TMS zl Management and Configuration Guide ST.1.2.100916
Initial Setup in Monitor Mode
Overview
This chapter provides instructions for the initial setup in monitor mode. At
this point, you should have decided which operating mode you want to use.
(See “Operating Modes” in Chapter 1: “Overview.”) You have chosen monitor
mode because you want to take advantage of these intrusion detection system
(IDS) features:
■ Passive monitoring of threats inside your network (but not automatically
preventing or blocking them)
■ Monitoring traffic that is remotely mirrored to the TMS zl Module for
threats and intrusion attempts
■ Monitoring traffic without deploying an inline appliance in a high-bandwidth
network, such as a research and development laboratory
Note: A TMS zl Module can run in one operating mode only. If you switch from one
operating mode to another, the module will revert to the factory defaults for
the new mode, or it will revert to any settings that you may have configured
previously for that mode.
Monitor Mode
In monitor mode, the TMS zl Module monitors traffic passively, and you are
alerted to intrusions through a log mechanism. You can also configure the
module to forward log messages in a variety of ways, including SNMP traps
to an external IPS.
Figure 3-1 shows the logical functionality of the TMS zl Module in monitor
mode. The TMS zl Module is not in the path of the traffic; instead, it receives
a mirrored copy of the traffic. The HP 5400zl or 8200zl Switch Series that hosts
the TMS zl Module uses the module’s data port as the mirror destination for
local and remote mirroring. Any ProVision ASIC switch capable of remote
mirroring can also mirror traffic to the TMS zl Module.