Getting the Sourcefire Firepower VM working Inline

The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.

Sourcefire Screenshot

There are five deployment modes for a Sourcefire Firepower appliance:

  • Routed
  • Switched
  • Hybrid
  • Inline
  • Passive

Passive and inline modes are the two deployment options for the Virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring. Inline mode allows the appliance to block offending traffic or communications that violates the configured policy. Following the installation guide is straightforward and should allow a security engineer to quickly get this solution up and running.

The first time I ran through this process, I couldn’t get traffic to flow through the inline appliance. After struggling a while, I reconfigured the device into passive mode and spanned some traffic over to it. At first I didn’t see any statistics. After realizing that I also needed to configure VMWare to accept promiscuous mode, I quickly started getting interesting information in the Firesight dashboard.

At this point, a thought occurred to me. What if the Firepower appliance had no layer 2 hooks and forwarded traffic that blindly landed on its interface pairs. In that case, it may need promiscuous ports for inline mode to work. I reconfigured the inline pair and configured VMWare to allow promiscuous mode. It is worth noting that the physical switch ports were not placed into span or monitor mode. After VMWare Promiscuous Acceptmaking the change to the virtual networks, traffic properly flowed through the Firepower Virtual Appliance.


Those deploying Firepower virtual appliance should consider the need to configure the virtual ports to allow promiscuous mode. These port-group settings are found in the global network settings. Changing the applicable port-groups as shown above, along with a permissive access control policy, should allow the traffic to flow through the virtual appliance. The access control policy can be adjusted as necessary to appropriately permit and deny traffic.



Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.

About Paul Stewart, CCIE 26009 (Security)

Paul is a Network and Security Engineer, Trainer and Blogger who enjoys understanding how things really work. With over 15 years of experience in the technology industry, Paul has helped many organizations build, maintain and secure their networks and systems.
This entry was posted in How-To and tagged . Bookmark the permalink.

2 Responses to Getting the Sourcefire Firepower VM working Inline

  1. Ray says:

    Hi Paul,
    I have config service policy redirect to sfr. Firesight virtual appliance can ping sfr. Vswitch is in promiscuous mode. But the firesight dashboard only show no data. How to trouble shoot this issue?

  2. David says:

    Hi Paul,
    i need to learn how to use Firepower and was wondering if you had any suggestions on how i can set up a virtual lab at home?

Comments are closed.