Configuring Wire and Tap Mode

 

• Configuring an Interface for Wire Mode
• Configuring Wire Mode for a WAN/LAN Zone Pair
• Configuring Wire Mode with Link Aggregation

SonicOS supports Wire Mode and Tap Mode, which provide methods of non-disruptive, incremental insertion into networks. Wire and Tap Mode Settings describe the wire and tap modes.

Wire and Tap Mode Settings

Wire Mode Settings	Description
Bypass Mode	Bypass Mode allows for the quick and relatively non-interruptive introduction of appliance hardware into a network. Upon selecting a point of insertion into a network (for example, between a core switch and a perimeter appliance, in front of a VM server farm, at a transition point between data classification domains), the appliance is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the appliance are used to forward all packets across segments at full line rates, with all the packets remaining on the appliance’s 240Gbps switch fabric rather than getting passed up to the multi-core inspection and enforcement path. While Bypass Mode does not offer any inspection or firewalling, this mode allows you to physically introduce the appliance into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. You can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration.
Inspect Mode	Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the appliance’s switch fabric, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the appliance’s Application Intelligence and threat detection capabilities without any actual intermediate processing.
Secure Mode	Secure Mode is the progression of Inspect Mode, actively interposing the appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full-set of capabilities, including Application Intelligence and Control, Intrusion Prevention, Gateway Anti-Virus and Cloud Gateway Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridged Mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs. Secure mode should be used when creating wire-mode pairs for VLAN translation.
Tap Mode	Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream through a single switch port on the appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps.

Wire modes: Functional differences summarizes the key functional differences between modes of interface configuration:

Wire Modes: Functional Differences

Interface Configuration	Bypass Mode	Inspect Mode	Secure Mode	Tap Mode	L2 Bridge, Transparent, NAT, Route Modes
Active/Active Clustering1 a These functions or services are unavailable on interfaces configured in Wire Mode, but remain available on a system-wide level for any interfaces configured in other compatible modes of operationb Not available in L2 Bridged Mode.c Link State Propagation is a feature whereby interfaces in a Wire Mode pair mirror the link-state triggered by transitions of their partners. This is essential to proper operations in redundant path networks. Link State Propagation is not supported in Wire Mode over VLAN interfaces.d Disabled by design in Wire Mode to allow for failover events occurring elsewhere on the network to be supported when multiple Wire Mode paths, or when multiple firewall units are in use along redundant or asymmetric paths.e VLAN Translation is not supported in Wire Mode over VLAN interfaces.	No	No	No	No	Yes
Application Control	No	No	Yes	No	Yes
Application Visibility	No	Yes	Yes	Yes	Yes
ARP/Routing/NATa	No	No	No	No	Yes
Comprehensive Anti-Spam Servicea	No	No	No	No	Yes
Content Filtering	No	No	Yes	No	Yes
DHCP Servera	No	No	No	No	Yesb
DPI Detection	No	Yes	Yes	Yes	Yes
DPI Prevention	No	No	Yes	No	Yes
DPI-SSLa	No	No	Yes	No	Yes
High-Availability	Yes	Yes	Yes	Yes	Yes
Link-State Propagationc	Yes	Yes	Yes	No	No
Stateful Packet Inspection	No	Yes	Yes	Yes	Yes
TCP Handshake Enforcementd	No	No	No	No	Yes
Virtual Groupsa	No	No	No	No	Yes
VLAN Translatione	No	No	Yes	No	No

When operating in Wire Mode, the firewall’s dedicated Management interface is used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire Mode interfaces) must be configured for Internet connectivity. This is easily done given that SonicOS supports interfaces in mixed-modes of almost any combination.