TTechclick ⚡ XP 0% All lessons
Cisco · Secure Firewall · deployment & interface modesInteractive · L1 / L2 / L3

FTD Deployment & Interface Modes — Routed, Transparent, Inline & Passive

FTD firewall mode is device-wide — routed (L3) or transparent (L2) — but each interface can also be inline, inline tap or passive for IPS. This lesson separates firewall mode from interface mode, shows when an interface can actually drop a packet versus only alert on it, covers ERSPAN and security zones, and gives you a clean rule for choosing a mode.

📅 2026-06-18 · ⏱ 15 min · 5 infographics · live packet demo · 🏷 10-Q assessment + AI Tutor inline

⚡ Quick Answer

A clear, interactive guide to Cisco Secure Firewall Threat Defense deployment and interface modes (2026): device-wide firewall mode (routed L3 vs transparent L2 bridging with a BVI), and the interface/IPS modes — inline pair (can drop), inline tap (copy, cannot drop the original), passive/SPAN (monitor only) and ERSPAN. Plus security zones and how to pick the right mode for evaluation, active blocking or insertion without re-IP.

🎯 By the end you will be able to

Read as:

Pick where you want to start

1

Firewall mode

Routed (L3) vs transparent (L2/BVI).

 2

Inline IPS

Inline pair vs inline tap — who can drop.

 3

Monitor-only

Passive/SPAN & ERSPAN.

 4

Choosing a mode

Pick a mode + security zones.

🧠 Warm-up — 3 questions, no score

Just notice which ones make you pause. We answer all three inside the lesson.

1. Which firewall mode is an L2 bump-in-the-wire using a BVI?

Answered in Firewall mode.

2. Which interface mode can actually DROP a malicious packet?

Answered in Inline IPS.

3. What does a passive/SPAN interface do with a threat?

Answered in Monitor-only.

Most engineers think…

Most people assume that if FTD 'sees' a malicious packet, it blocks it. That assumption is wrong often enough to fail an interview and to let a real attack through in production.

Whether FTD can drop a packet depends on the interface mode, not just the policy. An inline pair sits in the traffic path and can drop; an inline tap inspects a copy and can only alert; and passive/SPAN receives a mirror and never drops. On top of that sits device-wide firewall mode — routed or transparent. Knowing which mode can actually act on traffic is the difference between a firewall that protects and one that just watches.

① Firewall mode — routed vs transparent

The first choice is device-wide: an FTD runs in one firewall mode for the whole device. Routed mode is the default and the common case — the firewall is a routed L3 hop. Each interface has an IP address, and the device does routing, NAT and VPN. You point networks at it as a gateway.

Transparent mode makes the firewall an L2 bump-in-the-wire. It bridges between interfaces on the same subnet using a Bridge Virtual Interface (BVI), so you can drop it into an existing segment without re-IP-ing the network. The hosts keep their addresses and never know a firewall appeared between them.

The interview line: routed = an L3 gateway that routes/NATs/VPNs; transparent = an invisible L2 bridge (BVI) you insert without re-addressing. Firewall mode is per device, not per interface.

Figure 1 — Routed mode vs transparent mode
Firewall mode is device-wide: a routed L3 gateway, or an invisible L2 bridge you insert without re-IP.Routed mode vs transparent modeRouted (L3)Default firewall modeEach interface has an IPDoes routing, NAT, VPNActs as the network gatewayTransparent (L2)L2 bump-in-the-wireBridges via a BVIInsert without re-IPInvisible to hosts at L3
Firewall mode is device-wide: a routed L3 gateway, or an invisible L2 bridge you insert without re-IP.
Separate firewall mode from interface mode

In interviews, say it cleanly: firewall mode (routed or transparent) is set device-wide; interface mode (inline pair, inline tap, passive) is per interface and decides whether you can act on traffic. Conflating the two is the classic FTD slip — keep them in separate sentences.

Quick check · Q1 of 10 · Understand

Which firewall mode lets you insert FTD into an existing segment without re-IP-ing the hosts?

Correct: b. Transparent mode is an L2 bump-in-the-wire that bridges between interfaces via a BVI, so hosts keep their addresses. Routed mode is an L3 gateway; inline/passive are interface modes, not firewall modes.
👉 So far: Firewall mode is device-wide: routed = an L3 gateway (routing/NAT/VPN, the default); transparent = an L2 bridge via a BVI you insert without re-IP-ing the network.

