    Simulation Mode Overview

    Simulation mode is not a deployment mode, but rather an operational mode. The following sections give an overview of simulation mode:

    Topology

    The purpose of simulation mode is to enable you to evaluate expected results when you deploy the IDP Series device in transparent mode or sniffer mode. Therefore, in your network topology, you install and connect the IDP Series device where you intend to deploy it in transparent (in-path) or sniffer mode (out-of-path).

    Purpose

    You operate an IDP Series device in simulation mode in the following situations:

    • When you first deploy the IDP Series device in your network and you want to evaluate the security actions it takes without disrupting traffic.
    • When you implement a new feature or change a security policy and you want to evaluate the impact without disrupting traffic.
    • As a workaround to avoid traffic outages when IDP processing results in crashes or other failures.

    In simulation mode, when the IDP Series device receives a packet, it makes a copy. It transmits the original packet uninspected through the egress interface and enqueues the duplicate packet into the JNET driver receive queue to be processed by the IDP engine. The IDP engine inspects the traffic against your security policy rules and implicit rules, and it generates logs when rules match. The IDP engine then drops the copy of the packet. Figure 1 illustrates packet processing in simulation mode.

    Figure 1: Packet Processing in Simulation Mode

    Note: Because of packet queueing, when simulation mode is turned on, a few packets that are queued for processing and forwarding might be dropped. This results in retransmission depending on Layer 4 or Layer 7 behavior. When simulation mode is turned off, a few duplicate packets might be forwarded.

    Configuration Overview

    You use the CLI to enable or disable simulation mode. Simulation mode is disabled by default. You do not need to restart the IDP engine (idp.sh) or push a policy to enable or disable simulation mode.

    Logging

    In logs, the string [Simulation Mode] appears in the Details column, along with the details of the event. Figure 2 shows a simulation mode log in the NSM log viewer. You can use NSM log and report filters to create log views and reports that filter for (or filter out) simulation mode logs.
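    The filtering described above, worked through as an added example that is not part of this guide and not Juniper code: the page states only that the string [Simulation Mode] appears in the Details column, so the tab-separated column layout, the attack names, the action names and the five sample records below are constructed for illustration and do not represent an NSM export format. The script separates simulation-mode events from enforced ones and summarizes which actions the device would have taken, which is what an operator evaluating a new policy wants to see before switching simulation mode off.

```python
"""Separate simulation-mode IDP logs from enforced ones and summarize them.

Added example, not Juniper code.  Only the "[Simulation Mode]" marker in the
Details column comes from the guide; the column layout and sample records
are constructed assumptions.
"""
from collections import Counter
from dataclasses import dataclass

SIM_MARKER = "[Simulation Mode]"

# Constructed sample records, tab-separated: time, attack, action, details.
# Action names are assumed for illustration and are not taken from the guide.
SAMPLE_LOGS = """\
2011-02-08 10:00:01\tHTTP:SQL:INJ\tdrop\t[Simulation Mode] attack matched rule 3
2011-02-08 10:00:02\tHTTP:SQL:INJ\tdrop\tattack matched rule 3
2011-02-08 10:00:05\tTCP:SCAN\tnone\t[Simulation Mode] scan threshold reached
2011-02-08 10:00:09\tHTTP:XSS\tclose-client\t[Simulation Mode] attack matched rule 7
2011-02-08 10:00:11\tHTTP:XSS\tclose-client\tattack matched rule 7
"""


@dataclass
class IdpLog:
    time: str
    attack: str
    action: str
    details: str

    @property
    def simulated(self) -> bool:
        # The marker is the only signal the guide gives; match it verbatim.
        return SIM_MARKER in self.details


def parse_logs(text: str) -> list[IdpLog]:
    """Parse the constructed tab-separated format; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split("\t", 3)
        if len(fields) != 4:
            continue  # not a well-formed record in the assumed layout
        records.append(IdpLog(*fields))
    return records


def split_simulated(records: list[IdpLog]) -> tuple[list[IdpLog], list[IdpLog]]:
    """Return (simulation-mode logs, enforced logs) as two separate views."""
    simulated = [r for r in records if r.simulated]
    enforced = [r for r in records if not r.simulated]
    return simulated, enforced


def action_summary(records: list[IdpLog]) -> dict[str, int]:
    """Count the logged action per record, e.g. what would have been dropped."""
    return dict(Counter(r.action for r in records))


def attacks_by_action(records: list[IdpLog]) -> dict[str, list[str]]:
    """Group attack names under each action so a policy change is easy to review."""
    grouped: dict[str, list[str]] = {}
    for r in records:
        grouped.setdefault(r.action, []).append(r.attack)
    return grouped


if __name__ == "__main__":
    sim, real = split_simulated(parse_logs(SAMPLE_LOGS))
    print(f"{len(sim)} simulation-mode logs, {len(real)} enforced logs")
    print("would-be actions:", action_summary(sim))
    print("attacks per action:", attacks_by_action(sim))
```

    Running the script on the constructed records reports three simulation-mode logs and two enforced ones; the would-be action summary is the view to compare against the enforced logs before turning simulation mode off, since the same attack appears once with the marker and once without.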

    Figure 2: NSM Log Viewer: Simulation Mode Logs

    Published: 2011-02-08