Configuring protection interfaces

Use the Protection Interfaces page to configure the Protection Mode and the Speed and Duplex mode for each interface.

Before you begin

Important: If your appliance is deployed on a VMware platform, you must perform special configuration tasks. For more information about configuring your virtual appliance, see Configuring the Network Security appliance for VMware.

About this task

Navigating in the Local Management Interface: if you are not configuring your appliance for the first time, click Manage > Protection Interfaces.

Navigating in the SiteProtector™ System: select the Protection Interfaces policy.

Note: By default, no MAC or IP address is associated with protection interfaces on the IBM QRadar Network Security appliance. However, you can assign an IP address to protection interfaces to implement a Network Access Policy rule that requires user authentication or that blocks HTTP traffic.

Procedure

  1. On the Protection Interfaces page, select a protection interface pair, and then click Edit.
  2. Configure the following options:
    Enable
      Enables or disables the protected interface pair.

    Inspection Mode
      Use this setting to determine how the appliance monitors and inspects traffic.
      Note: The default inspection mode is Protection.
      • Protection. The appliance monitors all traffic inline and blocks packets according to how you configured the Network Access Policy rules.
      • Simulation. The appliance monitors traffic inline, but does not block any traffic. Instead, the appliance monitors traffic and provides passive responses.
      • Monitoring. The appliance monitors traffic from a tap, hub, or span (mirror) interface of switches. Interfaces that are configured in Monitoring mode are not paired, and each one can be used to monitor a different network segment.
      Tip: To select or disable high availability (HA) modes, use the High Availability tab on the Protection Interfaces page.

    Maximum Transmission Unit
      The largest packet or frame size that each protection pair accepts. Type a value of 68 - 9216 bytes.
      Note: The default value is 1500, which is the standard Ethernet MTU.
      Larger MTU values can provide greater efficiency for bulk protocol throughput. However, larger MTU values can increase lag and minimum latency.

    Unanalyzed Policy
      Use this setting to determine what happens to network traffic that cannot be fully analyzed.
      • Forward. The appliance performs connection tracking if possible. It continues to discard packets that belong to blocked connections. Other packets are transmitted.
      • Drop. The appliance discards any packets that cannot be fully analyzed.

    Propagate Link
      Use this setting with inline protection interface pairs.
      • Yes. The link on the corresponding inline interface breaks when one of the links is down (such as when a cable is broken or disconnected).
      • No. The link on the corresponding inline interface is left intact when one of the links is down.
      • Auto. The appliance selects the appropriate setting based on the interface mode. In inline modes, link propagation is enabled. In Monitoring mode, link propagation is disabled.

    Hardware Bypass Mode
      Select the mode to allow or to prevent traffic if the appliance fails or is powered off:
      • Auto. In non-HA modes, all traffic is allowed to pass through the appliance (fail open). In HA mode, interface links are closed and traffic is prevented from passing through the appliance (fail closed).
      • Fail Open. Allows all network traffic to pass through the appliance.
      • Fail Closed. Closes the links for the interface pair and prevents any network traffic from passing through the appliance.

    Interface Settings
      Select the link speed and mode for each interface in a protected interface pair.
      • Auto. Allows the two interfaces on a link to select the best common mode automatically, the moment a cable is connected. This setting is the best option for most environments. Exceptions include environments with a switch or other network device that does not support auto-negotiation, or situations where the auto-negotiation process takes too long to establish a link.
      • 10 Mb Full Duplex. Allows information to be transmitted at 10 megabits per second in both directions at the same time.
      • 10 Mb Half Duplex. Allows a device to either transmit or receive at 10 megabits per second, but not at the same time.
      • 100 Mb Full Duplex. Allows information to be transmitted at 100 megabits per second in both directions at the same time.
      • 100 Mb Half Duplex. Allows a device to either transmit or receive at 100 megabits per second, but not at the same time.
      • 1000 Mb Full Duplex. Allows information to be transmitted at 1000 megabits per second in both directions at the same time.
      • 10,000 Mb Full Duplex. Allows information to be transmitted at 10,000 megabits per second in both directions at the same time.

    TCP Resets (Monitoring mode only)
      This setting indicates the interface that is used to inject TCP reset frames to terminate TCP connections in Monitoring mode. The appliance cannot block or reject traffic in Monitoring mode, but it can terminate TCP connections. Select one of the following settings:
      • This interface. The appliance injects the TCP reset frame into the same monitoring interface that received the TCP traffic that triggered an IPS event or that matched a Network Access Policy rule. This option cannot be used if the monitoring interface is connected to a read-only link, such as a read-only tap.
      • TCP reset interface. The appliance injects the TCP reset frame into the management interface that is designated as the TCP Reset interface. You must configure a management interface as the TCP Reset interface on the Management Interfaces page.
      • Disabled. The appliance does not inject any TCP resets for the traffic that is received on this monitoring interface.
      Important: Terminating TCP connections by injecting resets is not guaranteed to be effective in Monitoring mode. To ensure effective blocking, use Protection mode.

    MTU (Maximum Transmission Unit)
      The largest packet or frame size that each protection pair accepts. Type a value of 68 - 9216 bytes.
      Note: The default value is 1500, which is the standard Ethernet MTU.
      Larger MTU values can provide greater efficiency for bulk protocol throughput. However, larger MTU values can increase lag and minimum latency. Larger packets are also more likely to become corrupted.

    IPv4/IPv6 Settings
      This setting provides the IP address that users are redirected to by a Network Access Policy rule that requires user authentication or that blocks HTTP traffic.
      Enter a static IP address that the client network can reach and an appropriate netmask. The gateway is the next hop to the external network (usually this address is the IP address of your router).
      Note: A separate IP configuration is required for IPv4 and IPv6 traffic. Only the type of traffic that is inspected on your network requires a protection pair IP address.
      Select either IPv4 Settings or IPv6 Settings, and then type the appropriate information in each box.
      IPv4 Settings:
      • Address
      • Netmask
      • Gateway
      IPv6 Settings:
      • Address
      • Prefix
      • Gateway
  3. Click Submit.
  4. Optional: If you are configuring your appliance for the first time, click Next Page to configure the next setting.
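The Auto choices on this page resolve differently depending on inspection mode and HA state, and the combination decides whether traffic bypasses inspection when the appliance fails. The following script, added here as an example and not IBM code or the appliance's API, resolves those choices from a settings dictionary (key names are this script's assumptions) and flags the combinations a reviewer would want to see.

```python
# Added example (not IBM's code or API): resolve the effective behaviour of a
# protection interface pair from the settings this page describes and flag
# security-relevant combinations. The dict keys are assumptions of this script.
INLINE_MODES = ("Protection", "Simulation")
MTU_MIN, MTU_MAX = 68, 9216            # accepted MTU range stated on the page


def effective_settings(cfg: dict, ha_enabled: bool = False) -> dict:
    """Return the resolved Auto choices plus a list of review findings."""
    findings = []
    mode = cfg.get("inspection_mode", "Protection")   # page: default mode is Protection
    mtu = cfg.get("mtu", 1500)                         # page: default MTU is 1500
    if not MTU_MIN <= mtu <= MTU_MAX:
        findings.append(f"MTU {mtu} is outside the accepted range {MTU_MIN}-{MTU_MAX}")

    # Propagate Link 'Auto': enabled in inline modes, disabled in Monitoring mode
    prop = cfg.get("propagate_link", "Auto")
    propagate = (mode in INLINE_MODES) if prop == "Auto" else (prop == "Yes")

    # Hardware Bypass 'Auto': fail open in non-HA modes, fail closed in HA mode
    bypass = cfg.get("hardware_bypass", "Auto")
    fail_open = (not ha_enabled) if bypass == "Auto" else (bypass == "Fail Open")
    if mode == "Protection" and fail_open:
        findings.append("pair fails open: traffic bypasses inspection if the appliance fails or loses power")
    if mode == "Simulation":
        findings.append("Simulation mode never blocks; it only provides passive responses")

    # TCP Resets applies to Monitoring mode only, where blocking is impossible
    resets = cfg.get("tcp_resets", "Disabled")
    if mode == "Monitoring":
        if resets == "Disabled":
            findings.append("Monitoring pair cannot terminate TCP connections: TCP Resets disabled")
        elif resets == "This interface" and cfg.get("read_only_link", False):
            findings.append("'This interface' resets cannot be injected on a read-only tap")
    elif "tcp_resets" in cfg:
        findings.append("TCP Resets is ignored outside Monitoring mode")

    # A NAP rule that requires authentication or blocks HTTP needs a pair IP address
    if cfg.get("nap_redirect_rules", False) and not (cfg.get("ipv4") or cfg.get("ipv6")):
        findings.append("redirecting NAP rule configured but no IPv4/IPv6 address on the pair")

    return {"mode": mode, "mtu": mtu, "propagate_link": propagate,
            "fail_open": fail_open, "findings": findings}


if __name__ == "__main__":
    # Constructed sample: an all-default Protection pair on a non-HA appliance
    for line in effective_settings({})["findings"]:
        print("finding:", line)
```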

What to do next

If you are not configuring your appliance for the first time, you must deploy the updated policy for the changes to take effect.