2 Replies Latest reply on Jun 3, 2015 12:54 AM by TK45

    What is "IDS monitoring" in the role of IPS only.




      This is a basic question. McAfee NGFW lets you select one of 3 roles: L3FW/VPN, IPS, or L2FW.

      I think the following guide says that the differences in role between IPS and L2FW are basically "IDS monitoring" and "Fail-open interface".



      But I don't understand where to confirm "IDS monitoring" in SMC.

      Does anyone know?




        • 1. Re: What is "IDS monitoring" in the role of IPS only.



          The big difference between FW/VPN and the two other roles, IPS and L2FW, is that the first is a routing device operating on layer 3. It has IP addresses on its interfaces and sits on segment boundaries.


          On the other hand, IPS and L2 firewall are L2 devices, meaning they are not routers, do not have IP addresses (except for management connectivity), and therefore do not constitute a segment border. Also, they do not support features such as VPN or NAT. L2 devices are invisible on the network; to communicating hosts they are as good as a section of UTP cable when everything is working correctly.


          You can see from this difference how deployment of the different roles on a network is quite different.


          "IDS monitoring" refers to capture interfaces on IDS devices. This is a configuration where a switch is configured to copy all or a part of traffic on a segment to a mirror port, which is connected to the IPS. IPS will be able to inspect traffic and raise alerts and blacklists, though it cannot terminate the original connection since only a copy is seen on the device. You can configure this in SMC by creating "capture interface" type physical interfaces in an engine.
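          The switch side of the mirror-port setup described in the reply above, as an added example that is not part of the original post or of McAfee's documentation. It assumes a Cisco IOS switch; the session number, VLAN and interface names are made up for illustration, and the engine side (the "capture interface" in SMC) is still configured in the SMC GUI, not here.

```text
! Constructed example: mirror one server segment to the port where the
! engine's capture interface is cabled. Not McAfee/SMC configuration.
!
! Source: everything on VLAN 10, both directions. Mirroring only one
! direction (rx or tx) would leave the engine seeing half of every
! conversation, and its inspection of the TCP stream would suffer.
monitor session 1 source vlan 10 both
!
! Destination: the switch port cabled to the engine's capture interface.
! A SPAN destination port does not forward normal traffic, so the engine
! cannot inject anything back through it. Blocking, if wanted, has to
! happen somewhere else (an inline pair, or a blacklist pushed to a FW).
monitor session 1 destination interface GigabitEthernet0/24
!
! Optional: narrow the copy to a subset if the destination port would be
! oversubscribed. Once the mirror port saturates, the switch silently
! drops the copy and the IDS misses packets without knowing it.
! monitor session 1 filter vlan 10
!
! Verify with:   show monitor session 1
```

          Two practical checks before trusting alerts from such a setup: confirm that the engine's capture interface has no IP address and is not participating in any inline pair, and compare the byte counters on the SPAN destination port against the source VLAN so that drops under oversubscription are noticed rather than mistaken for quiet hosts.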

          • 2. Re: What is "IDS monitoring" in the role of IPS only.



            Thank you for your comment.

            L2FW can create the capture interface in SMC, I think. So L2FW can also have "IDS monitoring" feature, right?