CS-MARS with ASA failover pair and IPS

Unanswered Question
Jun 24th, 2007

Hi.

Has anyone implemented CS-MARS with ASA in active/standby, each with IPS modules?

What is the procedure for adding the devices to CS-MARS - do I define each box separately (remember the active and standby both have the same name) or do I just define one ASA using the failover address?

Any recommendations would be welcome,

regards

Mick.

joemarr_brodart Sun, 06/24/2007 - 10:45

I've asked this question before but never really received a response. So what I'm about to say is based only on my experience.

I added only the active firewall, and then added each IPS blade as a module to the active firewall.

The only drawback is that MARS does not seem to acknowledge failover capabilities. I say this because only one IPS blade (obviously) generates alerts, so the second blade will cause MARS to generate an Inactive CS-MARS reporting device event.

m.reay Sun, 06/24/2007 - 23:44

Thanks for the reply.

That is exactly the way I set it up - Active ASA with both modules defined in the active device.

About the second module not generating alarms - I wouldn't expect it to whilst it was in standby mode as it wouldn't be passing traffic.

When the ASA fails over - the second module should then start to generate alerts.

m.reay Mon, 06/25/2007 - 12:03

Hi Andrew - thanks for replying.

I actually added the ASA using the active addresses and added both of the IPS devices as modules of the ASA rather than as separate devices.

This seems to work fine - can you see any problem doing it this way?

Thanks and regards

Mick.

andrew.burns Mon, 06/25/2007 - 23:33

Hi Mick,

That should work fine - as far as I can tell MARS doesn't care whether the IPS modules are internal or external. I tried it both ways and couldn't see any difference in functionality.

HTH

Andrew.
