Inspection Bypass – TippingPoint TPS (Threat Protection System) Devices

 

Overview

 

Inspection Bypass is a feature on TippingPoint TPS devices that routes specific, user-defined traffic through the IPS without inspection.  This capability is ideal for traffic that is latency-sensitive, trusted, encrypted, or operational in nature. Inspection Bypass operates at the BCM (switch) level, introducing virtually zero latency, and takes effect immediately once configured. 

 

Supported Platforms & Limitations

 

Inspection Bypass is:


  • Supported only on hardware TippingPoint TPS devices 

  • Not supported on vTPS devices 

  • 📝 Limited to 32 rules per TPS device (legacy IPS devices support a maximum of 8 rules) 


Key Benefit: Because inspection bypass occurs before traffic reaches the TPS inspection engine, bypassed traffic does not count against the throughput license, providing significant cost management benefits. 

 

 
 

Inspection Bypass vs. Traffic Management Filters (TMFs)

| Aspect                 | Inspection Bypass                            | Traffic Management Filters                     |
|------------------------|----------------------------------------------|------------------------------------------------|
| Processing Location    | Switch-level (BCM)                           | Engine-level                                   |
| Latency Impact         | Virtually none, regardless of load           | Can increase latency under high load or attack |
| License Consumption    | ✅ No impact on inspection bandwidth license | ❌ Consumes licensed bandwidth                 |
| Flexibility            | Less granular                                | Highly granular and configurable               |
| Number of Rules Needed | 1 rule covers both directions                | 2–4 rules may be required                      |
| Configuration Scope    | Device-based                                 | Profile-based                                  |
| Activation             | Immediate (no profile distribution)          | Requires profile distribution                  |


Advantages of Inspection Bypass

 

  • Minimal latency – Switch-level processing ensures virtually zero latency

  • 💰 No license bandwidth consumption – Bypassed traffic doesn't count against throughput limits

  • 🚀 Immediate effect upon creation – Changes activate immediately without profile distribution

  • 📋 Simpler bidirectional handling – Single rule covers both directions


 

Limitations

 

  • ❌ Not supported on vTPS devices 

  • 📉 Legacy devices have reduced rule capacity (8 rules) 

  • 🎯 Limited flexibility compared to TMFs 

  • ⚠️ Requires careful rule design to avoid security gaps 

 

Common Use Cases

 

Organizations typically use Inspection Bypass for: 

 

1. Latency-Sensitive Traffic


  • Voice over IP (VoIP)

  • Real-time communications


2. Connectivity / Control Plane Traffic


  • BGP

  • BFD

  • VRRP

  • Other keepalive, routing, or heartbeat protocols


3. Non-Inspectable or Operational Traffic


  • VPN tunnels

  • Internal trusted traffic

  • SSL/TLS encrypted traffic (e.g., TCP/443)

  • Traffic where inspection is not feasible or beneficial


 

Configuration Overview

 

Inspection Bypass is device-based, meaning rules must be created directly on each TPS device that requires them.  No profile redistribution is required—changes apply immediately.

 

Accessing Inspection Bypass

 

In TippingPoint SMS, navigate to: Devices → All Devices 


  1. Select a device that supports Inspection Bypass

  2. Click Inspection Bypass

  3. Click New to create a rule or Edit to modify an existing one


 

Creating or Editing an Inspection Bypass Rule

 

1. Name and Status 


  • Enter a unique, descriptive name

  • Enable or disable the rule

  • Note: The name is stored in SMS only; it does not appear on the managed device


2. Select an Action 

 

TippingPoint TPS devices support several actions:

| Action           | Description                                        |
|------------------|----------------------------------------------------|
| Bypass (default) | Allows matching traffic to pass without inspection |
| Block            | Drops matching traffic                             |
| Redirect         | Sends traffic uninspected to a specified port      |
| Ingress Mirror   | Copies pre-inspection traffic to another port      |
| Egress Mirror    | Copies post-inspection traffic to another port     |

📝 Note: Mirror and Redirect actions require selecting a Target Port. Mirror actions support up to 4 MTP configurations.

 

3. Configure Traffic Criteria 

 

Specify the matching conditions:


  • Ethernet Type: IP, Not IP, or protocol-specific

  • IP Protocol: TCP, UDP, or other

  • Source IP / Port: Specific IP, CIDR, or Any

  • Destination IP / Port: Specific IP, CIDR, or Any

  • Ports apply only for TCP/UDP

 

4. VLAN Match (Optional) 


  • Leave blank to match all VLANs

  • Specify a VLAN tag or range when needed

  • By default, VLAN, MPLS, and tunneling checks are not performed

 

5. Segment Selection 

 

Choose where the rule applies:


  • Select specific segments, or

  • Use Select All Segments (not recommended for Redirect/Mirror; see the Configuration Best Practices section for details)
 

6. Complete the Wizard 

 

Click Finish to save the rule.

 
 

Advanced Actions: Redirect and Mirroring

 

Redirect 


  • Skips the inspection engine entirely

  • Sends traffic out a specified port uninspected

  • Common for service chaining or offloading traffic to another appliance


Ingress Mirror 


  • Copies traffic before inspection

  • Useful for evaluating raw incoming packets


Egress Mirror 


  • Copies traffic after inspection

  • Useful for validating inspection outcomes

  • VLAN tags are recorded in mirrored packets


💡 Troubleshooting Tip: Mirror both ingress and egress to separate ports to compare before/after inspection traffic.

 
 

Configuration Best Practices

 

1. Use Restrictive Criteria 


  • Avoid broad CIDRs unless absolutely necessary

  • Overly wide bypass rules introduce security risk


2. Port Pairing for Redirect/Mirror 


  • ⚠️ Do not use "Select All Segments" with Redirect/Mirror

  • Can overload the target port

  • Can create traffic loops

  • Always configure one-to-one source-to-target port pairs


3. Port Speed Compatibility 


  • Ensure the target port has equal or greater line speed than the source


4. Rule Count Management 


  • TPS devices: 32 rules

  • Legacy IPS devices: 8 rules

  • Prioritize rules based on operational impact and business needs

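An added example, not TippingPoint's code and not any SMS/TPS API: a small Python linter that models a set of proposed rules and checks them against the four best practices above, plus the Traffic Criteria note that ports apply only to TCP/UDP. The rule fields, segment names and line speeds are assumptions; on a real deployment they would come from the SMS rule list and port configuration.

```python
import ipaddress
from dataclasses import dataclass, field
MAX_RULES = {"tps": 32, "legacy_ips": 8}                        # limits stated in the article
PORT_ACTIONS = {"redirect", "ingress_mirror", "egress_mirror"}  # actions that need a Target Port

@dataclass
class BypassRule:
    name: str
    action: str                    # bypass | block | redirect | ingress_mirror | egress_mirror
    src: str = "any"               # IP, CIDR or "any"
    dst: str = "any"
    ip_proto: str = "any"          # tcp | udp | any (or another protocol name)
    dst_port: str = "any"
    segments: list = field(default_factory=list)  # [] models "Select All Segments"
    target_port: str = ""          # "" = no Target Port chosen

def _prefix_len(value):
    return 0 if value == "any" else ipaddress.ip_network(value, strict=False).prefixlen
def lint_rule(rule, port_speeds, min_prefix=24):
    out = []                                                    # findings for one rule ([] = clean)
    for side, value in (("src", rule.src), ("dst", rule.dst)):  # practice 1: restrictive criteria
        if _prefix_len(value) < min_prefix:
            out.append(f"{rule.name}: {side} {value!r} is broader than /{min_prefix}")
    if rule.dst_port != "any" and rule.ip_proto not in ("tcp", "udp"):  # ports apply to TCP/UDP only
        out.append(f"{rule.name}: dst_port set but ip_proto {rule.ip_proto!r} is not TCP/UDP")
    if rule.action in PORT_ACTIONS:
        if not rule.target_port:
            out.append(f"{rule.name}: {rule.action} requires a target port")
        if not rule.segments:                                   # practice 2: never 'all segments'
            out.append(f"{rule.name}: {rule.action} on all segments risks target overload and loops")
        for seg in rule.segments:                               # practice 3: target speed >= source
            if port_speeds.get(seg, 0) > port_speeds.get(rule.target_port, 0):
                out.append(f"{rule.name}: target {rule.target_port} is slower than segment {seg}")
    return out

def lint_ruleset(rules, platform, port_speeds):
    # practice 4: enforce the per-platform rule count, then lint every rule
    findings = [f"{len(rules)} rules exceed the {platform} limit of {MAX_RULES[platform]}"] if len(rules) > MAX_RULES[platform] else []
    for rule in rules:
        findings.extend(lint_rule(rule, port_speeds))
    return findings

# Constructed sample input: assumed segment names and Gbps line speeds, not values from any device.
SPEEDS = {"seg1A": 10, "seg2A": 1, "mirror1": 1}
SAMPLE = [
    BypassRule("voip", "bypass", "10.1.0.0/24", "10.2.0.0/24", "udp", "5060", ["seg2A"]),
    BypassRule("mirror-all", "ingress_mirror", "any", "any", "any", "any", [], "mirror1"),
    BypassRule("mirror-fast", "egress_mirror", "10.0.0.0/8", "any", "icmp", "443", ["seg1A"], "mirror1"),
]
```

Running `lint_ruleset(SAMPLE, "tps", SPEEDS)` reports nothing for the tightly scoped VoIP rule and seven findings for the two mirror rules; passing nine copies of the clean rule with platform `"legacy_ips"` adds a single rule-count finding.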

 

Monitoring and Statistics

 

Viewing Rule Statistics 

 

Each rule displays a packet counter showing how many packets match the rule.

 

Refresh or Clear Statistics 

 

Buttons at the bottom right allow you to:


  • Refresh counters

  • Clear counters for troubleshooting and validation


 

Inspection Bypass Rule Display Fields

| Property          | Description                             |
|-------------------|-----------------------------------------|
| ID                | Rule index                              |
| Enabled           | Rule on/off status                      |
| Name              | Unique name (SMS-only)                  |
| Ethernet Type     | IP / Non-IP / Protocol-specific         |
| IP Protocol       | TCP, UDP, or other                      |
| Statistics        | Packet match counter                    |
| Src IP / Src Port | Source matching criteria                |
| Dst IP / Dst Port | Destination matching criteria           |
| Action            | Bypass, Block, Redirect, Mirror options |
| Target Port       | Required for Redirect/Mirror actions    |


Summary Comparison

| Aspect           | Inspection Bypass               | Traffic Management                     |
|------------------|---------------------------------|----------------------------------------|
| Rules Required   | 1                               | 2–4                                    |
| Processing Level | Switch                          | Engine                                 |
| Granularity      | Medium                          | High                                   |
| License Impact   | No                              | Yes                                    |
| Activation       | Immediate                       | Requires distribution                  |
| Use Cases        | VoIP, BGP, VPN, encrypted flows | Precise traffic control, rate-limiting |


Getting Help

 

For advanced scenarios, complex rule interactions, or additional guidance, contact TippingPoint Technical Assistance or refer to the official TippingPoint TPS documentation for CLI-level details.