We have two edge firewalls in an Active/Active setup, connected directly to two core switches. Two new IPS 4260 sensors are required to be connected inline between the firewalls and the core switches. What is the best-practice design for such a scenario? Does the diagram below work fine in this case, or is another design applicable?
Re: 4260 Sensor connected to Active/Active firewalls
The ASAs are virtualized and running security contexts (since you mentioned A/A Failover). The IPS sensors should connect inline.
The IPS sensors are transparent to the network (L2) and don't require readdressing. It seems to me that it depends on the number of security contexts you have on the pair of ASAs and on the connections between those ASAs and the core switches (to make sure all traffic flowing between the ASAs and the switches goes through the IPS sensors).
What I've done is put the IPS sensors in IDS mode for some days and then place them inline (to make sure they can deal with the amount of traffic).
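The reply's key design condition is that no ASA-to-core-switch path may bypass a sensor. The following is an added example (not from the poster or from Cisco) that checks that condition on a small constructed link list: it enumerates every direct firewall-to-switch path and reports any leg that does not pass through an IPS node. Device names, the two topologies and the link lists are all constructed for illustration.

```python
from collections import defaultdict
from itertools import product

# Constructed device roles (assumed names, not from the thread)
FIREWALLS = ["ASA1", "ASA2"]
SWITCHES = ["CORE1", "CORE2"]
SENSORS = ["IPS1", "IPS2"]

# Constructed topology matching the reply: each ASA reaches its core
# switch only through an inline sensor; the cores are trunked together.
INLINE_DESIGN = [
    ("ASA1", "IPS1"), ("IPS1", "CORE1"),
    ("ASA2", "IPS2"), ("IPS2", "CORE2"),
    ("CORE1", "CORE2"),
]

# Same topology plus one extra link that lets ASA1 reach CORE2 directly,
# which would let traffic skip inspection.
BYPASS_DESIGN = INLINE_DESIGN + [("ASA1", "CORE2")]


def build_graph(links):
    """Undirected adjacency list from (a, b) link tuples."""
    g = defaultdict(set)
    for a, b in links:
        g[a].add(b)
        g[b].add(a)
    return g


def simple_paths(g, src, dst, path=None):
    """Yield every loop-free path from src to dst (depth-first)."""
    path = path if path is not None else [src]
    if src == dst:
        yield list(path)
        return
    for nxt in g[src]:
        if nxt not in path:
            path.append(nxt)
            yield from simple_paths(g, nxt, dst, path)
            path.pop()


def bypass_paths(links, firewalls, switches, sensors):
    """Return each direct firewall->core-switch leg that has no sensor on it.

    Paths that cross another firewall or core switch are not direct legs
    (they are covered when that device is checked as an endpoint), so they
    are skipped.
    """
    g = build_graph(links)
    bad = []
    for fw, sw in product(firewalls, switches):
        for p in simple_paths(g, fw, sw):
            inner = p[1:-1]
            if any(n in firewalls or n in switches for n in inner):
                continue
            if not any(n in sensors for n in inner):
                bad.append(p)
    return bad


if __name__ == "__main__":
    for name, links in (("inline", INLINE_DESIGN), ("bypass", BYPASS_DESIGN)):
        gaps = bypass_paths(links, FIREWALLS, SWITCHES, SENSORS)
        status = "OK: every leg is inspected" if not gaps else f"UNINSPECTED legs: {gaps}"
        print(f"{name}: {status}")
```

Run it against your own link list (one tuple per cable or port-channel, including any inter-switch links and any links an ASA context has to a second core); anything the script reports is a path a flow could take without hitting a sensor, which is exactly what the IDS-mode trial period in the reply would otherwise only reveal by missing alerts.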