10 Replies, latest reply on Mar 13, 2015 10:49 AM by vnippula

    NGF Using IPS role

    juanles

      Hi everybody,

      Is it possible to use bridge VLAN in an NGFW with its IPS role?

      I was looking for some information but I have only found that its interfaces must have the same VLAN ID. As you know, an IPS that uses bridge VLAN needs VLAN pairs, one VLAN for the untrusted traffic and another for the trusted traffic. All the traffic that passes through the IPS is re-tagged if it is approved by the policy in the IPS.

      I hope you can help me.

      Best regards

        • 1. Re: NGF Using IPS role
          Peter M

          Moved from Community Interface Help to Business > Next Generation Firewall for better response.

          ---

          Peter

          Moderator

          • 2. Re: NGF Using IPS role
            lnurmi

            Hi,

            this is possible if you have SMC 5.7 and NGFW 5.7 versions or newer. See the enhancements in v5.7 release notes (McAfee | License Center):

            "VLAN Interface support for IPS engines and Layer 2 Firewalls

            You can now use VLAN Interfaces and re-tag network traffic on IPS engines and Layer 2 Firewalls. The settings are configured in the engine properties."

            So essentially you just configure different VLANs for the individual inline interfaces:

             

            BR,

            Lauri

            • 3. Re: NGF Using IPS role
              juanles

              Hi lnurmi,

              I will review the release notes, thank you a lot for your response.

              Best regards.

              • 4. Re: NGF Using IPS role
                juanles

                Hi lnurmi,

                I've just upgraded the NGF and tried to do the configuration on the inline interface, but when I uploaded the policy I got the following:

                [attached screenshot: 2015-03-04 13_30_57-NGF Using IPS role _ McAfee Communities.png]

                and the configuration at the inline interface is:

                [attached screenshot: 2015-03-04 13_34_38-Windows Server 2008 x64 - VMware Workstation.png]

                I am looking for more information about this kind of configuration; if you have something else, it would be appreciated.

                Best regards

                • 5. Re: NGF Using IPS role
                  thyvarin

                  Hi,

                  What is the NGFW version you are using on this IPS? If you have active support for this IPS engine, I would recommend that you open a Service Request to NGFW support so this can be investigated further based on sginfos etc.

                  BR,

                  Tero

                  • 6. Re: NGF Using IPS role
                    juanles

                    Hi Tero,

                    The version of NGF is 5.8.1 build 12053. I am doing this scenario in a laboratory and then I have to deploy it in a production environment. I don't have active support for this IPS.

                    Best regards.

                    • 7. Re: NGF Using IPS role
                      thyvarin

                      Hi,

                      It does look like this is an issue in a check that the IPS engine does, as we were able to replicate this. If you have valid support for the production IPS engine(s), I would suggest creating an SR to see if we can get a workaround to this issue for you.

                      BR,

                      Tero

                      • 8. Re: NGF Using IPS role
                        juanles

                        Hi Tero,

                        We have made the Active-Standby cluster configuration and in this form the Bridge VLAN works. Is there a way where the Bridge VLAN works in balancing cluster configuration?

                        Thank you a lot for your comments.

                        Best Regards

                        • 9. Re: NGF Using IPS role
                          lnurmi

                          Hi,

                          I believe retagging is not possible with IPS active-active serial cluster. Even if the first online node would not inspect the connection it would still retag the packets. So in your case the first node would retag packets from VLAN 5 to VLAN 50, and when they come to second node for inspection they'd be in VLAN 50, not in VLAN 5 like it would expect.

                          BR,
                          Lauri
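The failure mode Lauri describes above, as an added toy model that is not code from the original thread or from the NGFW product: a node with an inline VLAN pair (untrusted VLAN 5 re-tagged to trusted VLAN 50) passes a frame when it is alone in the data path, but a second identical node wired in series receives the frame already on VLAN 50 and rejects it. `Frame`, `InlineNode` and the `demo_*` functions are assumed names for this illustration.

```python
from dataclasses import dataclass, replace
from typing import List, Optional

# Constructed VLAN IDs matching the thread: untrusted VLAN 5 re-tagged to trusted VLAN 50.
UNTRUSTED_VLAN = 5
TRUSTED_VLAN = 50


@dataclass(frozen=True)
class Frame:
    vlan: int      # 802.1Q VLAN ID currently on the frame
    payload: str


@dataclass
class InlineNode:
    """One IPS engine node with an inline VLAN pair (hypothetical model)."""
    name: str
    untrusted_vlan: int = UNTRUSTED_VLAN
    trusted_vlan: int = TRUSTED_VLAN

    def forward(self, frame: Frame) -> Optional[Frame]:
        # The node only accepts frames arriving on the VLAN configured for its
        # untrusted side; anything else fails the interface check and is dropped.
        if frame.vlan != self.untrusted_vlan:
            return None
        # Re-tagging is applied on the way out whether or not this node is the
        # one inspecting the connection (the point Lauri makes above).
        return replace(frame, vlan=self.trusted_vlan)


def serial_path(nodes: List[InlineNode], frame: Frame) -> Optional[Frame]:
    """Send a frame through nodes wired one after another (active-active serial)."""
    for node in nodes:
        frame = node.forward(frame)
        if frame is None:
            return None
    return frame


def demo_active_standby() -> Optional[Frame]:
    # Only the online node sits in the data path, so the frame is re-tagged once.
    online = InlineNode("node1")
    return serial_path([online], Frame(UNTRUSTED_VLAN, "client->server"))


def demo_active_active_serial() -> Optional[Frame]:
    # Both nodes are in series with the same pair: node1 re-tags 5 -> 50, so node2
    # receives VLAN 50 where it expects VLAN 5 and the frame fails the check.
    nodes = [InlineNode("node1"), InlineNode("node2")]
    return serial_path(nodes, Frame(UNTRUSTED_VLAN, "client->server"))
```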
