Deployment options for Forcepoint NGFW Engines

There are several ways to deploy Forcepoint NGFW Engines depending on how you want to inspect and respond to traffic.

Table 1. Deployment options for Forcepoint NGFW

Forcepoint NGFW role: Firewall/VPN
Deployment type: Layer 3 deployment only
Description: NGFW Engines in the Firewall/VPN role have only Layer 3 Physical Interfaces. The NGFW Engines provide only the features and traffic inspection that are available for NGFW Engines in the Firewall/VPN role.

Forcepoint NGFW role: Firewall/VPN
Deployment type: Multi-layer deployment
Description: NGFW Engines in the Firewall/VPN role have both Layer 2 Physical Interfaces and Layer 3 Physical Interfaces. Layer 2 Physical Interfaces on NGFW Engines in the Firewall/VPN role allow the engine to provide the same kind of traffic inspection that is available for NGFW Engines in the IPS and Layer 2 Firewall roles. The NGFW Engine also supports the features and traffic inspection that are available for NGFW Engines in the Firewall/VPN role.
Note: Multi-layer deployment requires advanced configuration that is outside the scope of this guide. For configuration steps, see the Forcepoint Next Generation Firewall Product Guide.

Forcepoint NGFW role: IPS
Deployment type: Inline
Description: The traffic flows through the IPS engine. The IPS engine has full control over the traffic flow and can automatically block any traffic. An inline IPS engine can also enforce block listing commands from other components. Fail-open network cards can ensure that traffic flow is not disrupted when the IPS engine is offline. An inline IPS engine also provides access control and logging for any Ethernet traffic (layer 2).

Forcepoint NGFW role: IPS
Deployment type: Capture
Description: External equipment duplicates the traffic flow for inspection, and the IPS engine passively monitors traffic. The IPS engine does not have direct control over the traffic flow, but it can respond to selected threats by sending packets that reset the connections. An IDS-only IPS engine can send block listing requests to other IPS engines, Layer 2 Firewalls, or Firewalls, but it cannot enforce block listing requests from other components.

Forcepoint NGFW role: Layer 2 Firewall
Deployment type: Inline
Description: The traffic flows through the Layer 2 Firewall. The Layer 2 Firewall has full control over the traffic flow and can automatically block any traffic. An inline Layer 2 Firewall can also enforce block listing commands received from other components. An inline Layer 2 Firewall also provides access control and logging for any Ethernet traffic (layer 2).

Forcepoint NGFW role: Layer 2 Firewall
Deployment type: Capture (Passive Firewall)
Description: In a Capture (Passive Firewall) installation, external equipment duplicates the traffic flow for inspection to the Layer 2 Firewall, and the Layer 2 Firewall passively monitors traffic. The Layer 2 Firewall does not have direct control over the traffic flow, but it can respond to selected threats by sending packets that reset the connections. A Layer 2 Firewall in Passive Firewall mode can send block listing requests to other Layer 2 Firewalls, IPS engines, or Firewalls. It cannot enforce block listing requests from other components.

Forcepoint NGFW role: Layer 2 Firewall
Deployment type: Passive Inline
Description: In a Passive Inline installation, the traffic flows through the Layer 2 Firewall, but the Layer 2 Firewall only logs connections. A Layer 2 Firewall in Passive Inline mode can send block listing requests to other Layer 2 Firewalls, IPS engines, or Firewalls. It cannot enforce block listing requests from other components.

There are two ways to connect Capture Interfaces on Firewalls, IPS engines, and Layer 2 Firewalls to your networks to capture network traffic.

Table 2. Network connection options for Capture Interfaces

Option: Switched Port Analyzer (SPAN) port
Description: A SPAN port copies network traffic to a defined port on an external switch. This is also known as port mirroring. The capturing is passive, so it does not interfere with the traffic. All traffic to be monitored must be copied to this SPAN port.

Option: Network Test Access Port (TAP)
Description: A network TAP is a passive device inserted on the network wire between network devices. The capturing is done passively, so it does not interfere with the traffic. With a network TAP, the two directions of the network traffic are split onto separate wires. For this reason, the IPS engine or Layer 2 Firewall needs two Capture Interfaces for a network TAP, one Capture Interface for each direction of the traffic. The two related Capture Interfaces must be assigned the same Logical Interface, which combines the traffic of these two interfaces for inspection. You can also use the pair of Capture Interfaces to monitor traffic on two separate network devices.
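As an added illustration (not from the Forcepoint guide), the Python below models why the two Capture Interfaces of a TAP must share one Logical Interface: each TAP leg carries only one direction of the traffic, so a connection is only complete once packets from both legs are merged under a direction-independent flow key. The packets, addresses and interface names are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    ts: float      # capture timestamp in seconds
    src: str
    sport: int
    dst: str
    dport: int
    iface: str     # Capture Interface the packet arrived on

def flow_key(pkt):
    """Direction-independent 5-tuple key so A->B and B->A share one flow."""
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (a, b) if a <= b else (b, a)

def merge_flows(*captures):
    """Interleave packets from any number of Capture Interfaces by timestamp
    and group them into bidirectional flows: {key: {"packets": n, "ifaces": set}}."""
    merged = sorted((p for cap in captures for p in cap), key=lambda p: p.ts)
    flows = defaultdict(lambda: {"packets": 0, "ifaces": set()})
    for p in merged:
        flows[flow_key(p)]["packets"] += 1
        flows[flow_key(p)]["ifaces"].add(p.iface)
    return dict(flows)

def one_sided_flows(flows):
    """Flows seen on only one interface: what the engine would get if the two
    TAP legs were not combined into a single Logical Interface."""
    return [k for k, v in flows.items() if len(v["ifaces"]) == 1]

# Constructed sample: client->server packets arrive on "cap0", the TAP's other
# leg delivers server->client packets on "cap1". Addresses are made up.
TAP_A_TO_B = [
    Packet(1.000, "10.0.0.5", 51000, "192.0.2.10", 443, "cap0"),  # SYN
    Packet(1.002, "10.0.0.5", 51000, "192.0.2.10", 443, "cap0"),  # ACK
]
TAP_B_TO_A = [
    Packet(1.001, "192.0.2.10", 443, "10.0.0.5", 51000, "cap1"),  # SYN/ACK
    Packet(1.010, "192.0.2.10", 443, "10.0.0.5", 51000, "cap1"),  # data
]

if __name__ == "__main__":
    both = merge_flows(TAP_A_TO_B, TAP_B_TO_A)
    print("combined:", both)                       # one flow, 4 packets, 2 ifaces
    print("one leg only:", one_sided_flows(merge_flows(TAP_A_TO_B)))
```

Feeding only one leg into `merge_flows` leaves every flow one-sided, which is the situation an inspection engine would be in if the two Capture Interfaces were mapped to different Logical Interfaces.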