I've got a 5.x sensor sitting on the public side of the network. The first two interfaces are paired and assigned to the virtual sensor (vs0). On the "inside" interface 0 is my firewall and proxy servers. On the "outside" interface 1 is my Internet router.
The firewall has a dmz interface to a switch. I have a web server in there. Here I have my 2nd pair. Dmz interface to interface 2, then interface 3 to the switch. This pair is also assigned to the virtual sensor (vs0).
Everything was working great, but then I realized that I could not get to the web server from my proxy server. I took the dmz pair out of vs0, and still couldn't. But if I put the sensor into bypass mode, then I can access my web server fine.
Both the proxy server and the sensor are using my Interner router as the default gateway. My thoughts are that routing is being affected by the sensor sitting in the middle. Maybe the proxy is sending traffic through the sensor to the router, the router is sending back, and repeat. I can't find any indication in the sensor's Event Viewer that a signature is blocking this.
All sensor ports run in Layer-2 mode, and the box itself does not have any capability to influence routing. All it does is to filter/inspect traffic content.
If traffic from Proxysvr to the Websvr is routed/bounced back by router to the DMZ segment, then this might trigger certain rules/signatures.
There are certain signatures that by default, will deny traffic from passing through. This is probably why when you set it to bypass (no inspection) mode, the traffic can flow freely. The bypass mode is used to ensure packets can continue to flow through when the sensor's processes are temporarily stopped for upgrades or when the sensor's monitoring processes fail.
You don't mention whether NAT is being used on the firewall. If not, your proxy server should probably have a static route to the DMZ network. Otherwise, it will attempt to route packets through the Internet router...which should result in an ICMP redirect. Or the Internet router could also just route the packet, which means the IPS will see the packet twice. I suppose any of these could be getting denied by the IPS. If this is the case, you're focusing on the wrong inline pair and that would explain why changes to the other don't have any effect.
If you ARE using NAT, then your right to focus on the "dmz" inline pair. I can't imagine why it would deny the connection, but you could try disabling the normalizer engine signatures as I've heard that they will drop traffic without any sort of notification.
Yes, I believe the DMZ is using NAT. But this setup was working on a single switch prior to the sensor bridging two switches. I actually am focusing on the main inline pair, not the pair used for the dmz. Quick troubleshooting showed that the dmz pair has no effect.
At this point what I'm doing is adding static routes from the proxy servers to the dmz firewall interface so it doesn't go through the sensor twice. I was wondering if there were signatures that blocked traffic without generating events - and since you mentioned Normalizer, I can see why a sensor wouldn't normally allow this kind of traffic.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...