Name | Give the profile a descriptive name. |
Description | Optionally describe the profile settings or purpose. |
General Tab |
Security Chain Type | Select the type of security chain to which the decrypted traffic is forwarded:
Routed (Layer 3): The devices in this type of security chain use Layer 3 interfaces to connect to the security-chain network. Each interface must have an assigned IP address and subnet mask. You configure security-chain devices with static routes or use dynamic routing to direct inbound and outbound traffic to the next device in the security chain and back.
Transparent Bridge: In a transparent-bridge security-chain network, all security-chain devices have two Transparent Bridge mode interfaces connected to the security-chain network. Transparent Bridge interfaces do not have IP addresses, subnet masks, default gateways, or local routing tables. Security-chain appliances receive traffic on one interface, analyze the traffic and enforce security, and then the traffic egresses the other interface to the next security-chain device.
|
Enable IPv6 | (Transparent Bridge mode only) Enable IPv6 traffic forwarding. |
Flow Direction | Select whether traffic enters the security chain from one interface and exits the security chain to the other interface, or whether traffic can enter and exit the security chain from both interfaces:
Unidirectional—All traffic to the security chain is forwarded through Interface #1, and the traffic is received back from the security chain on Interface #2. Both interfaces must be in the same zone.
Bidirectional—Client-to-server traffic is forwarded to the security chain through Interface #1 and received back from the security chain on Interface #2. Server-to-client traffic is forwarded to the security chain through Interface #2 and received back from the security chain on Interface #1.
The flow direction you select depends on the type of appliances in the security chain. For example, if a security chain has stateless devices that can examine both sides of a session, you could choose a unidirectional flow.
|
Interface #1 | The Network Packet Broker interfaces that are used to forward traffic to and receive traffic from a security chain. You must configure each interface as a Network Packet Broker interface, as described at the beginning of this help topic. |
Interface #2 |
Security Chains Tab | Configure one or multiple (for load balancing or redundancy) Layer 3 security chains on one pair of Network Packet Broker interfaces. For the Routed (Layer 3) security chain type, you must configure at least one security chain to specify where to forward traffic. For multiple security chains, a switch or other device must handle the routing between the firewall and the chains.
The options on this tab are only available for Layer 3 (routed) security chains.
|
Enable | Enable the security chain. |
Name | Give the security chain a descriptive name. |
First Device | Enter the IPv4 address of the first and last devices in the security chain, or define a new Address Object to easily reference the device. |
Last Device |
Session Distribution Method | When forwarding to multiple Routed (Layer 3) security chains, choose the method that is used to distribute sessions among the security chains:
IP Modulo—Sessions are assigned based on the IP modulo hash of the source and destination IP addresses.
IP Hash—Sessions are assigned based on the IP hash of the source and destination IP addresses and port numbers.
Round Robin—Sessions are allocated evenly among security chains.
Lowest Latency—More sessions are allocated to the security chain with the lowest latency. For this method to work as expected, you must also enable Latency Monitoring and HTTP Monitoring on the Health Monitor tab.
|
Health Monitor Tab |
On Health Check Failure | When you enable health checks (Path Monitoring, HTTP Monitoring, or HTTP Monitoring Latency), you also decide what happens if a chain (or all chains, if there are multiple chains) fails. If there are multiple chains and one or more chains fail a health check but at least one chain is still healthy, the traffic is distributed to the remaining chains based on the Session Distribution Method. If all of the chains associated with a pair of Network Packet Broker interfaces fail, you can:
Bypass Security Chain—The traffic is forwarded to its destination instead of to the failed chain(s). The configured security profiles and protections are still applied to the traffic.
Block Session—The session is blocked.
|
Health Check Failed Condition | If you configure more than one health check (you can configure all three health checks on a chain), configure how a failure is defined:
OR Condition—If any selected health check fails, the On Health Check Failure action occurs.
AND Condition—If all of the selected health checks fail, the On Health Check Failure action occurs.
|
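The interaction between the Session Distribution Method, the Health Check Failed Condition and the On Health Check Failure action is easier to reason about as a small model: failed chains drop out of the candidate set, sessions are spread over what remains, and the bypass/block action applies only when nothing remains. The following Python is an added example, not the firewall's code. The chain names and device addresses are constructed; the hash behind IP Modulo (sum of the two addresses modulo the number of healthy chains) and IP Hash (SHA-256 over the 4-tuple) are assumptions, since the page does not specify them; and Lowest Latency is modelled as a latency-weighted round robin so that the lowest-latency chain receives the most sessions without starving the others.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Health Check Failed Condition values
OR_CONDITION = "OR"
AND_CONDITION = "AND"

# On Health Check Failure actions
BYPASS_SECURITY_CHAIN = "bypass"
BLOCK_SESSION = "block"


@dataclass
class Chain:
    """One enabled Layer 3 security chain (device addresses are constructed sample values)."""
    name: str
    first_device: str
    last_device: str
    latency_ms: float                 # latest HTTP Monitoring Latency measurement
    # Result of each enabled health check; None means the check is not enabled on this chain.
    path_ok: Optional[bool] = None
    http_ok: Optional[bool] = None
    latency_ok: Optional[bool] = None


@dataclass
class Decision:
    action: str                       # "forward", BYPASS_SECURITY_CHAIN or BLOCK_SESSION
    chain: Optional[str] = None       # chain chosen when action == "forward"


def chain_failed(chain: Chain, condition: str) -> bool:
    """Combine the enabled health checks under the OR / AND failed condition."""
    results = [r for r in (chain.path_ok, chain.http_ok, chain.latency_ok) if r is not None]
    if not results:
        return False                  # no health check enabled: nothing can mark the chain failed
    failures = [not ok for ok in results]
    if condition == OR_CONDITION:
        return any(failures)          # any selected check failing is a failure
    if condition == AND_CONDITION:
        return all(failures)          # every selected check must fail
    raise ValueError(f"unknown failed condition {condition!r}")


def _ip_as_int(ip: str) -> int:
    return int(ipaddress.ip_address(ip))


class ChainSelector:
    """Chooses a chain per session using the profile's Session Distribution Method."""

    def __init__(self, chains: List[Chain], method: str,
                 failed_condition: str = OR_CONDITION, on_failure: str = BYPASS_SECURITY_CHAIN):
        self.chains = list(chains)
        self.method = method
        self.failed_condition = failed_condition
        self.on_failure = on_failure
        self._rr_next = 0                              # Round Robin cursor
        self._served = {c.name: 0 for c in chains}     # sessions handed to each chain

    def select(self, src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> Decision:
        healthy = [c for c in self.chains if not chain_failed(c, self.failed_condition)]
        if not healthy:
            # Every chain on this interface pair failed: apply On Health Check Failure.
            return Decision(self.on_failure)
        if self.method == "IP Modulo":
            # Assumed hash: address sum modulo the number of healthy chains.
            chosen = healthy[(_ip_as_int(src_ip) + _ip_as_int(dst_ip)) % len(healthy)]
        elif self.method == "IP Hash":
            # Assumed hash: SHA-256 of the 4-tuple, reduced modulo the number of healthy chains.
            key = f"{src_ip}:{src_port}->{dst_ip}:{dst_port}".encode()
            chosen = healthy[int.from_bytes(hashlib.sha256(key).digest()[:8], "big") % len(healthy)]
        elif self.method == "Round Robin":
            chosen = healthy[self._rr_next % len(healthy)]
            self._rr_next += 1
        elif self.method == "Lowest Latency":
            # Weighted round robin: the chain with the smallest (sessions served * latency)
            # goes next, so shares are inversely proportional to latency; ties favour lower latency.
            chosen = min(healthy, key=lambda c: (self._served[c.name] * c.latency_ms, c.latency_ms))
        else:
            raise ValueError(f"unknown distribution method {self.method!r}")
        self._served[chosen.name] += 1
        return Decision("forward", chosen.name)


def sample_chains() -> List[Chain]:
    """Three constructed chains, all health checks enabled and passing."""
    return [
        Chain("chain-a", "10.10.1.10", "10.10.1.20", 12.0, True, True, True),
        Chain("chain-b", "10.10.2.10", "10.10.2.20", 8.0, True, True, True),
        Chain("chain-c", "10.10.3.10", "10.10.3.20", 20.0, True, True, True),
    ]
```

Marking one chain's `path_ok` False shows the difference between the two failed conditions: under OR the chain leaves the candidate set and the modulo index is taken over two chains instead of three, while under AND (with HTTP and latency checks still passing) it stays in rotation. Only when every chain fails does `select` return the configured bypass or block action.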
Path Monitoring | Enable path, HTTP latency, or HTTP monitoring, or a combination of the three health checks, to identify when security chains experience a failure, and configure the metrics that determine when a failure has occurred:
Path Monitoring—Checks device connectivity; set the ping count, ping interval in seconds, and recovery hold time in seconds.
HTTP Monitoring—Checks device availability and response time; set the HTTP count and HTTP interval in seconds.
HTTP Monitoring Latency—Checks device processing speed and efficiency; set the maximum latency in milliseconds, the latency duration in seconds, and log latency that exceeds the duration. When you select HTTP Monitoring Latency, HTTP Monitoring is automatically selected. Both must be selected to enable latency monitoring.
|
Latency Monitoring |
HTTP Monitoring |
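The ping count, recovery hold time and latency duration metrics above decide how quickly a chain is declared failed and how quickly it is trusted again, which is what keeps a single lost probe or a brief latency spike from flapping traffic between chains and the bypass action. The following Python replays constructed probe results through those rules. It is an added example, not the firewall's implementation, and its semantics are assumptions: ping count is read as consecutive lost pings before the chain is declared down, recovery hold time as how long replies must continue before the chain is declared up again, and a latency failure is logged only once latency has stayed above the maximum for the full latency duration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class PathMonitorConfig:
    ping_count: int = 3          # consecutive lost pings that declare the chain down (assumed)
    ping_interval_s: int = 1     # seconds between pings; drives the replay clock
    recovery_hold_s: int = 5     # seconds of uninterrupted replies before the chain is up again (assumed)


def evaluate_path_monitor(cfg: PathMonitorConfig, ping_replies: List[bool]) -> List[Tuple[int, str]]:
    """Replay one ping result per interval and return the (time, state) transitions."""
    state = "up"
    consecutive_losses = 0
    replies_since: Optional[int] = None      # time of the first reply after an outage
    transitions: List[Tuple[int, str]] = []
    for i, replied in enumerate(ping_replies):
        t = i * cfg.ping_interval_s
        if replied:
            consecutive_losses = 0
            if state == "down":
                if replies_since is None:
                    replies_since = t
                elif t - replies_since >= cfg.recovery_hold_s:
                    # Hold time elapsed without further loss: the chain is usable again.
                    state = "up"
                    replies_since = None
                    transitions.append((t, "up"))
        else:
            consecutive_losses += 1
            replies_since = None             # any lost ping restarts the recovery hold
            if state == "up" and consecutive_losses >= cfg.ping_count:
                state = "down"
                transitions.append((t, "down"))
    return transitions


@dataclass
class LatencyMonitorConfig:
    max_latency_ms: int = 100    # latency above this value is excessive
    latency_duration_s: int = 3  # excessive latency must persist this long to count as a failure (assumed)


def evaluate_latency_monitor(cfg: LatencyMonitorConfig,
                             samples: List[Tuple[int, int]]) -> Optional[Tuple[int, str]]:
    """Return (time, log message) for the first latency failure, or None if latency never
    stayed above max_latency_ms for latency_duration_s (short spikes are ignored)."""
    over_since: Optional[int] = None
    for t, latency_ms in samples:             # samples are (seconds, measured latency in ms)
        if latency_ms > cfg.max_latency_ms:
            if over_since is None:
                over_since = t
            elif t - over_since >= cfg.latency_duration_s:
                return (t, f"latency {latency_ms} ms exceeded {cfg.max_latency_ms} ms for {t - over_since} s")
        else:
            over_since = None                 # latency recovered; the duration window restarts
    return None


# Constructed probe histories: an outage followed by recovery, and a brief latency spike.
OUTAGE = [True, True, False, False, False, False, True, True, True, True, True, True, True, True]
SPIKE = [(0, 150), (1, 160), (2, 50), (3, 150), (4, 160)]
```

With the default configuration the outage history declares the chain down at the third consecutive loss (t=4) and back up only after five seconds of replies (t=11), while alternating single losses never reach the ping count and cause no transition at all; the latency spike never holds for three seconds, so nothing is logged.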