IDSM placement and redundancy question

Answered Question
Jun 22nd, 2008

Hi, does the IDSM-2 support any sort of redundancy protocol?

I can't see anything in the config guide.

If I wanted to place a redundant pair on the outside of a pair of firewalls, how would I manage the redundancy of them?


My other question is, is it better to place the IDSM on the outside of external facing firewalls or on the inside?


Many Thanks, Dom

Correct Answer by Farrukh Haroon about 8 years 9 months ago

Please see the attached file for some design guidelines.


Regards


Farrukh



Overall Rating: 5 (1 ratings)
Farrukh Haroon Sun, 06/22/2008 - 07:35

The IDSM-2 supports redundancy through the EtherChannel protocol. I can send you a sample config if you want.


IPS systems are generally placed behind firewalls because they have more throughput challenges than firewalls and by virtue of being behind the firewall they have to filter/scan less traffic.


Regards


Farrukh

d-fillmore Tue, 06/24/2008 - 02:46

Yeah that'd be great if you could.

Many Thanks in advance

Dom

Farrukh Haroon Tue, 06/24/2008 - 03:37

These are two IDSM-2s connected to slots four and five of the same chassis. We are running FWSM >> MSFC OUTSIDE setup. All inter-VLAN traffic is evaluated first by the IDSM, then by the FWSM. Users' default gateway is the FWSM.


Here you go:


! Both modules are managed on the same access VLAN
intrusion-detection module 4 management-port access-vlan 100
intrusion-detection module 5 management-port access-vlan 100
! data-port 1 of each module joins channel-group 5 and data-port 2 joins
! channel-group 6, so each port-channel keeps a member if one module fails
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
! VLANs trunked to the data-port-1 side of the pair
intrusion-detection port-channel 5 trunk allowed-vlan 200-204,208
intrusion-detection port-channel 5 trunk allowed-vlan 708
intrusion-detection port-channel 5 autostate include
intrusion-detection port-channel 5 portfast enable
! VLANs trunked to the data-port-2 side of the pair
intrusion-detection port-channel 6 trunk allowed-vlan 260,280,400,401
intrusion-detection port-channel 6 trunk allowed-vlan 111-114
intrusion-detection port-channel 6 autostate include
intrusion-detection port-channel 6 portfast enable


Regards


Farrukh
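
The posted config relies on two properties that are easy to break when it is edited later: each data port-channel must have member data-ports from both modules (otherwise losing one IDSM-2 takes the channel down), and the VLAN sets trunked to the two port-channels must not overlap, since a VLAN can only sit on one side of the pair. The script below is an added example, not code from the thread or from Cisco; it parses the `intrusion-detection` lines of a Catalyst 6500 running-config (the posted config is embedded as constructed sample input) and reports any violation of those properties. It assumes repeated `trunk allowed-vlan` lines for the same port-channel are additive, as the posted running-config reads, and it only checks module-level redundancy inside one chassis, not chassis-to-chassis failover.

```python
"""Sanity-check an IDSM-2 EtherChannel redundancy configuration.

Added example (not from the original thread). Parses the
`intrusion-detection ...` lines of a Catalyst 6500 running-config and
checks that:
  1. every data port-channel has member data-ports from at least two
     IDSM-2 modules, so one module failing leaves the channel up;
  2. the VLAN sets trunked to the two port-channels of the pair are
     disjoint (each VLAN must be on exactly one side);
  3. all modules use the same management access VLAN.
"""
import re
from collections import defaultdict

# Constructed sample input: the config posted in the thread.
SAMPLE_CONFIG = """\
intrusion-detection module 4 management-port access-vlan 100
intrusion-detection module 5 management-port access-vlan 100
intrusion-detection module 4 data-port 1 channel-group 5
intrusion-detection module 4 data-port 2 channel-group 6
intrusion-detection module 5 data-port 1 channel-group 5
intrusion-detection module 5 data-port 2 channel-group 6
intrusion-detection port-channel 5 trunk allowed-vlan 200-204,208
intrusion-detection port-channel 5 trunk allowed-vlan 708
intrusion-detection port-channel 5 autostate include
intrusion-detection port-channel 5 portfast enable
intrusion-detection port-channel 6 trunk allowed-vlan 260,280,400,401
intrusion-detection port-channel 6 trunk allowed-vlan 111-114
intrusion-detection port-channel 6 autostate include
intrusion-detection port-channel 6 portfast enable
"""

MEMBER_RE = re.compile(
    r"^intrusion-detection module (\d+) data-port (\d+) channel-group (\d+)$")
VLAN_RE = re.compile(
    r"^intrusion-detection port-channel (\d+) trunk allowed-vlan (\S+)$")
MGMT_RE = re.compile(
    r"^intrusion-detection module (\d+) management-port access-vlan (\d+)$")


def expand_vlans(spec):
    """Expand a Cisco VLAN list such as '200-204,208' into a set of ints."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
            vlans.update(range(lo, hi + 1))
        else:
            vlans.add(int(part))
    return vlans


def parse_idsm_config(text):
    """Return (members, vlans, mgmt):
    members[channel] -> {(module, data_port), ...}
    vlans[channel]   -> set of VLAN ids trunked to that port-channel
    mgmt[module]     -> management access VLAN
    Repeated 'trunk allowed-vlan' lines are treated as additive, which is
    how the posted running-config reads (an assumption of this example).
    """
    members = defaultdict(set)
    vlans = defaultdict(set)
    mgmt = {}
    for line in text.splitlines():
        line = line.strip()
        if m := MEMBER_RE.match(line):
            members[int(m.group(3))].add((int(m.group(1)), int(m.group(2))))
        elif m := VLAN_RE.match(line):
            vlans[int(m.group(1))] |= expand_vlans(m.group(2))
        elif m := MGMT_RE.match(line):
            mgmt[int(m.group(1))] = int(m.group(2))
    return members, vlans, mgmt


def check_redundancy(text, pair=(5, 6)):
    """Return a list of problems found; an empty list means all checks pass."""
    members, vlans, mgmt = parse_idsm_config(text)
    problems = []
    for ch in pair:
        modules = {mod for mod, _ in members.get(ch, set())}
        if len(modules) < 2:
            problems.append(
                f"port-channel {ch} has data-ports from {sorted(modules)} only; "
                "a single module failure takes the channel down")
    a, b = pair
    overlap = vlans.get(a, set()) & vlans.get(b, set())
    if overlap:
        problems.append(
            f"VLANs {sorted(overlap)} are trunked to both port-channel {a} "
            f"and {b}; each VLAN must sit on one side of the pair")
    if len(set(mgmt.values())) > 1:
        problems.append(f"management VLANs differ across modules: {mgmt}")
    return problems


if __name__ == "__main__":
    report = check_redundancy(SAMPLE_CONFIG)
    for line in report or ["OK: both port-channels are dual-homed, VLAN sets disjoint"]:
        print(line)
```

Run it against a saved `show running-config | include intrusion-detection` to re-check the design after any change; removing the module 5 lines from the sample, for instance, produces one problem per port-channel.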

d-fillmore Tue, 06/24/2008 - 08:15

Thanks for your response Farrukh, I don't think I was clear enough in my original post. I meant chassis to chassis redundancy.

My client insists on putting the IDSMs on the outside of the firewall, in front of a pair of FWSMs (in separate chassis).

Maybe there isn't a need for an HA relationship between the IDSMs, as the active FWSM will ensure that the traffic flows through one of the IDSMs and not the other?

Cheers, Dom
