Deployment options for FlexEdge Secure SD-WAN Engines

There are several ways to deploy Secure SD-WAN Engines depending on how you want to inspect and respond to traffic.

Table 1. Deployment options for Secure SD-WAN

Engine/VPN role

  Layer 3 deployment only: Secure SD-WAN Engines in the Engine/VPN role have only Layer 3 Physical Interfaces. The Secure SD-WAN Engines provide only the features and traffic inspection that are available for Secure SD-WAN Engines in the Engine/VPN role.

  Multi-layer deployment: Secure SD-WAN Engines in the Engine/VPN role have both Layer 2 Physical Interfaces and Layer 3 Physical Interfaces. Layer 2 Physical Interfaces on Secure SD-WAN Engines in the Engine/VPN role allow the engine to provide the same kind of traffic inspection that is available for Secure SD-WAN Engines in the IPS and Layer 2 Engine roles. The Secure SD-WAN Engine also supports the features and traffic inspection that are available for Secure SD-WAN Engines in the Engine/VPN role.

  Note: Multi-layer deployment requires advanced configuration that is outside the scope of this guide. For configuration steps, see the Forcepoint FlexEdge Secure SD-WAN Product Guide.

IPS role

  Inline: The traffic flows through the IPS engine. The IPS engine has full control over the traffic flow and can automatically block any traffic. An inline IPS engine can also enforce block listing commands from other components. Fail-open network cards can ensure that traffic flow is not disrupted when the IPS engine is offline. An inline IPS engine also provides access control and logging for any Ethernet traffic (layer 2).

  Capture: External equipment duplicates the traffic flow for inspection, and the IPS engine passively monitors traffic. The IPS engine does not have direct control over the traffic flow, but it can respond to selected threats by sending packets that reset the connections. An IDS-only IPS engine can send block listing requests to other IPS engines, Layer 2 Engines, or Engines, but it cannot enforce block listing requests from other components.

Layer 2 Engine role

  Inline: The traffic flows through the Layer 2 Engine. The Layer 2 Engine has full control over the traffic flow and can automatically block any traffic. An inline Layer 2 Engine can also enforce block listing commands received from other components. An inline Layer 2 Engine also provides access control and logging for any Ethernet traffic (layer 2).

  Capture (Passive Engine): In a Capture (Passive Engine) installation, external equipment duplicates the traffic flow for inspection to the Layer 2 Engine, and the Layer 2 Engine passively monitors traffic. The Layer 2 Engine does not have direct control over the traffic flow, but it can respond to selected threats by sending packets that reset the connections. A Layer 2 Engine in Passive Engine mode can send block listing requests to other Layer 2 Engines, IPS engines, or Engines. It cannot enforce block listing requests from other components.

  Passive Inline: In a Passive Inline installation, the traffic flows through the Layer 2 Engine, but the Layer 2 Engine only logs connections. A Layer 2 Engine in Passive Inline mode can send block listing requests to other Layer 2 Engines, IPS engines, or Engines. It cannot enforce block listing requests from other components.

There are two ways to connect Capture Interfaces on Engines, IPS engines, and Layer 2 Engines to your networks to capture network traffic.

Table 2. Network connection options for Capture Interfaces

  Switched Port Analyzer (SPAN) port: A SPAN port copies network traffic to a defined port on an external switch. This action is also known as port mirroring. The capturing is passive, so it does not interfere with the traffic. All traffic to be monitored must be copied to this SPAN port.

  Network Test Access Port (TAP): A network TAP is a passive device placed on the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are divided onto separate wires. For this reason, the IPS engine or Layer 2 Engine needs two capture interfaces for a network TAP: one capture interface for each direction of the traffic. The two related capture interfaces must have the same logical interface, which combines the traffic of these two interfaces for inspection. You could also use the pair of capture interfaces to monitor traffic from two separate network devices.
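The following added example illustrates why the two capture interfaces attached to a network TAP must share one logical interface. It is not Forcepoint code and does not use the product's configuration format; the interface names (eth1, eth2), the logical interface names, and the packet records are constructed for the illustration. It reassembles packets from two physical capture interfaces into flows, keyed by the logical interface, and shows that when each TAP direction is mapped to a different logical interface the inspection engine sees only one direction of every connection. It also includes a small configuration check that flags TAP pairs whose interfaces are not mapped to the same logical interface.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal packet record as seen on a physical capture interface (constructed)."""
    capture_iface: str   # physical capture interface the packet arrived on
    src: str
    sport: int
    dst: str
    dport: int
    length: int


# Constructed sample: one TLS connection from a client to a server, captured via a
# network TAP. The TAP puts client->server bytes on eth1 and server->client bytes on eth2.
SAMPLE_PACKETS = [
    Packet("eth1", "10.0.0.5", 51000, "203.0.113.10", 443, 74),     # SYN
    Packet("eth2", "203.0.113.10", 443, "10.0.0.5", 51000, 74),     # SYN/ACK
    Packet("eth1", "10.0.0.5", 51000, "203.0.113.10", 443, 66),     # ACK
    Packet("eth1", "10.0.0.5", 51000, "203.0.113.10", 443, 583),    # ClientHello
    Packet("eth2", "203.0.113.10", 443, "10.0.0.5", 51000, 1514),   # ServerHello
]

# Hypothetical interface-to-logical-interface mappings.
# Correct: both TAP directions feed the same logical interface.
TAP_LOGICAL = {"eth1": "Logical-TAP", "eth2": "Logical-TAP"}
# Misconfigured: each direction lands on its own logical interface.
SPLIT_LOGICAL = {"eth1": "Logical-A", "eth2": "Logical-B"}


def flow_key(pkt):
    """Direction-independent 5-tuple-style key so both halves of a connection match."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)


def assemble_flows(packets, iface_to_logical):
    """Group packets into flows. Flows are scoped by logical interface, as the inspection
    engine only combines traffic that arrives on the same logical interface."""
    flows = defaultdict(lambda: {"directions": set(), "packets": 0, "bytes": 0})
    for p in packets:
        logical = iface_to_logical[p.capture_iface]
        f = flows[(logical,) + flow_key(p)]
        f["directions"].add((p.src, p.dst))
        f["packets"] += 1
        f["bytes"] += p.length
    return dict(flows)


def bidirectional_flows(flows):
    """Flows for which the engine has seen both directions (inspectable as a connection)."""
    return {k for k, v in flows.items() if len(v["directions"]) == 2}


def check_tap_pairing(iface_to_logical, tap_pairs):
    """Return the TAP interface pairs that are not mapped to one logical interface.
    An empty list means every TAP is configured so that both directions are combined."""
    return [pair for pair in tap_pairs
            if iface_to_logical.get(pair[0]) != iface_to_logical.get(pair[1])]


if __name__ == "__main__":
    good = assemble_flows(SAMPLE_PACKETS, TAP_LOGICAL)
    bad = assemble_flows(SAMPLE_PACKETS, SPLIT_LOGICAL)
    print("shared logical interface:", len(good), "flow(s),",
          len(bidirectional_flows(good)), "bidirectional")
    print("split logical interfaces:", len(bad), "flow(s),",
          len(bidirectional_flows(bad)), "bidirectional")
    print("misconfigured TAP pairs:", check_tap_pairing(SPLIT_LOGICAL, [("eth1", "eth2")]))
```

With the shared mapping the five packets collapse into one flow carrying both directions (2311 bytes), so the engine can inspect the full handshake. With the split mapping the same packets produce two half-flows, neither of which contains a complete exchange. The pairing check is the kind of sanity test worth running on a configuration before a passive deployment goes live, since a TAP wired to two different logical interfaces silently halves what the engine can inspect rather than failing visibly.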