Two key features in SonicOS Enhanced 5.8.1 regarding the mode of deployment of a SonicWALL firewall appliance are:

  • Wire Mode; a deployment option where the SonicWALL appliance can be inserted as a "Bump in the Wire".
  • Tap Mode; a deployment option for environments employing network taps, smart taps, port mirroring or SPAN ports to deliver packets to external devices for out-of-path inspection, analysis or collection.
The Wire and Tap Modes are supported in NSA E-Class Series and NSA Series (3500 and above).

Wire Mode

Wire Mode is a simplified form of Layer 2 Bridge Mode; it provides the least-intrusive way to deploy NGFW features in a network, with minimal impact on the existing network topology.

You can use this mode to deploy a SonicWALL NGFW behind an existing Stateful Packet Inspection (SPI) firewall to augment its features.


A Wire Mode interface is typically configured as a bridge between a pair of the firewall's interfaces (e.g. X3 and X4) and does not use any IP address.

  • You select an interface (it must belong to the LAN zone) and pair it with an unassigned interface.
  • The paired interfaces must be of the same type, e.g. two 1 Gbps interfaces or two 10 Gbps interfaces.

Wire Mode has three settings:

  • Bypass Mode (via Internal Switch Relay); the quickest and least disruptive way to introduce a SonicWALL firewall into the network. With this setting the SonicWALL appliance performs no inspection or firewalling; it simply passes traffic between the paired interfaces using the internal switch. It is designed to let you physically place the new firewall on the network with minimum downtime and risk.
  • Inspect Mode (Passive DPI of Mirrored Traffic); extends Bypass Mode by exposing the traffic to the DPI engine for passive inspection, classification, logging and flow reporting. You can use this mode to evaluate the SonicWALL appliance's application intelligence and threat detection capabilities while the firewall remains a low-risk, zero-latency packet path.
  • Secure Mode (Active DPI of Inline Traffic); extends Inspect Mode: the SonicWALL appliance actively controls the traffic flow, enabling enforcement of Application Intelligence and Control, Intrusion Prevention Service, Gateway and Cloud-based Anti-Virus, Anti-Spyware and Content Filtering. You get the benefits of an NGFW deployment with minimal impact on the current network layout.

Note: Depending on your appliance model, Wire Mode may offer four settings instead: Bypass Mode (via Internal Switch / Relay), Scan Mode (Wire-Speed Passive DPI), Inspect Mode (Throttled Passive DPI) and Secure Mode (Active DPI of Inline Traffic).

Tap Mode

Tap Mode provides the same visibility as Wire Mode in its Inspect setting, but the received traffic is never sent back out of the firewall. The firewall simply ingests mirrored packets on one of its interfaces while sitting out of path.

  • You select an interface that belongs to the LAN or DMZ zone.
  • You can use this mode as a means of performing out-of-path traffic inspection, analysis and collection.

Comparing the features of Wire and Tap Modes

Feature                  Bypass Mode   Inspect Mode   Secure Mode   Tap Mode
Application Visibility   No            Yes            Yes           Yes
Application Control      No            No             Yes           No
Content Filtering        No            No             Yes           No
DPI Detection            No            Yes            Yes           Yes
DPI Prevention           No            No             Yes           No
SPI                      No            Yes            Yes           Yes

Limitations of Wire and Tap Modes

  • No ARP/Routing/NAT.
  • No Active/Active Clustering.
  • No DPI-SSL.
  • No Comprehensive Anti-Spam Service.
  • No DHCP Server.
  • No TCP Handshake Enforcement; Wire Mode disables it by design so that failover events occurring elsewhere on the network are still supported, e.g. when multiple SonicWALL security appliance units are in use along redundant or asymmetric paths.
  • The SonicWALL firewall appliance's dedicated Management interface will be used for local management. To enable remote management and dynamic security services and application intelligence updates, a WAN interface (separate from the Wire-Mode interfaces) must be configured for Internet connectivity.

Conclusion

Wire Mode lets you augment existing firewalls by inserting an NGFW in a least-intrusive manner, while Tap Mode lets you perform traffic inspection and analysis using an out-of-path model.