Inspection Bypass vs. Traffic Management Filters on TippingPoint Devices
Executive Summary
This article provides guidance on the differences between Inspection Bypass and Traffic Management filters on TippingPoint devices. Both features help optimize network performance and traffic flow, with distinct purposes and operational levels.
Overview of Both Technologies
Inspection Bypass Rules
Inspection Bypass rules let specific traffic bypass the inspection engine completely. That traffic receives no security inspection and flows through the device without analysis.
Traffic Management Filters
Manually created, policy-based filters that give granular control over network traffic parameters. These filters can manage flow while maintaining some inspection.
Key Differences
| Feature | Inspection Bypass Rules | Traffic Management Filters |
|---|---|---|
| Primary Purpose | Complete bypass of inspection engine | Granular traffic control and policy enforcement |
| Security Inspection | None - traffic receives zero inspection | Can maintain inspection while managing flow |
| Performance Impact | Maximum performance benefit | Moderate performance benefit |
| Rule Limits | TPS devices: 32 rules; IPS devices: 8 rules | Medium-end: 8,000 filters; High-end: 12,000 filters |
| Throughput Counting | Bypassed traffic does NOT count against inspection capacity | Traffic still counts against licensed bandwidth |
| Configuration Level | Device-specific (SMS Devices section) | Profile-based (SMS Inspection Profiles) |
| Flexibility | Limited to basic Layer 2-4 criteria | Extensive parameter control |
Technical Implementation
Inspection Bypass Rules
- Location in SMS: Devices → [Device Name] → Inspection Bypass
- Supported Criteria:
  - Source/Destination IP addresses
  - CIDR ranges
  - VLAN tags
  - Protocol types (TCP, UDP, ICMP, etc.)
  - Custom Ethernet types (MPLS, MPLS multicast, etc.)
  - Port numbers
- Available Actions:
  - Bypass (default) - Completely bypasses inspection
  - Block - Blocks the traffic
  - Redirect - Redirects traffic to specific ports
  - Ingress Mirror - Copies traffic before inspection
  - Egress Mirror - Copies traffic after inspection
Traffic Management Filters
- Location in SMS: Profiles → Inspection Profiles → [Profile Name] → Traffic Management
- Supported Parameters:
  - Source/Destination IP addresses
  - Port ranges
  - Protocol specifications
  - Bandwidth management
  - Rate limiting capabilities
  - Custom access control policies
Use Case Guidelines
When to Use Inspection Bypass Rules
- Internal server-to-server communication (backup servers, database replication)
- Encrypted traffic that cannot be meaningfully inspected
- High-volume trusted traffic (scheduled backups, data synchronization)
- Performance-critical applications requiring minimal latency
- Known protocols like MPLS traffic
- Tunneled traffic (EoIP, PPPoE) that cannot be inspected by the device
- Database backup traffic between trusted internal servers
- MPLS provider traffic already secured
- Encrypted VPN tunnels between branch offices
- Large file transfers between trusted systems during maintenance
When to Use Traffic Management Filters
- Custom access control policies needing granular control
- Traffic prioritization and rate limiting
- When the inspection bypass rule limit is reached
- Balancing security and performance needs
- Complex traffic shaping requirements
- Policy-driven traffic control supporting automated threat detection
- Implementing QoS for various application types
- Rate limiting for user groups or departments
- Custom access policies for lab environments
- Managing bandwidth allocation for services
Best Practices and Decision Matrix
Decision Framework
Use Inspection Bypass when:
- Maximum performance improvement is critical
- Traffic cannot be inspected (encrypted/tunneled)
- Keeping within inspection capacity limits is required
- Security risk is acceptable for the traffic type
Use Traffic Management when:
- Granular control is needed with security oversight
- Inspection bypass rule limits have been reached
- Sophisticated policy-based management is required
- A balance of security and performance is essential
- Complex traffic shaping is required
Implementation Best Practices
- Start Small: Begin with internal backup traffic
- Document Everything: Keep records of exclusions and reasons
- Regular Review: Reassess exceptions periodically
- Monitor Performance: Track throughput improvements
- Test Carefully: Validate rules on non-critical traffic first
Security Considerations
- Inspection Bypass: Bypassed traffic gets zero inspection
- Traffic Management: Maintains inspection while optimizing flow
- Network Segmentation: Bypass only between trusted segments
- Logging: Enable logging for audit and compliance
- When trusting or bypassing traffic, ensure traffic is fully trusted and sources are reliable
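The documentation, review and segmentation practices above can be checked mechanically against a hand-maintained inventory of bypass rules. The following is an added example, not TippingPoint or SMS code: the record fields, the 180-day review window and all sample addresses are assumptions, and only the rule limits come from the table in this article.

```python
import ipaddress
from datetime import date

# Rule limits from the Key Differences table.
RULE_LIMITS = {"TPS": 32, "IPS": 8}

def audit_bypass_rules(device_type, rules, trusted_segments, today, max_age_days=180):
    """Audit a hand-maintained bypass-rule inventory; return (rule, finding) pairs.

    The record fields (name, src, dst, action, reason, reviewed) and the
    180-day review window are assumptions, not an SMS export format.
    """
    trusted = [ipaddress.ip_network(s) for s in trusted_segments]
    findings = []
    limit = RULE_LIMITS[device_type]
    if len(rules) > limit:
        findings.append(("*", f"{len(rules)} rules exceed the {device_type} limit of {limit}"))
    for rule in rules:
        if rule["action"] != "bypass":
            continue  # this audit covers only rules with the Bypass action
        for side in ("src", "dst"):
            net = ipaddress.ip_network(rule[side])
            inside = any(net.version == t.version and net.subnet_of(t) for t in trusted)
            if not inside:
                findings.append((rule["name"], f"{side} {net} is not inside a trusted segment"))
        if not rule.get("reason"):
            findings.append((rule["name"], "no documented reason"))
        reviewed = rule.get("reviewed")
        if reviewed is None or (today - reviewed).days > max_age_days:
            findings.append((rule["name"], "review overdue"))
    return findings

# Constructed sample data: segments, addresses, names and dates are illustrative.
TODAY = date(2024, 6, 1)
TRUSTED = ["10.20.0.0/16", "10.30.0.0/16"]
RULES = [
    {"name": "db-replication", "src": "10.20.5.10/32", "dst": "10.30.5.10/32",
     "action": "bypass", "reason": "nightly replication between DB servers",
     "reviewed": date(2024, 5, 1)},
    {"name": "backup-any", "src": "0.0.0.0/0", "dst": "10.30.9.0/24",
     "action": "bypass", "reason": "", "reviewed": None},
]

if __name__ == "__main__":
    for name, finding in audit_bypass_rules("IPS", RULES, TRUSTED, TODAY):
        print(f"{name}: {finding}")
```

On the sample inventory, the narrowly scoped replication rule passes, while the rule with an unrestricted source, no recorded reason and no review date produces three findings.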
Conclusion
Inspection Bypass and Traffic Management filters are essential for network optimization with TippingPoint devices. Choose Inspection Bypass for fully trusted, performance-critical traffic and Traffic Management for granular, policy-driven control with security oversight.
Key Takeaway: Use Inspection Bypass for trusted traffic and performance, Traffic Management for policy control and balanced security.
