IPS Sniffer Mode (SonicWall NSA series appliances)

Supported on SonicWall NSA series appliances, IPS Sniffer Mode is a variation of Layer 2 Bridge Mode that is used for intrusion detection. IPS Sniffer Mode configuration allows an interface on the SonicWall to be connected to a mirrored port on a switch to examine network traffic. Typically, this configuration is used with a switch inside the main gateway to monitor traffic on the intranet.

In Network Using IPS Sniffer Mode Interface, traffic flows into a switch in the local network and is mirrored through a switch mirror port into an IPS Sniffer Mode interface on the SonicWall security appliance. The SonicWall inspects the packets according to the firewall settings configured on the Bridge-Pair. Alerts can trigger SNMP traps, which are sent to the specified SNMP manager via another interface on the SonicWall. The network traffic is discarded after the SonicWall inspects it.

The WAN interface of the SonicWall is used to connect to the SonicWall Data Center for signature updates or other data.

Network Using IPS Sniffer Mode Interface

In IPS Sniffer Mode, a Layer 2 Bridge is configured between two interfaces in the same zone on the SonicWall, such as LAN-LAN or DMZ-DMZ. You can also create a custom zone to use for the Layer 2 Bridge. Only the WAN zone is not appropriate for IPS Sniffer Mode.

The reason for this is that SonicOS detects all signatures on traffic within the same zone, such as LAN-LAN traffic, but some direction-specific (client-side versus server-side) signatures do not apply to some LAN-WAN cases.

Either interface of the Layer 2 Bridge can be connected to the mirrored port on the switch. As network traffic traverses the switch, the traffic is also sent to the mirrored port and from there into the SonicWall for deep packet inspection. Malicious events trigger alerts and log entries, and if SNMP is enabled, SNMP traps are sent to the configured IP address of the SNMP manager system. The traffic does not actually continue to the other interface of the Layer 2 Bridge. IPS Sniffer Mode does not place the SonicWall appliance inline with the network traffic; it only provides a way to inspect the traffic.

The Edit Interfaces dialog from the Network > Interfaces page provides a new check box called Only sniff traffic on this bridge-pair for use when configuring IPS Sniffer Mode. When selected, this check box causes the SonicWall to inspect all packets that arrive on the L2 Bridge from the mirrored switch port. The Never route traffic on this bridge-pair check box should also be selected for IPS Sniffer Mode to ensure that the traffic from the mirrored switch port is not sent back out onto the network. (The Never route traffic on this bridge-pair setting is known as Captive-Bridge Mode.)
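The rules above (two different interfaces in the same non-WAN zone, with both "Only sniff traffic on this bridge-pair" and "Never route traffic on this bridge-pair" selected) are easy to get wrong when a bridge-pair is edited later. The following added example, which is not SonicWall code, encodes those rules as a checker over a hypothetical in-memory model of a bridge-pair; the `Interface` and `BridgePair` classes and the sample pairs are constructed for illustration and are not the appliance's configuration export format.

```python
from dataclasses import dataclass


# Hypothetical model of an L2 bridge-pair: only the fields needed to express
# the IPS Sniffer Mode rules, not SonicOS's real configuration schema.
@dataclass(frozen=True)
class Interface:
    name: str  # e.g. "X2"
    zone: str  # e.g. "LAN", "DMZ", "WAN" or a custom zone name


@dataclass(frozen=True)
class BridgePair:
    primary: Interface
    secondary: Interface
    only_sniff: bool   # "Only sniff traffic on this bridge-pair" check box
    never_route: bool  # "Never route traffic on this bridge-pair" (Captive-Bridge Mode)


def check_ips_sniffer_pair(pair: BridgePair) -> list[str]:
    """Return the list of rule violations; an empty list means the pair is sound."""
    findings: list[str] = []
    a, b = pair.primary, pair.secondary

    if a.name == b.name:
        findings.append(f"bridge-pair needs two different interfaces, got {a.name} twice")

    # Both interfaces of the Layer 2 Bridge must sit in the same zone (LAN-LAN, DMZ-DMZ, custom-custom).
    if a.zone != b.zone:
        findings.append(
            f"interfaces must be in the same zone ({a.name} is {a.zone}, {b.name} is {b.zone})"
        )

    # The WAN zone is the one zone not appropriate for IPS Sniffer Mode.
    for iface in (a, b):
        if iface.zone.upper() == "WAN":
            findings.append(f"{iface.name} is in the WAN zone, which is not appropriate for IPS Sniffer Mode")

    if not pair.only_sniff:
        findings.append("'Only sniff traffic on this bridge-pair' is not selected; mirrored packets are not inspected as sniffer traffic")

    # Without Captive-Bridge Mode the mirrored traffic could be forwarded back out onto the network.
    if not pair.never_route:
        findings.append("'Never route traffic on this bridge-pair' is not selected; mirrored traffic could be sent back onto the network")

    return findings


def sample_good_pair() -> BridgePair:
    # Constructed example: X2 and X3 both in LAN, one of them cabled to the switch mirror port.
    return BridgePair(Interface("X2", "LAN"), Interface("X3", "LAN"), only_sniff=True, never_route=True)


def sample_bad_pair() -> BridgePair:
    # Constructed misconfiguration: crosses zones into WAN and leaves routing enabled.
    return BridgePair(Interface("X2", "DMZ"), Interface("X1", "WAN"), only_sniff=True, never_route=False)


if __name__ == "__main__":
    for label, pair in (("good", sample_good_pair()), ("bad", sample_bad_pair())):
        problems = check_ips_sniffer_pair(pair)
        print(f"{label}: {'OK' if not problems else ''}")
        for p in problems:
            print(f"  - {p}")
```

Run as a script it prints no findings for the first pair and three for the second (zone mismatch, WAN zone, routing still enabled); the same function can be pointed at any set of bridge-pairs pulled from your own configuration records.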

For detailed instructions on configuring interfaces in IPS Sniffer Mode, see Configuring IPS Sniffer Mode (SonicWall NSA Series Appliances).