② Inline IPS — inline pair vs inline tap

Once firewall mode is set, each interface gets an interface (IPS) mode that decides whether it can act. An inline pair places two interfaces directly in the traffic path; packets physically pass through FTD, so Snort can drop a malicious packet before it reaches the destination. This is true IPS — active blocking.

Why inline tap is different

An inline tap also sits in the path, but FTD inspects a copy and forwards the original regardless. It tells you what would have been blocked without risking the live traffic — perfect for tuning an IPS policy before you commit to dropping. The catch: inline tap cannot stop the attack; it only alerts.

The interview line: inline pair = in the path, can drop; inline tap = inspects a copy, alerts only. If the requirement is 'block it', you need an inline pair, not a tap.

Figure 2 — Inline pair — the drop path
In an inline pair the packet passes through FTD, so Snort can drop a threat before it reaches the destination.Inline pair — the drop pathIn (pair A)packet enters inlineSnort inspectNGIPS verdictMalicious?drop in the pathOut (pair B)clean traffic only
In an inline pair the packet passes through FTD, so Snort can drop a threat before it reaches the destination.
🧭
Routed vs transparent
tap to flip

Routed = an L3 gateway that does routing, NAT and VPN (the default). Transparent = an L2 bridge using a BVI that you insert without re-IP-ing the network.

✂️
Inline pair
tap to flip

Two interfaces in the traffic path — packets pass through FTD, so Snort can DROP a malicious packet. This is active IPS blocking.

📋
Inline tap
tap to flip

Inspects a copy while forwarding the original; tells you what would be blocked. Cannot drop — perfect for tuning before you go inline.

👁️
Passive / SPAN & ERSPAN
tap to flip

Receives a mirrored copy (SPAN locally, or GRE-encapsulated for ERSPAN). Monitor only — alerts on threats but never drops a packet.

▶ Watch an inline pair drop a malicious packet

How an inline IPS pair stops an attack in the path. Press Play for the healthy drop, then Break it to see why passive mode fails.

① Enters inlineA malicious packet enters the first interface of the inline pair — it must physically pass through FTD to continue.
② Snort inspectsBecause FTD is in the path, Snort deep-inspects the packet and its NGIPS rules flag it as a known exploit.
③ Drop in pathThe inline pair drops the malicious packet right there — it never reaches the second interface or the destination.
④ Server safeOnly clean traffic exits the pair; the protected server never receives the attack, and an intrusion event is logged.
Press Play to step through the healthy inline drop. Then press Break it.
Quick check · Q2 of 10 · Remember

Which interface mode can actually DROP a malicious packet?

Correct: a. Only an inline pair sits in the traffic path so packets pass through FTD and Snort can drop a threat. Inline tap inspects a copy (alert only) and passive/SPAN and ERSPAN are monitor-only.
👉 So far: Interface mode decides action: inline pair is in the path and CAN drop; inline tap inspects a copy and only alerts. To block, you need an inline pair.

③ Monitor-only — passive/SPAN & ERSPAN

Sometimes you only want visibility, with zero risk to traffic. In passive (SPAN) mode the FTD interface receives a mirrored copy of traffic from a switch SPAN/mirror port. FTD is not in the path: it can detect threats and raise events, but it can never drop a packet, because the real packet already went on its way.

ERSPAN is the same idea over distance: the mirrored traffic is encapsulated in GRE and sent to FTD across a routed network, so the monitoring sensor does not need to be cabled next to the source switch. It is still passive — alerts only, no dropping.

The interview line: passive/SPAN and ERSPAN are monitor-only — great for evaluation and visibility, but they alert and never block. If you must stop traffic, you cannot do it from a passive interface.

Figure 3 — The interface (IPS) mode types
Each interface mode differs in one thing: whether it can actually drop a packet.The interface (IPS) mode typesFTD interfacepick a modeInline pair (can drop)Inline tap (alert only)Passive / SPAN (monitor)ERSPAN (GRE monitor)
Each interface mode differs in one thing: whether it can actually drop a packet.
Figure 4 — Monitor-only path (passive/SPAN)
A passive interface sees a mirrored copy and can alert, but the real packet already passed — no drop possible.Monitor-only path (passive/SPAN)Switch SPAN/mirrorcopies traffic to FTDFTD passive interfacereceives the copy onlySnort inspects copydetects + raises an eventOriginal deliveredFTD not in path — cannot drop
A passive interface sees a mirrored copy and can alert, but the real packet already passed — no drop possible.
Expecting a passive interface to block

A very common production miss: an IPS in passive/SPAN mode raises beautiful alerts but never stops anything, because it only sees a copy. If the requirement is to actually block, a passive (or inline tap) interface cannot do it — you must move to an inline pair.

