1.2 Implement NGIPS modes Flashcards
What are the four NGIPS interface modes?
Inline Mode, Inline-Tap Mode, Passive Mode, Passive ERSPAN Mode.
What is the key difference between Inline Mode and Inline-Tap Mode?
Inline Mode actively blocks/modifies traffic, while Inline-Tap Mode only logs and alerts without blocking.
Why does Inline Mode not support NAT?
Inline Mode functions transparently and does not modify Layer 3 addressing, making NAT unsupported.
When should you use Passive ERSPAN Mode?
When monitoring traffic remotely without direct Layer 2 connectivity by forwarding mirrored traffic over an IP network.
What happens to traffic if Snort is down and Fail-Open (Down) is enabled?
Traffic is allowed to pass uninspected instead of being dropped.
How do you verify the current Inline Set configuration?
Use the command show inline-set to display the summary of the configuration.
Why must all interfaces related to Asynchronous Traffic be added to an Inline Set?
To ensure NGIPS correctly correlates ingress and egress traffic, preventing packet drops.
What is the primary use case for Passive Mode?
To monitor and detect threats without modifying or blocking live traffic.
What is the main purpose of Passive ERSPAN Mode?
It allows remote traffic monitoring by encapsulating mirrored traffic and forwarding it over an IP network.
Which protocol does ERSPAN use to encapsulate mirrored traffic?
ERSPAN uses GRE (Generic Routing Encapsulation) to transport mirrored traffic over an IP network.
What is a key requirement for ERSPAN Mode to function correctly?
The mirrored traffic must be encapsulated and forwarded over an IP network to NGIPS.
What is the difference between Fail-Open (Busy) and Fail-Open (Down)?
Fail-Open (Busy) allows uninspected traffic if Snort is overloaded, while Fail-Open (Down) allows uninspected traffic if Snort crashes.
Why might you use Inline-Tap Mode instead of Passive Mode?
Inline-Tap Mode allows full inspection of live traffic without enforcing blocking policies, making it useful for security testing and policy evaluation.
What is the key difference between Passive Mode and Inline-Tap Mode?
Passive Mode monitors mirrored traffic and cannot block threats, while Inline-Tap Mode inspects real traffic but does not actively block it.
How does Inline-Tap Mode inspect traffic?
It receives traffic directly (not mirrored) and processes it as if it were Inline Mode but does
Which mode is best for a production environment where security policies need to be tested before enabling blocking?
Inline-Tap Mode is best for testing security policies in a real traffic environment without impacting users.
