Installation guide (page 38)
Chapter 5 Defining IPS Engines
Defining Traffic Inspection Interfaces for IPS Engines
IPS engines pick up passing network traffic for inspection in real time. The traffic can either be
captured for inspection through the engine’s Capture Interfaces, or it can be inspected as it
flows through the engine’s Inline Interfaces. You can define both Capture Interfaces and Inline
Interfaces for the same IPS engine.
An IPS engine can actively filter only traffic that attempts to pass through its Inline Interfaces.
However, it can reset traffic picked up through Capture Interfaces if you set up specific Reset
Interfaces. The Reset Interfaces can send TCP resets and ICMP “destination unreachable”
messages when the communications trigger a response. You can use a system communications
interface for sending resets if the resets are routed correctly through that interface and there
are no VLANs on the interface.
When traffic is inspected, it may be important to know the interface through which it arrives at
the IPS engine. It is also important to be able to distinguish an IPS engine’s Capture Interfaces
from its Inline Interfaces. Logical Interface elements are used for both of these purposes. They
allow you to group together interfaces that belong to the same network segment and to identify
the type of the traffic inspection interface (Capture Interface or Inline Interface).
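The following is an added illustration, not code from the guide or from the IPS product it describes: a small model of how the interface types above constrain what an engine can do with traffic that triggers a response. Traffic on an Inline Interface can be dropped; traffic seen on a Capture Interface has already passed, so the only response is a TCP reset or ICMP "destination unreachable" sent through a Reset Interface (or a system communications interface reused as one) that routes to the destination and carries no VLANs. The interface names, the `has_vlans` flag and the `reachable_networks` sets are constructed for the example.

```python
# Added illustration of IPS interface types; not StoneGate code.
# Interface names, has_vlans and reachable_networks are constructed here.
from collections import defaultdict
from dataclasses import dataclass, field

CAPTURE, INLINE, RESET = "capture", "inline", "reset"


@dataclass
class Interface:
    name: str
    kind: str                        # CAPTURE, INLINE or RESET
    logical: str = ""                # Logical Interface element (network segment)
    has_vlans: bool = False          # a reset path must carry no VLANs
    reachable_networks: set = field(default_factory=set)  # networks resets can be routed to


@dataclass
class Verdict:
    action: str   # "allow", "drop", "reset" or "log-only"
    via: str      # interface the action is carried out on ("" if none)


def usable_for_reset(iface: Interface, dst_net: str) -> bool:
    """A Reset Interface (or a system communications interface reused as one)
    can send resets only if the reset is routed through it and it has no VLANs."""
    return iface.kind == RESET and not iface.has_vlans and dst_net in iface.reachable_networks


def enforce(ingress: Interface, resets: list, dst_net: str, matched: bool) -> Verdict:
    """Decide how the engine responds to a flow seen on `ingress`.
    `matched` is True when inspection found something that requires a response."""
    if not matched:
        return Verdict("allow", ingress.name)
    if ingress.kind == INLINE:
        # Traffic passes through the engine, so it can be filtered actively.
        return Verdict("drop", ingress.name)
    if ingress.kind == CAPTURE:
        # Only a copy of the traffic was captured; the original is already past.
        # The sole possible response is a TCP RST / ICMP unreachable via a reset path.
        for r in resets:
            if usable_for_reset(r, dst_net):
                return Verdict("reset", r.name)
        return Verdict("log-only", "")
    raise ValueError(f"{ingress.name} is not a traffic inspection interface")


def by_logical_interface(interfaces: list) -> dict:
    """Group inspection interfaces by Logical Interface, recording each one's type,
    which is how the engine tells capture from inline per network segment."""
    groups = defaultdict(list)
    for i in interfaces:
        if i.kind in (CAPTURE, INLINE):
            groups[i.logical].append((i.name, i.kind))
    return dict(groups)


def check_reset_coverage(interfaces: list) -> list:
    """Warn about Capture Interfaces when no usable reset path exists at all."""
    resets = [i for i in interfaces
              if i.kind == RESET and not i.has_vlans and i.reachable_networks]
    return [f"{i.name} ({i.logical}): captured traffic can only be logged"
            for i in interfaces if i.kind == CAPTURE and not resets]


# Constructed sample configuration
IFACES = [
    Interface("eth1", CAPTURE, "DMZ-span"),
    Interface("eth2", INLINE, "Internal-inline"),
    Interface("eth3", INLINE, "Internal-inline"),
    Interface("rst0", RESET, reachable_networks={"10.0.1.0/24"}),
    Interface("mgmt0", RESET, has_vlans=True, reachable_networks={"10.0.2.0/24"}),
]
RESETS = [i for i in IFACES if i.kind == RESET]

if __name__ == "__main__":
    print(enforce(IFACES[1], RESETS, "10.0.1.0/24", matched=True))  # drop on eth2
    print(enforce(IFACES[0], RESETS, "10.0.1.0/24", matched=True))  # reset via rst0
    print(enforce(IFACES[0], RESETS, "10.0.2.0/24", matched=True))  # log-only: mgmt0 has VLANs
    print(by_logical_interface(IFACES))
    print(check_reset_coverage([i for i in IFACES if i.name != "rst0"]))
```

The third call is the case worth noticing when planning a deployment: a capture segment whose only reset path is a VLAN-tagged management interface cannot respond at all, so detections there are log-only until a proper Reset Interface exists.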
What’s Next?
• If you want to create both Capture and Inline Interfaces on the same IPS engine, or if you want to create Logical Interfaces to distinguish interfaces from each other, proceed to Defining Logical Interfaces (page 39).
• If you do not want to use an existing system communication interface as the Reset Interface, define the new Reset Interfaces as instructed in Defining Reset Interfaces (page 40).
• To define Capture Interfaces, proceed to Defining Capture Interfaces (page 40).
• To define Inline Interfaces, proceed to Defining Inline Interfaces (page 41).