A. Do the Device and Copy Ports copy everything from the Network Interfaces or does it only copy the decrypted traffic?
B. Is it possible to copy only decrypted traffic to the attached appliance connected to the Copy Port?
Any security tool attached to an SSLV appliance receives all of the traffic flowing through the segment on which the SSLV is deployed as a bump in the wire. An active or passive security tool attached to SSLV receives the following:
All non-SSL traffic that passes through the SSLV bump in the wire.
All SSL flows that SSLV policy determines should not be inspected. The attached security tool sees the full encrypted flow, just as it would if it had been attached to a network tap or connected as an in-line device with no SSLV present.
All SSL flows that SSLV policy determines should be inspected. The attached security tool receives the TCP handshake followed by the decrypted data; it does not see any of the SSL handshake. SSLV Copy ports feed passive security devices with all of the traffic described above, so it is not possible to send only the decrypted traffic to the Copy port.
Note that the packet capture utility only captures packets that are sent over PCIe from the NFP flow processor to the x86 processing complex, so a capture does not reflect everything the attached tool receives.
The only packets that the NFP sends to the X86 are:
packets that the NFP thinks are part of an SSL handshake.
packets on an SSL flow that policy has determined will be made visible, i.e. inspected.
Detection of SSL flows is done by the NFP, so no TCP handshake packets or packets from non-SSL flows are ever sent over PCIe to the x86.
Every time a new TCP flow begins, the NFP starts SSL detection by watching for the Client Hello message that indicates the start of an SSL handshake. It continues to watch the flow for up to 32 payload-carrying packets, after which detection stops for that flow.
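The following is an added illustration of the detection behaviour described above; it is not SSLV code and the NFP's actual heuristics are not published here. The 32-packet window is the figure stated in the article; recognising a Client Hello by its TLS record header (content type 0x16, handshake type 0x01) or its SSLv2-compatible header is this example's own assumption, and the sample segments are constructed, not captured. It also shows why the window matters: a STARTTLS-style flow carries cleartext before the Client Hello, and only payload-carrying segments count towards the window.

```python
from dataclasses import dataclass
from typing import List, Optional

MAX_PAYLOAD_PACKETS = 32             # detection window stated in the article
TLS_HANDSHAKE_RECORD = 0x16          # TLS record content type: handshake
HANDSHAKE_CLIENT_HELLO = 0x01        # handshake message type: ClientHello
TLS_RECORD_VERSIONS = range(0x0300, 0x0304)  # SSL 3.0 .. TLS 1.2 record-layer versions


def is_client_hello(payload: bytes) -> bool:
    """True if a TCP segment payload begins with an SSL/TLS ClientHello.

    Assumption for this example: a header check is enough; a real
    implementation would validate the full message."""
    # SSLv2-compatible ClientHello: 2-byte header with the high bit set,
    # message type 0x01, then the (highest supported) protocol version.
    if len(payload) >= 5 and payload[0] & 0x80 and payload[2] == HANDSHAKE_CLIENT_HELLO:
        version = int.from_bytes(payload[3:5], "big")
        if 0x0002 <= version <= 0x0303:
            return True
    # TLS record: type(1) version(2) length(2), then handshake header type(1) length(3).
    if len(payload) < 9 or payload[0] != TLS_HANDSHAKE_RECORD:
        return False
    version = int.from_bytes(payload[1:3], "big")
    record_len = int.from_bytes(payload[3:5], "big")
    if version not in TLS_RECORD_VERSIONS or record_len < 4:
        return False
    return payload[5] == HANDSHAKE_CLIENT_HELLO


@dataclass
class FlowState:
    """Per-TCP-flow detection state, kept only while the flow is undecided."""
    payload_packets_seen: int = 0
    verdict: Optional[str] = None    # "ssl" or "non-ssl" once decided


def observe_segment(state: FlowState, payload: bytes) -> str:
    """Feed one segment's payload; return "pending", "ssl" or "non-ssl"."""
    if state.verdict is not None:
        return state.verdict
    if not payload:                  # SYN/ACK and pure ACKs carry no payload: not counted
        return "pending"
    state.payload_packets_seen += 1
    if is_client_hello(payload):
        state.verdict = "ssl"
    elif state.payload_packets_seen >= MAX_PAYLOAD_PACKETS:
        state.verdict = "non-ssl"    # window exhausted: detection stops for this flow
    return state.verdict or "pending"


def classify_flow(payloads: List[bytes]) -> str:
    """Run detection over an ordered list of segment payloads for one flow."""
    state = FlowState()
    verdict = "pending"
    for payload in payloads:
        verdict = observe_segment(state, payload)
        if verdict != "pending":
            break
    return verdict


# Constructed sample segments (not captured traffic).
CLIENT_HELLO = bytes.fromhex("160301000a" "01000006" "030300000000")   # TLS 1.0 record, ClientHello
HTTP_GET = b"GET / HTTP/1.1\r\nHost: example.com\r\n\r\n"
SMTP_STARTTLS_FLOW = [
    b"",                                 # empty payload (handshake/ACK), not counted
    b"220 mail.example.com ESMTP\r\n",
    b"EHLO client\r\n",
    b"250-STARTTLS\r\n",
    b"STARTTLS\r\n",
    b"220 Go ahead\r\n",
    CLIENT_HELLO,                        # 6th payload packet: still inside the window
]

if __name__ == "__main__":
    print("smtp starttls:", classify_flow(SMTP_STARTTLS_FLOW))
    print("31 http segments:", classify_flow([HTTP_GET] * 31))
    print("32 http segments:", classify_flow([HTTP_GET] * 32))
```

A flow that is still "pending" after fewer than 32 payload packets has not yet been classified; the packets of a flow classified "non-ssl" are, per the note above, never sent to the x86 and so never appear in a packet capture.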
Description:
Network port: a network interface that is either part of the "bump in the wire" or is connected to a network tap device.
Device port: a network interface that is connected to the primary attached appliance that is dealing with inspected traffic from the SSL Visibility appliance.
Copy port: a network interface that is connected to a secondary passive appliance that is receiving a copy of the inspected traffic.
Aggregation port: a network interface that provides a connection to an additional network tap so that a segment can receive traffic from more than one network tap.
Imported Document ID: 000026612