The failover is only applicable to the ASA. For the IPS the configuration has to be replicated manually. IPS is always active. If traffic flows through it, it will do the inspection. You could do the FTP part for the configuration. If you manage through CSM or VMS, you could possibly push the same configuration to the IPS device and also tune signatures on both without having to do them separately. Something to keep in mind: the 2 SSMs each need their own independent names and IP addresses. If you are using blocking/shunning then only one of the 2 SSMs can block/shun on the firewall.
The rest of the configuration can be the same between the 2 sensors. Automatically copying the configuration on the secondary IPS is planned for the future according to Cisco.
MARS has to be configured to talk to the IPS SSMs in each of the 2 ASAs independently. MARS needs to treat them as 2 separate sensors.
The ASAs are capable of active/active configurations when using multiple contexts.
For context A the ASA on the left can be active and the ASA on the right in standby.
For context B, however, the ASA on the left can be in standby, and the ASA on the right be active.
So traffic can be actively flowing through each ASA.
So the SSM in the left ASA would be monitoring traffic in context A.
And the SSM in the right ASA would be monitoring traffic in context B.
(NOTE: During an ASA failure, both contexts would be made active in the other running ASA, and both contexts monitored by the SSM in the running ASA.)
Because both SSMs are actively monitoring, each SSM needs its own IP address and MARS needs to connect to and monitor both SSMs.
Unlike the ASA, where the ASA has an IP address unique to each context (and passed between ASAs during a failover), the SSMs do NOT have IP addresses unique to the contexts. The SSM has just its single IP address regardless of the number of contexts or failover configuration of the ASA.
In the future the plan is to have the 2 SSMs be able to sync their sensing configuration settings, but even then they will still each need their own unique IP address and name, because in an active/active ASA configuration both of the SSMs will be actively monitoring different traffic.
So MARS will always need to connect to each SSM's IP address uniquely.