Sign In with your
Trend Micro Account
Need Help?
Need More Help?

Create a technical support case if you need further support.

What is Symmetric vs. Asymmetric mode?

    • Updated:
    • Product/Version:
    • TippingPoint IPS N-series All
    • TippingPoint IPS NX-series All
    • TippingPoint IPS S-series All
    • TippingPoint TPS All
    • TippingPoint Virtual TPS All
    • Platform:
Summary

Asymmetric Network: An asymmetric network has multiple routes for incoming and outgoing network traffic. As such traffic takes a different route when entering or exiting the network.

Symmetric Network: A symmetric network has a single route for incoming and outgoing network traffic. As such traffic takes the same route when entering or the network.

Details
Public

It is very common for traffic to be asymmetrical in both Service Provider and larger Enterprise networks due to the nature of routing within a large, complex environment that has multiple entry and exit points. Since the bulk of the IPS filters are flow based (meaning state kept per flow versus per session), attacks are detected in either send or receive directions.

By default TippingPoint devices are shipped with Asymmetric mode enabled. This means that the device only sees one side of the TCP connection. When using Advanced Distributed Denial of Service (DDoS) protection filters, you must place the IPS device in a Symmetric network and you must disable Asymmetric mode. The device must be able to see both sides of the traffic flow.

Advanced DDoS

When using Advanced DDoS Protection filters, keep in mind the following:

  •  You must place the device in a Symmetric Network.
  •  You must disable Asymmetric Mode for the device.

DDoS filters - Infrastructure protection filters that detect DDoS attacks which flood a network with requests, including traditional SYN floods, DNS request floods against nameservers, and attempts to use protected systems as reflectors or amplifiers in attacks against third parties. Advanced Distributed Denial of Service (DDoS) filters enable you to create filters for detecting denial of service attacks.

Note: DDoS protection filters are enabled by enabling SYN Proxy and specifying the Threshold level in the Profiles area of the SMS. No other Advanced DDoS options on the SMS are available.

Premium
Internal
Rating:
Category:
Configure; Troubleshoot; Deploy
Solution Id:
TP000086251
Feedback
Did this article help you?

Thank you for your feedback!

To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.

If you need additional help, you may try to contact the support team. Contact Support


To help us improve the quality of this article, please leave your email here so we can clarify further your feedback, if neccessary:
We will not send you spam or share your email address.

*This form is automated system. General questions, technical, sales, and product-related issues submitted through this form will not be answered.