireSIGHT System to bridge traffic between virtual routers and virtual switches. If IP traffic received on interfaces in a virtual switch is addressed to the MAC address of an associated hybrid logical interface, the system handles it as Layer 3 traffic and either routes or responds to the traffic depending on the destination IP address. If the system receives any other traffic, it handles it as Layer 2 traffic and switches it appropriately. You cannot configure logical hybrid interfaces on a virtual managed device or Cisco NGIPS for Blue Coat X-Series.
For more information about setting up hybrid interfaces, see Adding Logical Hybrid Interfaces.
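The Layer 2 / Layer 3 decision described above, modeled as an added example. This is not Cisco code; it is a simplified model that follows only the wording of this page. The MAC and IP values are constructed, and classify_frame and ipv4_frame are hypothetical names.

```python
import ipaddress
import struct

ETH_IPV4, ETH_IPV6, ETH_VLAN = 0x0800, 0x86DD, 0x8100

# Constructed sample values (documentation ranges), not from any real device.
HYBRID_MAC = bytes.fromhex("0200000000aa")
HYBRID_IPS = {ipaddress.ip_address("192.0.2.1")}

def classify_frame(frame, hybrid_mac=HYBRID_MAC, hybrid_ips=HYBRID_IPS):
    """Return 'respond', 'route' or 'switch' for one raw Ethernet frame."""
    if len(frame) < 14:
        return "switch"  # model simplification: truncated frames are not IP
    dst_mac = frame[0:6]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = 14
    if ethertype == ETH_VLAN and len(frame) >= 18:  # skip one 802.1Q tag
        (ethertype,) = struct.unpack("!H", frame[16:18])
        offset = 18
    if dst_mac != hybrid_mac:
        return "switch"  # not addressed to the hybrid interface: Layer 2
    if ethertype == ETH_IPV4 and len(frame) >= offset + 20:
        dst_ip = ipaddress.ip_address(frame[offset + 16:offset + 20])
    elif ethertype == ETH_IPV6 and len(frame) >= offset + 40:
        dst_ip = ipaddress.ip_address(frame[offset + 24:offset + 40])
    else:
        return "switch"  # page wording: anything that is not IP is Layer 2
    # Layer 3: answer traffic for the interface itself, route everything else.
    return "respond" if dst_ip in hybrid_ips else "route"

def ipv4_frame(dst_mac, dst_ip, ethertype=ETH_IPV4):
    """Build a minimal constructed frame: Ethernet header + 20-byte IPv4 header."""
    eth = dst_mac + bytes.fromhex("020000000001") + struct.pack("!H", ethertype)
    ip = (bytes([0x45, 0]) + struct.pack("!H", 20) + bytes(4)
          + bytes([64, 1, 0, 0])
          + ipaddress.ip_address("192.0.2.10").packed
          + ipaddress.ip_address(dst_ip).packed)
    return eth + ip

if __name__ == "__main__":
    other_mac = bytes.fromhex("0200000000bb")
    for mac, ip in [(HYBRID_MAC, "192.0.2.1"), (HYBRID_MAC, "198.51.100.7"),
                    (other_mac, "192.0.2.1")]:
        print(mac.hex(":"), ip, "->", classify_frame(ipv4_frame(mac, ip)))
```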
Adding Logical Hybrid Interfaces
You must associate a logical hybrid interface with a virtual router and virtual switch to bridge traffic between Layer 2 and Layer 3. You can only associate a single hybrid interface with a virtual switch. However, you can associate multiple hybrid interfaces with a virtual router.
You can also configure SFRP on a logical hybrid interface. See Configuring SFRP for more information.
Note that disabling the ICMP Enable Responses option for hybrid interfaces does not prevent ICMP responses in all scenarios. You can add rules to an access control policy to drop packets where the destination IP is the hybrid interface’s IP and the protocol is ICMP; see Controlling Traffic with Network-Based Rules.
If you have enabled the Inspect Local Router Traffic option on the managed device, it drops the packets before they reach the host, thereby preventing any response. For more information about inspecting local router traffic, see Understanding Advanced Device Settings.
To edit an existing hybrid interface, click the edit icon next to the interface.
To add a logical hybrid interface:
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to add the hybrid interface, click the edit icon.
Step 3 From the Add drop-down menu, select Add Logical Interface.
The Add Interface pop-up window appears.
Step 4 Click Hybrid to display the hybrid interface options.
Step 5 In the Name field, type a name for the interface. You can use alphanumeric characters and spaces.
Step 6 From the Virtual Router drop-down list, select an existing virtual router, select None, or select New to add a new virtual router.
Note that if you add a new virtual router, you must configure it on the Device Management page (Devices > Device Management > Virtual Routers) after you finish setting up the hybrid interface. See Adding Virtual Routers.
Step 7 From the Virtual Switch drop-down list, select an existing virtual switch, select None, or select New to add a new virtual switch.
Note that if you add a new virtual switch, you must configure it on the Device Management page (Devices > Device Management > Virtual Switches) after you finish setting up the hybrid interface. See Adding Virtual Switches.
Step 8 Select the Enabled check box to allow the hybrid interface to handle traffic.
If you clear the check box, the interface becomes disabled and administratively taken down.
Step 9 In the MTU field, type a maximum transmission unit (MTU), which designates the largest size packet allowed.
The range within which you can set the MTU can vary depending on the FireSIGHT System device model and the interface type. See MTU Ranges for Managed Devices for more information.
Step 10 Next to ICMP, select the Enable Responses check box to allow the interface to respond to ICMP traffic such as pings and traceroute.
Step 11 Next to IPv6 NDP, select the Enable Router Advertisement check box to enable the interface to broadcast router advertisements.
You can only select this option if you added IPv6 addresses.
Step 12 To add an IP address, click Add .
The Add IP Address pop-up window appears.
Step 13 In the Address field, type the IP address and subnet mask. Note the following:
Step 14 Optionally, if you have IPv6 addresses, next to the IPv6 field, select the Address Autoconfiguration check box to set the IP address of the interface automatically.
Step 15 For Type, select either Normal or SFRP.
For SFRP options, see Configuring SFRP for more information.
Tip To edit an IP address, click the edit icon. To delete an IP address, click the delete icon.
The logical hybrid interface is added. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices.
Deleting Logical Hybrid Interfaces
The following procedure explains how to delete a logical hybrid interface.
Step 1 Select Devices > Device Management.
The Device Management page appears.
Step 2 Next to the device where you want to delete the logical hybrid interface, click the edit icon.
The Interfaces tab for that device appears.
Step 3 Next to the logical hybrid interface you want to delete, click the delete icon.
Step 4 When prompted, confirm that you want to delete the interface.
The interface is deleted. Note that your changes do not take effect until you apply the device configuration; see Applying Changes to Devices.