4260 Sensor connected to Active/Active firewalls

Mar 30th, 2010

I have the following scenario:

We have two edge firewalls in an Active/Active setup connected directly to two core switches. Two new IPS 4260 sensors are required to be connected inline between the firewalls and the core switches. What is the best practice design for such a scenario? Does the diagram below work in this case, or is another design applicable?


Federico Coto F... Tue, 03/30/2010 - 15:46


The ASAs are virtualized and running security contexts (since you mentioned A/A Failover).
The IPS sensors should connect inline.

The IPS are transparent to the network (L2) and don't require readdressing.
It seems to me that it depends on the number of security contexts that you have on the pair of ASAs and on the connections between those ASAs and the core switches (to make sure all traffic flowing between the ASAs and the switches goes through the IPS sensors).

What I've done is to put the IPS sensors in IDS mode for some days and then place them inline (to make sure they can deal with the amount of traffic).

Let me know if you have any questions.


thaer.issa Tue, 03/30/2010 - 15:53

Thanks Federico

Actually, the firewalls are Netscreen. Is there any difference?

What about the physical connections? Are the above diagram and design valid, so that I can evaluate the traffic using VLAN separation and make each IPS handle only the traffic going to one core switch?

Federico Coto F... Tue, 03/30/2010 - 16:16

Hi Thaer,

I don't see any problem with that.

Just make sure the traffic that passes through the sensor is symmetric.

As I mentioned, if possible try to set up the IDS in promiscuous mode first before setting the sensor in IPS mode.


thaer.issa Tue, 03/30/2010 - 16:18

What do you mean by symmetric? How can I ensure this?

Thanks for your help.

Federico Coto F... Tue, 03/30/2010 - 16:26

What I mean by symmetric is that the sessions that enter through one IPS come back through the same IPS.

For example, traffic from VLAN X will flow through IPS-1 and when the response comes back, traffic should be inspected again by IPS-1.

If VLAN Y outbound traffic flows through IPS-2, then VLAN Y inbound traffic should flow through IPS-2 as well.

You manipulate this behavior by means of routing on the network devices (not the IPS Sensors).
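
As an added illustration of the symmetry requirement described above (example code, not part of the original thread): a small Python check that reads constructed sensor connection records and flags any session whose request and reply were seen on different sensors, which is what an operator would want to confirm after adjusting routing. The record format, sensor names and addresses are assumptions.

```python
"""Check that both directions of each session traverse the same inline IPS sensor."""
from collections import defaultdict

# Constructed sample connection records, in the shape an inline sensor might
# log them: (sensor, src_ip, src_port, dst_ip, dst_port, proto). Not real data.
SAMPLE_RECORDS = [
    # VLAN X client -> internet via IPS-1, reply also via IPS-1: symmetric
    ("IPS-1", "10.10.1.25", 51000, "203.0.113.7", 443, "tcp"),
    ("IPS-1", "203.0.113.7", 443, "10.10.1.25", 51000, "tcp"),
    # VLAN Y client -> internet via IPS-2, reply returns through IPS-1:
    # asymmetric, so neither sensor sees the whole session
    ("IPS-2", "10.10.2.40", 52000, "198.51.100.9", 80, "tcp"),
    ("IPS-1", "198.51.100.9", 80, "10.10.2.40", 52000, "tcp"),
    # Outbound DNS with no reply logged yet: one-sided, not yet asymmetric
    ("IPS-2", "10.10.2.41", 53000, "198.51.100.53", 53, "udp"),
]


def session_key(src_ip, src_port, dst_ip, dst_port, proto):
    """Direction-independent key: order the two endpoints so that a request
    and its reply map to the same session."""
    a, b = (src_ip, src_port), (dst_ip, dst_port)
    return (proto,) + (a + b if a <= b else b + a)


def check_symmetry(records):
    """Return (asymmetric, one_sided): sessions observed on more than one
    sensor, and sessions observed in only one direction so far."""
    sensors = defaultdict(set)
    directions = defaultdict(set)
    for sensor, s_ip, s_port, d_ip, d_port, proto in records:
        key = session_key(s_ip, s_port, d_ip, d_port, proto)
        sensors[key].add(sensor)
        directions[key].add((s_ip, s_port))
    asymmetric = {k: sorted(v) for k, v in sensors.items() if len(v) > 1}
    one_sided = [k for k, v in directions.items() if len(v) == 1]
    return asymmetric, one_sided


if __name__ == "__main__":
    asym, lonely = check_symmetry(SAMPLE_RECORDS)
    for key, seen_on in asym.items():
        print("ASYMMETRIC session %s seen on sensors %s" % (key, seen_on))
    for key in lonely:
        print("one-sided so far: %s" % (key,))
```

Feed it records exported from both sensors for the same time window; any entry in the asymmetric list points at a VLAN whose outbound and return paths are split across the two sensors.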


