How copy port works with FTA or FTN


Article ID: 231242


Updated On:

Products

SSL Visibility Appliance Software

Issue/Introduction

How copy port works with FTA or FTN

Environment

Release : 4.5.6.1

Resolution

Copy ports send traffic to one or more passive security devices. Copy ports are optional and used only for attached passive devices.

The SSL Visibility appliance can send a copy of all traffic, in clear text, to analytic devices. Up to four passive devices per segment can be configured to monitor and report on network traffic. The example used here is a location with an active inline next-generation (NG) firewall and a passive Data Loss Prevention (DLP) device monitoring traffic. All traffic must be in plain text when it is sent to the security devices for analysis; traffic returned by the inline active device is re-encrypted as it goes back on the wire. Many options are available, depending on the number of passive devices and the throughput requirements.

Looking at the network topology above, the area in gray has already been completed: the main traffic path is configured and the active security device is ready to receive all traffic. This topic covers only the passive security device requirements and the configuration of copy ports. To finish activating this segment, the copy ports must be defined. In this deployment, a single passive security device with one interface monitors all traffic; it must receive a copy of all encrypted and non-encrypted traffic handled by the inline SSLV.
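The point of the copy port is that the passive device sees decrypted traffic for intercepted flows, while flows the segment policy does not intercept are copied as-is. A practical acceptance check after defining the copy ports is therefore to capture on the passive device's copy-port interface and measure how much of what arrives is still TLS. The script below is an added example for that check; it is not Symantec/Broadcom code and not part of the original article. It classifies individual TCP payloads by the TLS record header (content type, legacy version 0x03xx, plausible length) versus an HTTP request/response line, and the sample payloads are constructed, not captured. The threshold value and the function names are the author's assumptions.

```python
"""
Acceptance check for an SSL Visibility copy port: are the segments reaching the
passive device's monitoring interface mostly cleartext, or still TLS records?

Added example, not Symantec/Broadcom code. Feed it the TCP payloads extracted
from a capture taken on the passive device's copy-port interface.
"""
from collections import Counter
from typing import Dict, Iterable

# TLS record content types: change_cipher_spec, alert, handshake, application_data
TLS_CONTENT_TYPES = {0x14, 0x15, 0x16, 0x17}
# A TLSPlaintext fragment is at most 2^14 bytes; ciphertext expansion adds up to
# 2^11 (TLS 1.2) or 2^8 (TLS 1.3). Anything larger is not a valid record header.
TLS_MAX_RECORD_LEN = 2**14 + 2**11
# Start-of-message markers that identify cleartext HTTP in a single segment.
HTTP_PREFIXES = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"DELETE ",
                 b"OPTIONS ", b"PATCH ", b"HTTP/1.")


def classify_payload(payload: bytes) -> str:
    """Classify one TCP segment payload as 'tls', 'http', 'empty' or 'other'.

    A mid-stream segment of an HTTP body comes back as 'other'; the check only
    needs the share of segments that are unmistakably TLS records.
    """
    if not payload:
        return "empty"
    if (len(payload) >= 5
            and payload[0] in TLS_CONTENT_TYPES
            and payload[1] == 0x03              # legacy major version, SSL 3.0 through TLS 1.3
            and payload[2] <= 0x04              # minor version 0x00 (SSL 3.0) .. 0x04 (TLS 1.3)
            and int.from_bytes(payload[3:5], "big") <= TLS_MAX_RECORD_LEN):
        return "tls"
    if payload.startswith(HTTP_PREFIXES):
        return "http"
    return "other"


def summarize(payloads: Iterable[bytes]) -> Dict[str, float]:
    """Count each class and compute the TLS share of data-carrying segments."""
    counts = Counter(classify_payload(p) for p in payloads)
    carrying = sum(n for kind, n in counts.items() if kind != "empty")
    return {
        "tls": counts["tls"],
        "http": counts["http"],
        "other": counts["other"],
        "empty": counts["empty"],
        "tls_fraction": (counts["tls"] / carrying) if carrying else 0.0,
    }


def copy_port_delivers_cleartext(payloads: Iterable[bytes],
                                 max_tls_fraction: float = 0.05) -> bool:
    """True when at most max_tls_fraction of data-carrying segments are TLS records.

    Some TLS on the copy port is expected (non-intercepted flows are copied
    unchanged); a fraction near 1.0 means the passive device is effectively
    blind because nothing is being decrypted for it. The 5% default is an
    assumed starting point, not a documented SSLV value.
    """
    return summarize(payloads)["tls_fraction"] <= max_tls_fraction


# Constructed sample segments standing in for what a capture on the passive
# device's copy-port interface would show (not a real capture).
SAMPLE_PAYLOADS = [
    b"GET /index.html HTTP/1.1\r\nHost: intranet.example\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok",
    b"\x16\x03\x01\x00\x05" + b"\x01\x00\x00\x01\x03",   # TLS handshake record header
    b"\x17\x03\x03\x00\x10" + bytes(16),                 # TLS application_data record
    b"",                                                 # pure ACK, no payload
    b"\x00\x01\x02\x03mid-body bytes",                   # continuation of an HTTP body
]

if __name__ == "__main__":
    print(summarize(SAMPLE_PAYLOADS))
    print("cleartext copy OK:",
          copy_port_delivers_cleartext(SAMPLE_PAYLOADS, max_tls_fraction=0.5))
```

Run it against payloads pulled from a real capture (for example, with a pcap reader of your choice) and compare the TLS fraction before and after the segment is activated: a high fraction that does not drop when the segment goes active points at the copy port not being defined, or at the policy not intercepting the flows the passive device is meant to inspect.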

For the prerequisites, options and further details, refer to the Tech Doc at the URL below.

https://techdocs.broadcom.com/us/en/symantec-security-software/web-and-network-security/ssl-visibility/5-2/sslv_overview/UI_Overview/policies_menu/segments/segments_sg/segments_sg_copy_ports.html

Note:

The SSLV virtual appliance (VA) maintains a software bypass capability that allows a bypass-to-network or bypass-to-application on any segment, independent of the segment's fail-to-appliance (FTA) or fail-to-network (FTN) setting. For example, on an FTA segment the SSLV VA can still perform a bypass-to-network and take the application completely out of the traffic flow. This is intended as a debugging tool that logically removes the SSLV VA from the network.

As to whether the change can interrupt customer traffic: the recommendation is always to make the change when there is no user traffic, and never during peak traffic. Test the change with minimal, non-critical user traffic and confirm that it succeeded before passing production traffic.