IPS Online Failover

Answered Question
Aug 29th, 2010

Hi

I want to propose an inline IPS in a network, but is there an option like the ASA failover option? If one IPS fails, then the whole network is down, so what to do?

So the decision I took is to run the IPS in promiscuous mode. Please, I expect good suggestions.

Regards

Biplob

Correct Answer
terrygwazdosky Sun, 08/29/2010 - 13:31

Unfortunately there is no failover mechanism for the IPS sensors.  You can configure the sensor to fail open so that if the IPS engine fails traffic will bypass inspection and continue to flow.

rhermes Mon, 08/30/2010 - 06:58

Please keep in mind that the Fail Open capability of the Appliance sensors (except for the 4260 and 4270) is SOFTWARE Fail Open.

This means that if an IPS Sensor loses power you do not get put into bypass. If the sensor crashes badly enough you do not get put into bypass, because the sensor needs to realize that it has failed in order to put itself into bypass.

You have a few alternatives:

1) Put your single sensor in promiscuous mode. No matter how badly it fails, you will not impact traffic. You will not get in-line IPS dropping of single-packet attacks, but you can perform shunning (via an ACL) to a router or firewall.

2) Use an external Fail Open switch. There have been several forum discussions that describe how to use an external switch and STP to bypass a failed sensor. Switches are pretty reliable, more so than Sensors.

3) Use 2 sensors on dual rails with fail closed.

- Bob
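As an added illustration of the "fail open" setting terry mentions and the caveat Bob raises about it, here is how the software bypass is set from the sensor CLI. This is not configuration from either poster; it assumes the `service interface` / `bypass-mode` commands of the Cisco IPS 6.x/7.x sensor CLI and a hypothetical sensor hostname.

```cisco
! Assumed Cisco IPS sensor CLI (hostname "sensor" is a placeholder)
sensor# configure terminal
sensor(config)# service interface
! auto = pass traffic uninspected only if the IPS engine itself fails
! off  = fail closed: an engine failure stops traffic on the inline pair
! on   = always bypass: traffic is never inspected (useful only for troubleshooting)
sensor(config-int)# bypass-mode auto
sensor(config-int)# exit
Apply Changes?[yes]: yes
! Note: this is the software bypass Bob describes. It cannot help when the
! sensor loses power or hangs before it can detect its own failure; only a
! hardware bypass interface, an external fail-open switch, or a second sensor
! covers those cases.
```

Review the choice against your risk model: `auto` preserves availability but leaves a window where traffic is uninspected, while `off` preserves inspection but turns a sensor failure into an outage.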
