Cisco Support Community
Community Member

4260 Sensor connected to Active/Active firewalls

I have the following scenario:

We have two edge firewalls in an Active/Active setup connected directly to two core switches. Two new IPS sensors (4260) are required to be connected inline between the firewalls and the core switches. What is the best practice design for such a scenario? Does the diagram below work in this case, or is another design applicable?

[attached diagram: design.jpg]

5 REPLIES

Re: 4260 Sensor connected to Active/Active firewalls

Hi,

The ASAs are virtualized and running security contexts (since you mentioned A/A Failover).
The IPS sensors should connect inline.

The IPS sensors are transparent to the network (L2) and don't require readdressing.
It seems to me that it depends on the number of security contexts you have on the pair of ASAs and
on the connections between those ASAs and the core switches (to make sure all traffic flowing between the ASAs
and the switches goes through the IPS sensors).

What I've done is to put the IPS sensors in IDS mode for some days and then place them inline (to make sure
they can deal with the amount of traffic).

Let me know if you have any questions.

Federico.

Community Member

Re: 4260 Sensor connected to Active/Active firewalls

Thanks Federico

Actually, the firewalls are Netscreen. Is there any difference?

What about the physical connections? Are the above diagram and design valid, so that I can separate the traffic using VLANs and make each IPS handle only the traffic coming to one core switch?

Re: 4260 Sensor connected to Active/Active firewalls

Hi Thaer,

I don't see any problem with that.

Just make sure the traffic that passes through the sensor is symmetric.

As I mentioned, if possible try to set up the IDS in promiscuous mode first before setting the sensor in IPS mode.

Federico.

Community Member

Re: 4260 Sensor connected to Active/Active firewalls

What do you mean by symmetric? How can I ensure this?

Thanks for your help.

Re: 4260 Sensor connected to Active/Active firewalls

What I mean by symmetric is that the sessions that enter one IPS come back through that same IPS.

For example, traffic from VLAN X will flow through IPS-1 and when the response comes back, traffic should be inspected again by IPS-1.

If VLAN Y outbound traffic flows through IPS-2, then VLAN Y inbound traffic should flow through IPS-2 as well.

You manipulate this behavior by means of routing on the network devices (not the IPS Sensors).

Federico.

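A practical way to verify the symmetry Federico describes, before moving a sensor from promiscuous to inline mode, is to compare flow records from both sensors and look for sessions whose two directions were seen on different sensors. The script below is an added example, not code from the original thread or from Cisco; the record format, the sensor names ips-1/ips-2 and the sample flows are constructed assumptions (in practice you would feed it whatever per-sensor flow or event export you have).

```python
"""Check that each session is seen, in both directions, by exactly one IPS sensor.

Added example, not part of the original thread. Assumes a constructed,
NetFlow-like record format, one per line:
    <sensor> <proto> <src-ip>:<src-port> > <dst-ip>:<dst-port>
"""
import re
from collections import defaultdict

# Constructed sample records. VLAN 10 hosts (10.1.10.0/24) are meant to be
# inspected by ips-1, VLAN 20 hosts (10.1.20.0/24) by ips-2. The DNS flow was
# deliberately constructed so that its reply returns via the other sensor,
# and the last SSH flow has no reply record at all.
SAMPLE_RECORDS = """\
ips-1 tcp 10.1.10.5:51234 > 203.0.113.10:443
ips-1 tcp 203.0.113.10:443 > 10.1.10.5:51234
ips-2 tcp 10.1.20.7:40001 > 198.51.100.20:80
ips-2 tcp 198.51.100.20:80 > 10.1.20.7:40001
ips-1 udp 10.1.10.9:5353 > 203.0.113.53:53
ips-2 udp 203.0.113.53:53 > 10.1.10.9:5353
ips-1 tcp 10.1.10.11:50000 > 203.0.113.77:22
"""

RECORD_RE = re.compile(
    r"^(?P<sensor>\S+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+>\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_record(line):
    """Split one record into (sensor, proto, (src_ip, src_port), (dst_ip, dst_port))."""
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable record: {line!r}")
    g = m.groupdict()
    return (g["sensor"], g["proto"],
            (g["src"], int(g["sport"])), (g["dst"], int(g["dport"])))


def session_key(proto, a, b):
    """Direction-independent key: request and reply of one session map to the same key."""
    return (proto,) + tuple(sorted([a, b]))


def check_symmetry(records):
    """Group records by session and classify them.

    asymmetric: the session was seen on more than one sensor (return path
                takes a different IPS; this is what breaks inline inspection).
    one_sided:  only one direction was ever seen on the sensor (either an
                unanswered request, or the reply bypassed every sensor).
    """
    seen = defaultdict(lambda: {"sensors": set(), "directions": set()})
    for line in records.splitlines():
        if not line.strip():
            continue
        sensor, proto, src, dst = parse_record(line)
        entry = seen[session_key(proto, src, dst)]
        entry["sensors"].add(sensor)
        entry["directions"].add((src, dst))

    asymmetric = sorted(k for k, v in seen.items() if len(v["sensors"]) > 1)
    one_sided = sorted(k for k, v in seen.items()
                       if len(v["sensors"]) == 1 and len(v["directions"]) == 1)
    return {"sessions": len(seen), "asymmetric": asymmetric, "one_sided": one_sided}


def format_session(key):
    proto, (ip_a, port_a), (ip_b, port_b) = key
    return f"{proto} {ip_a}:{port_a} <-> {ip_b}:{port_b}"


if __name__ == "__main__":
    result = check_symmetry(SAMPLE_RECORDS)
    print(f"{result['sessions']} sessions checked")
    for key in result["asymmetric"]:
        print("ASYMMETRIC (seen on more than one sensor):", format_session(key))
    for key in result["one_sided"]:
        print("one-sided (reply never seen on this sensor):", format_session(key))
```

Run it in promiscuous mode for a while, as the reply suggests, and fix any "asymmetric" session by adjusting routing on the switches and firewalls, not on the sensors, before going inline. Treat "one-sided" hits as leads rather than proof: a single unanswered SYN looks the same as a reply that bypassed the sensor, so confirm them against the switch's own flow table or a longer capture window.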