Quick check · Q3 of 10 · Understand

What is true of a passive/SPAN interface when it detects an attack?

Correct: c. A passive interface receives only a mirrored copy and is not in the path, so it can detect and raise events but cannot drop. The original packet has already been delivered.
👉 So far: Passive/SPAN and ERSPAN are monitor-only — they receive a mirrored copy (GRE for ERSPAN) and can alert but never drop, because FTD is not in the path.

④ Choosing a mode + security zones

Now put it together. Use passive/SPAN (or ERSPAN) when you want to evaluate FTD or gain visibility with no risk — a proof of concept, or watching a sensitive segment. Use an inline pair when you need to actively block. Use inline tap as the safe middle step to tune the IPS policy before going inline. Choose transparent firewall mode when you must insert the device into an existing segment without re-IP-ing; choose routed when the firewall should be the L3 gateway doing routing, NAT and VPN.

Security zones tie it together

Security zones group interfaces (for example inside, outside, dmz) so you write access control and IPS policy per zone rather than per physical port. That keeps policy readable and lets you move interfaces without rewriting rules.

The interview line: passive to watch, inline to block, transparent to insert without re-IP, routed to be the gateway — and zones to group interfaces for policy.

Figure 5 — Picking a mode by goal
Match the mode to the goal: watch, block, tune, or insert without re-addressing.Picking a mode by goalJust watchpassive / SPANTune IPSinline tapBlock liveinline pairInsert no re-IPtransparent mode
Match the mode to the goal: watch, block, tune, or insert without re-addressing.

Sneha at a Pune hospital faces this

FTD is clearly detecting a known exploit in its events, but the attack still reaches the server every time — the firewall sees it yet never stops it.

Likely cause

The monitoring interface was deployed in passive/SPAN mode, so FTD only receives a mirrored copy and can alert but cannot drop the original packet.

Diagnosis

Check the interface configuration: the interface is set to passive, not an inline pair, which is why intrusion events appear but no packet is ever dropped.

FMC ▸ Devices ▸ Interfaces ▸ interface mode ▸ Inline Sets
Fix

Re-cable and reconfigure the segment as an inline pair (an inline set) so traffic passes through FTD and Snort can drop the malicious packets, not just log them.

Verify

Re-test the exploit: the intrusion event now shows the packet was dropped (block action) and the server no longer receives the attack.

Prove the drop, do not assume it

Do not close a 'we blocked it' ticket on the alert alone. Open the intrusion event and confirm the action is Drop/Block, and that the interface is an inline pair. An alert in passive mode means the packet was delivered — verify the action, not just the detection.

Quick check · Q4 of 10 · Apply

You are running a no-risk proof of concept and only need to SEE what FTD would catch. Which mode fits?

Correct: d. Passive/SPAN gives visibility with zero risk to live traffic — perfect for evaluation. Inline pair would put you in the path and could drop; routed/transparent are firewall modes, not the evaluation choice here.
👉 So far: Pick by goal: passive to watch, inline tap to tune, inline pair to block, transparent to insert without re-IP. Security zones group interfaces so policy is written per zone.

🤖 Ask the AI Tutor

Tap any question — instant, scoped to this lesson. No login, no waiting.

Pre-curated from vendor docs + community Q&A, scoped to this lesson. For a live prod issue, paste your export into chat.techclick.in.

📝 Wrap-up assessment — six more

You've answered 4 inline. Six left. 70% (7 of 10) marks the lesson complete on your profile. Tap Submit all answers at the end.

Q5 · Remember

In transparent firewall mode, what logical interface gives the bridge group its IP and represents the bridged segment?

Correct: a. Transparent mode bridges interfaces at L2 and uses a Bridge Virtual Interface (BVI) for the bridge group. Inline pairs and SPAN/GRE relate to interface/monitoring modes, not transparent bridging.
Q6 · Understand

Which set of modes is monitor-only and cannot drop a packet?

