Installation guide
Chapter 7 Configuring Master Engines and Virtual IPS Engines
4. (Interface for hosted Virtual IPS engine communications only) Define the Physical Interface
properties as explained in the table below.
Table 7.2 Physical Interface Properties for Hosted Virtual IPS Engine Communications
Option: Interface ID
Explanation: The Interface ID automatically maps to a Physical Interface of the same number during the initial configuration of the engine, but the mapping can be changed as necessary through the engine's command line interface. Changes to the Master Engine interface mapping do not affect the Interface IDs that are defined for Virtual IPS engines in Virtual Resource elements.

Option: Type
Explanation: Select Capture Interface or Inline Interface as the Interface Type for hosted Virtual IPS engine communications.

Option: Second Interface ID (Inline Interface only)
Explanation: Select a Second Interface ID for the Inline Interface. The Interface ID is mapped to a Physical Interface during the initial configuration of the engine.

Option: Failure Mode (Inline Interface only)
Explanation: Select how traffic to the Inline Interface is handled if the Virtual IPS engine goes offline. There are two options:
Bypass: traffic is allowed through the Inline Interface without inspection.
Normal: traffic is not allowed through the Inline Interface.
Note! If there are VLAN Interfaces under the Inline Interface, you must select Bypass.
Caution! Using Bypass mode requires the Master Engine appliance to have a fail-open network interface card. If the ports that represent the pair of Inline Interfaces on the appliance cannot fail open, the policy installation fails on the Virtual IPS engine. Bypass mode is not compatible with VLAN re-tagging. In network environments where VLAN re-tagging is used, Normal mode is automatically enforced.

Option: Bypass Unspecified VLANs (Inline Interface only)
Explanation: When this option is selected, traffic from VLANs that are not allocated to any Virtual IPS engine is bypassed without inspection. Deselect this option to make the Master Engine block traffic from VLANs that are not allocated to any Virtual IPS engine. We recommend that you keep this option selected if you do not have a specific reason to deselect it.

Option: Virtual Resource
Explanation: The Virtual Resource associated with the interface. Select the same Virtual Resource in the properties of the Virtual IPS engine element to add the Virtual IPS engine to the Master Engine. Only one Virtual Resource can be selected for each Physical Interface. If you want to add multiple Virtual Resources, add VLAN Interfaces to the Physical Interface and select the Virtual Resource in the VLAN Interface properties as explained in Adding VLAN Interfaces for Master Engines (page 60).

Option: Allow VLAN Definition in Virtual Engine (Optional)
Explanation: Select this option to allow VLAN Interfaces to be added to the automatically created Physical Interfaces in the Virtual IPS engine that is associated with this interface.