Bypassing a network interface in Windows, Linux and Unix

Product / Version includes:

Deep Security20.0 , Deep Security11.0 , Deep Security12.0 , Cloud One - Endpoint and Workload SecurityAll

Last updated: 2024/05/23

Solution ID: KA-0011061

Category: Configure

Summary

You may bypass network security scan on a dedicated NIC if the NIC is being used for cluster traffic for example. Note that only the dedicated NIC used for cluster can be bypassed. You should never bypass NIC with traffic for production. The purpose of the modification is to avoid cluster node evictions or data replication performance issues where the clustering application (e.g. Oracle RAC DB) is highly sensitive to the packet latency impact of Deep Security Firewall or Intrusion Protection/Detection features.

Traffic on the bypassed interfaces will not be inspected, firewalled or protected in any way. For this reason, it is very important to ensure that only cluster infrastructure traffic (e.g. cluster internode communication, node health checks, or data replication) is running on the interface(s) to be bypassed.

Only bypass cluster-private network interfaces. Do not bypass interfaces carrying production traffic or interfaces which are open to public or the Internet.

To bypass dedicated network interface, follow the steps below depending on your environment:

For instructions on AIX or Oracle Linux RAC, please visit KB article on Bypassing dedicated network interface in AIX or Oracle Linux RAC DB cluster environment.

Solaris

Create a file under /etc directory named "ds_filter.conf".
Open the /etc/ds_filter.conf file.
Add the MAC addresses of all NICs used for cluster private communication to the first line of the file, as follows:
MAC_EXCLUSIVE_LIST=XX:XX:XX:XX:XX,XX:XX:XX:XX:XX
Save and wait for 60 seconds for the changes to take effect.

In the /etc/ds_filter.conf file:

The MAC_EXCLUSIVE_LIST line must be the first line in the file.
All letters in MAC address must be uppercase.
Leading zeros in each byte must be included.
Below are examples:
Valid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E
MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E,6A:23:F0:0F:AB:34

Invalid MAC_EXCLUSIVE_LIST:

MAC_EXCLUSIVE_LIST=B:3A:12:F8:32:5E
MAC_EXCLUSIVE_LIST=0b:3a:12:F8:32:5e,6a:23:F0:0F:ab:34
MAC_EXCLUSIVE_LIST=0B:3A:12:F8:32:5E
If the MAC address is not valid, the interface will not be bypassed.
If the exact string "MAC_EXCLUSIVE_LIST=" is not present at the beginning of the line no interfaces will be bypassed.

Linux

State 01: For Deep Security Agent version earlier than version 20.00-877 (GM build) and not included in State 03

Modify setParameters() in the file /etc/init.d/ds_filter.
Restart the Deep Security Agent Service for the changes to take effect.

State 02: For Deep Security Agent version 20.00-877 (GM build) or higher versions not included in State 03:

Modify setParameters() in the file /opt/ds_agent/Linux.init.
Restart the Deep Security Agent Service for the changes to take effect.

State 03: For the following version of Deep Security Agent:

Version	Release Version
DS 11.0	DSA 11.0.0-2197 or higher
DS 12.0	DSA 12.0.0-2072 or higher
DS 20.0	DSA 20.0.0-3288 or higher

Create a file under /etc directory, with the name "ds_filter.conf"
Fill in the interface name with the following format
- INTERFACE_BYPASS_LIST=<interface name>
- Here is a quick one liner:
```
# echo INTERFACE_BYPASS_LIST=eth0 > /etc/ds_filter.conf
```

Restart the Deep Security Agent Service for the changes to take effect

Windows

Go to the Network Interface Card properties.
Uncheck “Trend Micro Lightweight Filter Driver” then click OK.

Was this article helpful?

Featured

Automation Center

Education Portal

Online Help Center

Service Status

TrendConnect

Bypassing a network interface in Windows, Linux and Unix

Bypassing a network interface in Windows, Linux and Unix

Product / Version includes:

Summary