Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
2568
Views
0
Helpful
8
Replies

Firepower Threat Defense - brdige or inline?

Go to solution
Claudio_Lodigiani
Level 1
Level 1

‎11-03-2020 12:36 AM

Hi everyone
I need to inspect traffic flowing on a L2 segment of my network
I’m using a FTD 1010 with 6.5 software
I’m wondering if it’s best to use a bridge group or an inline set
I didn’t find any clear statement from Cisco about choosing between bridge or inline
Regards
Claudio

0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marius Gunnerud
VIP
VIP
In response to Claudio_Lodigiani

‎11-03-2020 09:51 AM

My practical question is: should I use a bridge group or an inline set to inspect and secure traffic? I have a scenario where I'm forced to install the firewall without affecting Layer 2 topology (no Layer 3 firewall)

In this scenario you would want to install the firewall in transparent mode, which would use "bridge groups" as you have mentioned.  In transparent mode you will still be able to perform both LINA (ASA access lists, etc.) and Snort (IPS) functions.

--
Please remember to select a correct answer and rate helpful posts

View solution in original post

0 Helpful
8 Replies 8

Go to solution
Rob Ingram
VIP
VIP

‎11-03-2020 12:47 AM - edited ‎11-03-2020 12:54 AM

Hi @Claudio_Lodigiani 

Sounds like you want to use transparent mode. Read this reference for more information.

https://www.cisco.com/c/en/us/td/docs/security/firepower/640/configuration/guide/fpmc-config-guide-v64/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html#ID-2106-00000012

 

This  doc states - "Layer 2 connectivity is achieved by using a "bridge group" where you group together the inside and outside interfaces for a network,"

 

This guide provides information to create an inline set.

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

 

HTH

0 Helpful

Go to solution
Claudio_Lodigiani
Level 1
Level 1
In response to Rob Ingram

‎11-03-2020 01:53 AM

Hi @Rob Ingram 

Thank you for the reply.

I’ve been studying the documentation since last month.
Now I re-read carefully the configuration guide and I got the point.
If I’m not wrong, in-line sets are IPS passive online interfaces and can not do some typical firewall checks and functionality
Bridge groups (available also in routed mode since 6.2) on the other end can be used to inspect L2 traffic and retain firewall checks

Am I right?

Claudio

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Claudio_Lodigiani

‎11-03-2020 04:39 AM

An inline set can either be passive (inline set with tap) as you say or it can also drop (inline set) depending on how you implement it.  With inline pair with tap only a copy of the traffic is sent to the FTD, while in inline set all traffic passes through the FTD and traffic can be dropped.

Bridge groups are used for firewalls in transparent mode and do not have anything to do with IPS.  You can configure bridge groups as well as have inline set configured at the same time.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP

‎11-03-2020 12:57 AM

The bridge group is used in Transparent mode to group 2 or more interfaces together and allow traffic to pass between those interfaces.

The inline set can be used in both routed and transparent mode, and defines ingress and egress interfaces that are to be used for IPS inspection.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Claudio_Lodigiani
Level 1
Level 1
In response to Marius Gunnerud

‎11-03-2020 08:32 AM

Hi Marius thank you for the reply

Bridge group can be used also in transparent mode since ver 6.2

My practical question is: should I use a bridge group or an inline set to inspect and secure traffic? I have a scenario where I'm forced to install the firewall without affecting Layer 2 topology (no Layer 3 firewall)

Bye

Claudio

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Claudio_Lodigiani

‎11-03-2020 09:26 AM

Are you talking about the integrated routing and bridging feature that was added in 6.2?

--
Please remember to select a correct answer and rate helpful posts
0 Helpful

Go to solution
Claudio_Lodigiani
Level 1
Level 1
In response to Marius Gunnerud

‎11-04-2020 06:26 AM

yes, exactly 

0 Helpful

Go to solution
Marius Gunnerud
VIP
VIP
In response to Claudio_Lodigiani

‎11-03-2020 09:51 AM

My practical question is: should I use a bridge group or an inline set to inspect and secure traffic? I have a scenario where I'm forced to install the firewall without affecting Layer 2 topology (no Layer 3 firewall)

In this scenario you would want to install the firewall in transparent mode, which would use "bridge groups" as you have mentioned.  In transparent mode you will still be able to perform both LINA (ASA access lists, etc.) and Snort (IPS) functions.

--
Please remember to select a correct answer and rate helpful posts
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card