Configuring IPS Sniffer Mode

To configure the firewall for IPS Sniffer Mode, you will use two interfaces in the same zone for the L2 Bridge-Pair. You can use any interfaces except the WAN interface. For this example, we will use X2 and X3 for the Bridge-Pair, and configure them to be in the LAN zone. The WAN interface (X1) is used by the firewall for access to the firewall Data Center as needed. The mirrored port on the switch will connect to one of the interfaces in the Bridge-Pair.

Topics:

•	Configuration Task List for IPS Sniffer Mode

•	Configuring the Primary Bridge Interface

•	Configuring the Secondary Bridge Interface

•	Enabling and Configuring SNMP

•	Configuring Security Services (Unified Threat Management)

•	Configuring Logging

•	Connecting the Mirrored Switch Port to a IPS Sniffer Mode Interface

•	Connecting and Configuring the WAN Interface to the Data Center

Configuration Task List for IPS Sniffer Mode

•	Configure the Primary Bridge Interface

•	Select LAN as the Zone for the Primary Bridge Interface

•	Assign a static IP address

•	Configure the Secondary Bridge Interface

•	Select LAN as the Zone for the Secondary Bridge Interface

•	Enable the L2 Bridge to the Primary Bridge interface

•	Enable SNMP and configure the IP address of the SNMP manager system where traps can be sent

•	Configure Security Services (UTM) for LAN traffic

•	Configure logging alert settings to “Alert” or below

•	Connect the mirrored port on the switch to either one of the interfaces in the Bridge-Pair

•	Connect and configure the WAN to allow access to dynamic signature data over the Internet

Configuring the Primary Bridge Interface

1	Select the Network tab, Interfaces folder from the navigation panel.

2	Click the Configure icon in the right column of interface X2.

3	In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list.

NOTE: You do not need to configure settings on the Advanced or VLAN Filtering tabs.

4	For IP Assignment, select Static from the drop-down list.

5	Configure the interface with a static IP Address (for example, 10.1.2.3). The IP address you choose should not collide with any of the networks that are seen by the switch.

NOTE: The Primary Bridge Interface must have a static IP assignment.

6	Configure the Subnet Mask.

7	Type in a descriptive comment.

8	Select management options for the interface (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).

9

Click OK.

Configuring the Secondary Bridge Interface

Our example continues with X3 as the secondary bridge interface.

1	Select the Network tab, Interfaces folder from the navigation panel.

2	Click the Configure icon in the right column of the X3 interface.

3	In the Edit Interface dialog box on the General tab, select LAN from the Zone drop-down list.

NOTE: You do not need to configure settings on the Advanced or VLAN Filtering tabs.

4	In the IP Assignment drop-down list, select Layer 2 Bridged Mode.

5	In the Bridged to drop-down list, select the X2 interface.

6	Do not enable the Block all non-IPv4 traffic setting if you want to monitor non-IPv4 traffic.

7	Select Never route traffic on this bridge-pair to ensure that the traffic from the mirrored switch port is not sent back out onto the network.

8	Select Only sniff traffic on this bridge-pair to enable sniffing or monitoring of packets that arrive on the L2 Bridge from the mirrored switch port.

9	Select Disable stateful-inspection on this bridge-pair to exempt these interfaces from stateful high availability inspection. If Deep Packet Inspection services are enabled for these interfaces, the DPI services will continue to be applied.

10	Configure management (HTTP, HTTPS, Ping, SNMP, SSH, User Logins, HTTP Redirects).

11

Click OK.

Enabling and Configuring SNMP

When SNMP is enabled, SNMP traps are automatically triggered for many events that are generated by SonicWALL Security Services such as Intrusion Prevention and Gateway Anti-Virus.

More than 50 IPS and GAV events currently trigger SNMP traps. The SonicOS Log Event Reference Guide contains a list of events that are logged by SonicOS, and includes the SNMP trap number where applicable. The guide is available online at http://www.sonicwall.com/us/Support.html by typing Log Event into the Search field at the top of the page.

To determine the traps that are possible when using IPS Sniffer Mode with Intrusion Prevention enabled, search for Intrusion in the table found in the Index of Log Event Messages section in the SonicOS Log Event Reference Guide. The SNMP trap number, if available for that event, is printed in the SNMP Trap Type column of the table.

To determine the possible traps with Gateway Anti-Virus enabled, search the table for Security Services, and view the SNMP trap number in the SNMP Trap Type column.

To enable and configure SNMP:

1	Navigate to the System > SNMP page.

2	Select Enable SNMP.

3	Click Accept. The Configure icon becomes active and the View, User/Group, and Access sections are displayed.

4	Click Configure. The SNMP Settings dialog box is displayed.

5	In the SNMP Settings dialog box, for System Name, type the name of the SNMP manager system that will receive the traps sent from the firewall.

6	Enter the name or email address of the contact person for the SNMP Contact

7	Enter a description of the system location, such as “3rd floor lab”.

8	Enter the system’s asset number.

9	For Get Community Name, type the community name that has permissions to retrieve SNMP information from the firewall, for example, public.

10	For Trap Community Name, type the community name that will be used to send SNMP traps from the firewall to the SNMP manager, for example, public.

11	For the Host fields, type in the IP address(es) of the SNMP manager system(s) that will receive the traps.

12

Click OK.