SonicOS 7 System

Configuring Wire and Tap Mode

SonicOS supports Wire Mode and Tap Mode, which provide methods of non-disruptive, incremental insertion into networks. The Wire and Tap Mode Settings table describes the wire and tap modes.

Wire and Tap Mode Settings

| Wire Mode Settings | Description |
|---|---|
| Bypass Mode | Bypass Mode allows for the quick and relatively non-interruptive introduction of appliance hardware into a network. Upon selecting a point of insertion into a network (for example, between a core switch and a perimeter appliance, in front of a VM server farm, at a transition point between data classification domains), the appliance is inserted into the physical data path, requiring a very short maintenance window. One or more pairs of switch ports on the appliance are used to forward all packets across segments at full line rates, with all the packets remaining on the appliance’s 240Gbps switch fabric rather than getting passed up to the multi-core inspection and enforcement path. While Bypass Mode does not offer any inspection or firewalling, this mode allows you to physically introduce the appliance into the network with a minimum of downtime and risk, and to obtain a level of comfort with the newly inserted component of the networking and security infrastructure. You can then transition from Bypass Mode to Inspect or Secure Mode instantaneously through a simple user-interface driven reconfiguration. |
| Inspect Mode | Inspect Mode extends Bypass Mode without functionally altering the low-risk, zero-latency packet path. Packets continue to pass through the appliance’s switch fabric, but they are also mirrored to the multi-core RF-DPI engine for the purposes of passive inspection, classification, and flow reporting. This reveals the appliance’s Application Intelligence and threat detection capabilities without any actual intermediate processing. |
| Secure Mode | Secure Mode is the progression of Inspect Mode, actively interposing the appliance’s multi-core processors into the packet processing path. This unleashes the inspection and policy engines’ full set of capabilities, including Application Intelligence and Control, Intrusion Prevention, Gateway Anti-Virus and Cloud Gateway Anti-Virus, Anti-Spyware, and Content Filtering. Secure Mode affords the same level of visibility and enforcement as conventional NAT or L2 Bridged Mode deployments, but without any L3/L4 transformations, and with no alterations of ARP or routing behavior. Secure Mode thus provides an incrementally attainable NGFW deployment requiring no logical and only minimal physical changes to existing network designs. Secure Mode should be used when creating wire-mode pairs for VLAN translation. |
| Tap Mode | Tap Mode provides the same visibility as Inspect Mode, but differs from the latter in that it ingests a mirrored packet stream through a single switch port on the appliance, eliminating the need for physically intermediated insertion. Tap Mode is designed for use in environments employing network taps, smart taps, port mirrors, or SPAN ports to deliver packets to external devices for inspection or collection. Like all other forms of Wire Mode, Tap Mode can operate on multiple concurrent port instances, supporting discrete streams from multiple taps. |

The Wire Modes: Functional Differences table summarizes the key functional differences between modes of interface configuration:

Wire Modes: Functional Differences

| Interface Configuration | Bypass Mode | Inspect Mode | Secure Mode | Tap Mode | L2 Bridge, Transparent, NAT, Route Modes |
|---|---|---|---|---|---|
| Active/Active Clustering (1) | No | No | No | No | Yes |
| Application Control | No | No | Yes | No | Yes |
| Application Visibility | No | Yes | Yes | Yes | Yes |
| ARP/Routing/NAT (a) | No | No | No | No | Yes |
| Comprehensive Anti-Spam Service (a) | No | No | No | No | Yes |
| Content Filtering | No | No | Yes | No | Yes |
| DHCP Server (a) | No | No | No | No | Yes (b) |
| DPI Detection | No | Yes | Yes | Yes | Yes |
| DPI Prevention | No | No | Yes | No | Yes |
| DPI-SSL (a) | No | No | Yes | No | Yes |
| High-Availability | Yes | Yes | Yes | Yes | Yes |
| Link-State Propagation (c) | Yes | Yes | Yes | No | No |
| Stateful Packet Inspection | No | Yes | Yes | Yes | Yes |
| TCP Handshake Enforcement (d) | No | No | No | No | Yes |
| Virtual Groups (a) | No | No | No | No | Yes |
| VLAN Translation (e) | No | No | Yes | No | No |

When operating in Wire Mode, the firewall’s dedicated Management interface is used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire Mode interfaces) must be configured for Internet connectivity. This is easily done because SonicOS supports interfaces in mixed modes of almost any combination.
