Help us improve your experience.

Let us know what you think.

Do you have time for a two-minute survey?

Navigation
Guide That Contains This Content
[+] Expand All
[-] Collapse All

    Example: Using Simulation Mode to Maximize Uptime

    The primary use case for simulation mode is for evaluating whether to adopt the IDP Series device as the intrusion prevention device for your network. You might also find simulation mode useful after you adopt the IDP Series as your IDP solution when you want to maximize network availability while you tune a security policy update or troubleshoot traffic outages when IDP processing results in crashes.

    Suppose you discover that the device is dropping traffic and that early indicators suggest a likely false positive and that the traffic probably can be trusted. This situation might happen, for example, after an attack object database update when new attack signatures are added to a dynamic attack group that is specified in your IDP rulebase rules.

    In cases like this, your choices are:

    • Continue to drop traffic while you investigate.
    • Change the rule action to allow traffic while you investigate. This requires you to reload the security policy with the changed rule action.
    • Shut down the IDP Series device while you investigate. If you enable internal bypass, traffic passes through the device.
    • Use simulation mode.

    In cases like this, simulation mode is a good choice if you are an experienced IDP security administrator who suspects a false positive and are inclined to maximize uptime while you investigate. If you later conclude that it is not a false positive, you can disable simulation mode and return to active management without having to reload the security policy. You can use the logs collected during simulation mode to follow up on any subsequent security actions to take. If, on the other hand, your investigation confirms your hunch that it is a false positive, you can make iterations of modifications to your policy, load the changed policy, and observe the results. When you are satisfied with the results, you can disable simulation mode.

    Simulation mode is not a good choice if you are not an experienced IDP security administrator or when you suspect a critical security risk. In these cases, we recommend that you continue to drop traffic while you investigate.

    You might also switch to simulation mode on your live network when you are troubleshooting traffic outages due to IDP processing crashes. Before the IDP Series supported simulation mode, your customer support representative might have advised you to deploy the device in sniffer mode while you were waiting for a detector engine update or service patch to resolve the root cause of a crash. With IDP OS Release 5.1 and later, simulation mode is a good choice if you want to leave the device physically in path (you do not want to reconfigure and reconnect your traffic interfaces as required for the out-of-path, sniffer mode deployment). However, in these situations, sniffer mode is a better choice if you want the device to send TCP resets to close connections when a security policy rule matches.


    Published: 2011-02-08