The Sourcefire NGIPS/NGFW solution is a way to quickly get some interesting information about traffic on a network. One of the things I like about the solution is that actionable information is almost immediately available after deployment.
There are five deployment modes for a Sourcefire Firepower appliance:
Passive and inline modes are the two deployment options for the virtual versions of the Firepower appliances. Inline mode provides significant advantages over simple passive monitoring: it allows the appliance to block offending traffic or communications that violate the configured policy. Following the installation guide is straightforward and should allow a security engineer to get this solution up and running quickly.
The first time I ran through this process, I couldn’t get traffic to flow through the inline appliance. After struggling a while, I reconfigured the device into passive mode and spanned some traffic over to it. At first I didn’t see any statistics. After realizing that I also needed to configure VMware to accept promiscuous mode, I quickly started getting interesting information in the FireSIGHT dashboard.
At this point, a thought occurred to me. What if the Firepower appliance had no layer 2 hooks and forwarded traffic that blindly landed on its interface pairs? In that case, it may need promiscuous ports for inline mode to work. I reconfigured the inline pair and configured VMware to allow promiscuous mode. It is worth noting that the physical switch ports were not placed into SPAN or monitor mode. After making the change to the virtual networks, traffic properly flowed through the Firepower Virtual Appliance.
Those deploying the Firepower virtual appliance should consider the need to configure the virtual ports to allow promiscuous mode. These port-group settings are found in the global network settings. Changing the applicable port groups as shown above, along with a permissive access control policy, should allow traffic to flow through the virtual appliance. The access control policy can then be adjusted as necessary to permit and deny traffic appropriately.
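To make the port-group change repeatable and auditable, here is an added VMware PowerCLI example (not from the original post); the vCenter, ESXi host and port-group names are placeholders. It also enables forged transmits and MAC address changes, which the post does not mention but which an inline appliance needs because it transmits frames whose source MAC is not its own, and it overrides the policy on the inline port groups only rather than on the whole vSwitch.

```powershell
# Added example, not part of the original post.
# Assumptions: vCenter/host/port-group names below are placeholders.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.example.local' | Out-Null

$esxHost    = Get-VMHost -Name 'esxi01.example.local'
# The two port groups on either side of the Firepower inline pair.
$inlinePair = @('FP-Inline-A', 'FP-Inline-B')

foreach ($pgName in $inlinePair) {
    $pg     = Get-VirtualPortGroup -VMHost $esxHost -Name $pgName
    $policy = Get-SecurityPolicy -VirtualPortGroup $pg

    # Report the effective policy; a Reject here is usually inherited from the vSwitch.
    Write-Host ('{0}: Promiscuous={1} ForgedTransmits={2} MacChanges={3}' -f `
        $pgName, $policy.AllowPromiscuous, $policy.ForgedTransmits, $policy.MacChanges)

    if (-not ($policy.AllowPromiscuous -and $policy.ForgedTransmits -and $policy.MacChanges)) {
        # Override on the port group only, so other VMs on the same vSwitch
        # do not gain the ability to see each other's traffic.
        $policy | Set-SecurityPolicy -AllowPromiscuous $true `
                                     -ForgedTransmits  $true `
                                     -MacChanges       $true | Out-Null
        Write-Host "$pgName: security policy updated"
    }
}

Disconnect-VIServer -Confirm:$false
```

Run it once before the change to see the inherited Reject values, and again afterwards to confirm only the inline port groups now accept promiscuous traffic.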
Disclaimer: This article includes the independent thoughts, opinions, commentary or technical detail of Paul Stewart. This may or may not reflect the position of past, present or future employers.