Symantec 10268947 User Guide - Page 33

Architecture 33 About management and detection architecture In blocking mode, all network traffic is examined by the Network Security detection software before it enters your network, and is blocked if malicious. When a protocol anomaly event or an event matching an enabled signature is detected, the offending packet is dropped. For TCP/IP traffic, a reset is sent to the TCP connection. In alerting mode, the Network Security detection software still analyzes all packets as they enter your network, but does not prevent an intrusion attempt from proceeding. You can configure a non-blocking protection policy to send a reset and an alert, based on event ID. With only alerting enabled under in-line mode, there is no risk of inadvertently blocking legitimate network traffic. The advantage of in-line alerting mode over operating in passive mode is that you can enable blocking with a single mouse-click from the Network Security console. You don't need to halt network traffic while changing cabling and configuration to switch between in-line alerting and blocking modes. About fail-open When you configure in-line mode on the Symantec Network Security 7100 Series appliance, you place the in-line interface pair directly into the network path. If the appliance or one of those interfaces has a hardware or software failure, all associated network traffic is blocked. You can avoid this risk with the addition of the 2 In-line Bypass unit or 4 In-line Bypass unit, custom fail-open devices available from Symantec specifically for the appliance. These devices provide the fail-open capability, allowing your network to stay up while you make repairs. At this time, the bypass units are only available for copper interfaces. There is currently no fail-open solution for the fiber interfaces of the appliance model 7161.