In Wire Mode, if a packet reaches the gateway from a trusted source and is destined to a
trusted destination, will the firewall do stateful inspection?
A. No, but IPS inspection will still be enforced.
B. Yes, the Firewall always performs stateful inspection.
C. Yes, but only if SecureXL is disabled.
D. No
D is correct
Overview of Wire Mode
Wire Mode improves connectivity by allowing existing connections to fail over successfully by bypassing firewall enforcement. Traffic within a VPN community is, by definition, private and secure. In many cases, the firewall and the rule on the firewall concerning VPN connections are unnecessary. Using Wire Mode, the firewall can be bypassed for VPN connections by defining internal interfaces and communities as “trusted”.
When a packet reaches a Security Gateway, the Security Gateway asks itself two questions regarding the packet(s):
- Is this information coming from a “trusted” source?
- Is this information going to a “trusted” destination?
If the answer to both questions is yes, and the VPN Community to which both Security Gateways belong is designated as “Wire Mode enabled,” stateful inspection is not enforced and the traffic between the trusted interfaces bypasses the firewall. Since no stateful inspection takes place, no packets can be discarded. The VPN connection is no different from any other connection along a dedicated wire. This is the meaning of “Wire Mode.” Since stateful inspection no longer takes place, dynamic routing protocols (which do not survive state verification in non-wire mode configuration) can now be deployed. Wire Mode thus facilitates Route Based VPN. For information on Route Based VPN, see Route Based VPN (on page 65).