Correct: c. Passive/SPAN and ERSPAN both receive a mirrored copy and are not in the traffic path, so they can alert but never drop. Inline pair can drop; routed/transparent are firewall modes.
Q7 · Apply

You must actively block a live attack at a segment. Which interface mode do you deploy?

Correct: b. Only an inline pair is in the traffic path, so FTD can drop the malicious packets. Inline tap and passive/SPAN/ERSPAN can detect and alert but cannot stop the original traffic.
Q8 · Analyze

FTD logs the exploit but it still reaches the server every time. What is the most likely cause?

Correct: c. Detection without a drop is the signature of a monitor-only deployment: a passive/SPAN interface (or inline tap) sees the traffic and alerts but is not positioned to drop it. Move to an inline pair to block.
Q9 · Evaluate

What is the best reason to start a new IPS deployment in inline tap before going inline pair?

Correct: b. Inline tap inspects a copy and forwards the original, so you can validate which traffic the policy would drop without any risk to production. Once tuned, you switch to an inline pair to actually block.
Q10 · Evaluate

Why group interfaces into security zones instead of writing policy per physical port?

Correct: c. Security zones let you write policy per logical zone (inside/outside/dmz) rather than per port, keeping rules readable and letting you add or move interfaces without rewriting the policy.
Lesson complete — saved to your profile.
Almost! You need 70% (7 of 10) — re-read the path that tripped you up and tap "Try again".

🧠 In your own words

Type one line: why can FTD 'see' a malicious packet and still not block it? Then compare with the expert version.

Expert version: Because whether FTD can drop a packet is decided by the interface mode, not by detection. A passive/SPAN (or ERSPAN) interface only receives a mirrored copy and is not in the traffic path, so it can raise an intrusion event but the real packet has already been delivered — alert, no drop. An inline tap also only inspects a copy and forwards the original. Only an inline pair sits in the path so Snort can actually drop the threat. On top of that, firewall mode is device-wide: routed is an L3 gateway (routing/NAT/VPN) and transparent is an L2 bridge via a BVI you insert without re-IP-ing. So the fix for 'sees but does not block' is almost always to move from passive/tap to an inline pair, and to write the policy per security zone.

🗣 Teach a friend

Best way to lock it in — explain it in one line to a teammate. Tap to generate a paste-ready summary.

📖 Glossary

Firewall mode
A device-wide setting: routed (L3 gateway doing routing, NAT and VPN) or transparent (L2 bridge using a BVI).
Routed mode
The default firewall mode — FTD is a routed L3 hop; each interface has an IP and the device routes, NATs and terminates VPN.
Transparent mode
An L2 bump-in-the-wire that bridges between interfaces using a BVI, letting you insert FTD without re-IP-ing the network.
BVI (Bridge Virtual Interface)
A logical interface that gives a transparent bridge group an IP for management and represents the bridged segment.
Inline pair
Two interfaces placed directly in the traffic path so packets pass through FTD and Snort can drop a malicious packet — active IPS.
Inline tap
Inspects a copy of in-path traffic while forwarding the original; it can alert on what would be blocked but cannot drop the original.
Passive / SPAN
An interface that receives a mirrored copy from a switch SPAN port; monitor-only — it alerts but is not in the path and cannot drop.
ERSPAN
Encapsulated Remote SPAN — passive monitoring where mirrored traffic is GRE-encapsulated and delivered to FTD across a routed network.
Security zone
A logical grouping of one or more interfaces so access control and IPS policy can be written per zone instead of per physical port.

📚 Sources

  1. Cisco — Secure Firewall Management Center device config guide: routed and transparent firewall mode. cisco.com/go/secure-firewall
  2. Cisco — FTD interface modes: inline sets, inline tap, passive and ERSPAN. cisco.com
  3. Cisco — Transparent firewall mode and Bridge Virtual Interfaces (BVI). cisco.com
  4. Cisco — Security zones and interface groups in Secure Firewall Threat Defense. cisco.com
  5. Cisco — Choosing a deployment mode for Cisco Secure Firewall Threat Defense. cisco.com
  6. Cisco — Intrusion prevention with Snort 3 across inline and passive interfaces. cisco.com

What's next?

Got the modes straight? A natural next step is the access control policy itself — how prefilter, Security Intelligence and access control rules combine with these interface modes to allow, inspect or drop traffic on each zone.

Next · All interview lessons → Practice on exam.techclick.in →