Documentation Search
Simulation Mode Overview
Simulation mode is not a deployment mode, but rather an operational mode. The following sections give an overview of simulation mode:
Topology
The purpose of simulation mode is to enable you to evaluate expected results when you deploy the IDP Series device in transparent mode or sniffer mode. Therefore, in your network topology, you install and connect the IDP Series device where you intend to deploy it in transparent (in-path) or sniffer mode (out-of-path).
Purpose
You operate an IDP Series device in simulation mode in the following situations:
- When you first deploy the IDP Series device in your network and you want to evaluate the security actions it takes without disrupting traffic.
- When you implement a new feature or change a security policy and you want to evaluate the impact without disrupting traffic.
- As a workaround to avoid traffic outages when IDP processing is resulting in crashes and other failures.
In simulation mode, when the IDP Series device receives a packet, it makes a copy. It transmits the original packet uninspected through the egress interface and enqueues the duplicate packet into the JNET driver receive queue to be processed by the IDP engine. The IDP engine inspects the traffic against your security policy rules and implicit rules, and it generates logs when rules match. The IDP engine then drops the copy of the packet. Figure 1 illustrates packet processing in simulation mode.
Figure 1: Packet Processing in Simulation Mode
 | Note: Because of packet queueing, when simulation mode is turned on, a few packets that are queued for processing and forwarding might be dropped. This results in retransmission depending on Layer 4 or Layer 7 behavior. When simulation mode is turned off, a few duplicate packets might be forwarded. |
Configuration Overview
You use the CLI to enable or disable simulation mode. Simulation mode is disabled by default. You do not need to restart the IDP engine (idp.sh) or push a policy to enable or disable simulation mode.
Logging
In logs, the string [Simulation Mode] appears in the Details column, along with the details of the event. Figure 2 shows a simulation mode log in the NSM log viewer. You can use NSM log and report filters to create log views and reports that filter for (or filter out) simulation mode logs.
Figure 2: NSM Log Viewer: Simulation Mode Logs
