Policy Profile Options

This section describes a few of the options for the policy profile. Refer to the following:

Inline SSL Decryption Port Map
Enable or Disable Tool Bypass
High Availability Active Standby
Inline Network Group Multiple Entry

Inline SSL Decryption Port Map

The TCP destination port for decrypted traffic sent to inline tools can be configured as part of the profile.

Following are the two priorities that GigaSMART uses to decide on the TCP port number used for decrypted traffic:

Priority 1—This is a port map, which is user configurable. You can specify both the In Port and the Out Port. The In Port is the TCP destination port from a client. The Out Port is the TCP port used to send traffic to inline tools.
Priority 2—This is a default Out Port. This TCP port will be used if the incoming port does not match those specified in Priority 1.

Enable or Disable Tool Bypass

Tool bypass can be enabled or disabled for the following types of traffic:

SSL decrypted traffic
non-decrypted SSL traffic (non-SSL TCP)
non-SSL traffic (non-TCP)

By default, tool bypass is disabled on these traffic types, meaning that all decrypted SSL, non-decrypted SSL, and non-SSL traffic is sent to the tools. When tool bypass is enabled on a specified traffic type, that traffic is not sent to the tools.

High Availability Active Standby

Starting in software version 5.2, inline network high availability active standby is supported. When enabled, link switchover by an upstream device in an active/standby scenario is detected.

For example, when there is an inline SSL network group topology with two network port pairs (Na1, Nb1 and Na2, Nb2), the incoming traffic from one network (for example, Na1) may change to another network (for example, Na2) due to upstream devices, such as firewalls performing high availability active standby failover. If an upstream device fails over, GigaSMART will forward traffic to the correct inline network.

The default is disabled.

Note:  Do not enable this option if the inline SSL network group links are in an active/active scenario.

Inline Network Group Multiple Entry

An inline network group topology can have multiple network port pairs (for example, Na1, Nb1 and Na2, Nb2). With multiple network port pairs, traffic from a network interface might traverse GigaSMART multiple times. Intercepted traffic from GigaSMART might reenter GigaSMART through a different network interface within the same network group as shown in Figure 1: Inline SSL Inline Network Group Configuration.

Figure 80 Inline SSL Inline Network Group Configuration

When the inline SSL GigaSMART sits between internal devices and the upstream router, traffic from the devices to the Internet will be intercepted by GigaSMART. When internal devices belonging to different network port pairs within the same inline network group communicate with each other, traffic initiated from a device will be intercepted by GigaSMART and sent to the upstream router. This traffic will be routed back to GigaSMART from a different network port pair to reach the destination device.

Starting in software version 5.3, the same traffic sent from GigaSMART can reenter GigaSMART.

GigaSMART remembers the incoming inline network interface (for example, Na1) for each connection. When traffic from the same connection reaches GigaSMART through a different inline network interface within the same network group (for example, Na2), GigaSMART forwards the traffic to the corresponding opposite network interface (for example, Nb2) without further processing. This allows traffic from the same connection to reenter GigaSMART: GigaSMART detects the reentry and forwards the traffic to the new network port pair.

However, the same traffic sent by GigaSMART reentering through the same network port pair (for example, Nb2, Na2) is not supported.

Other than the use case described above, any connection with traffic passing through GigaSMART involving more than the original network pair is not supported. If the first packet of a connection comes in through Na1, all traffic has to enter GigaSMART through the network port pair, Na1, Nb1.

You can enable or disable the inline network group multiple entry for the profile. The default is disabled.
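As an added illustration of the multiple-entry forwarding rules described above (example code, not Gigamon software): a simplified Python model of how a connection is pinned to the network port pair on which its first packet arrived, and how a packet of that connection reentering on another pair in the same group is treated with the option enabled or disabled. Interface names, the connection key and the device-to-device path are constructed; the model omits the unsupported same-pair reentry case.

```python
from dataclasses import dataclass, field

# Constructed topology: one inline network group with two network port pairs,
# (Na1, Nb1) and (Na2, Nb2), using the interface names from the text.
PORT_PAIRS = [("Na1", "Nb1"), ("Na2", "Nb2")]
OPPOSITE = {a: b for pair in PORT_PAIRS for a, b in (pair, pair[::-1])}
PAIR_OF = {iface: i for i, pair in enumerate(PORT_PAIRS) for iface in pair}


@dataclass
class InlineGroupModel:
    """Simplified model of the per-connection forwarding decision."""
    multiple_entry: bool = False                       # profile option; default disabled
    first_ingress: dict = field(default_factory=dict)  # connection -> first ingress interface

    def forward(self, conn, ingress):
        """Decide what happens to a packet of `conn` arriving on `ingress`.

        Returns (egress_interface, action) where action is one of:
          "inspect"     - normal inline SSL processing through the original pair
          "passthrough" - reentry on another pair, forwarded to the opposite
                          interface without further processing
          "unsupported" - traffic on a second pair while multiple entry is disabled
        """
        if conn not in self.first_ingress:
            # The first packet pins the connection to its original network port pair.
            self.first_ingress[conn] = ingress
            return OPPOSITE[ingress], "inspect"
        if PAIR_OF[ingress] == PAIR_OF[self.first_ingress[conn]]:
            return OPPOSITE[ingress], "inspect"
        if self.multiple_entry:
            return OPPOSITE[ingress], "passthrough"
        return None, "unsupported"


def hairpin_trace(multiple_entry):
    """Walk the device-to-device use case: A (behind Na1) talks to B (behind Na2).

    Constructed path following the text: A -> Na1 -> GigaSMART -> Nb1 -> router
    -> Nb2 -> GigaSMART -> Na2 -> B, then B's reply back along the same path.
    """
    group = InlineGroupModel(multiple_entry=multiple_entry)
    conn = ("10.0.1.10", "10.0.2.20", 6)   # constructed key: (client, server, TCP)
    return [group.forward(conn, iface) for iface in ("Na1", "Nb2", "Na2", "Nb1")]
```

With the option enabled, only the passes through the original pair (Na1, Nb1) are inspected; the hops through (Na2, Nb2) are passed straight to the opposite interface.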