92 Rockwell Automation Publication 1783-UM010C-EN-P - June 2019
Chapter 8 Firewall Modes
Figure 22 - Traffic Flow under Passive (Monitor Only) Mode
The Stratix® 5950 Security Appliance runs with these defaults:
• ASA in Transparent Mode
• SFR configured in inline Passive mode with No Drop Actions (not in SPAN/TAP/Passive Mode)
Industrial Firewall Deployment Considerations
The IFW can be deployed in various modes, depending on the level of desired
policy enforcement and risk tolerance. It is possible to place it in an inline or
passive location in the network. When located inline, the IFW is inserted into
the network segment and can operate in two modes: transparent or routed.
When in a passive location, the IFW is separate from the network segment and
only receives a copy of the traffic. The following sections provide details and
considerations for each supported deployment mode of the IFW.
Inline Transparent Mode
The IFW operates in transparent mode by default. In transparent mode, the
IFW acts like a ‘bump in the wire’ and is not considered a router hop (it connects
to the same network on its inside and outside interfaces). There can be two
variations of this deployment.
In an inline deployment, the actual traffic is sent to the IFW FirePOWER
module, whose policy affects what happens to the traffic. After dropping
TIP Only use the Smartport ‘multiport automation device’ for any inline installs.