Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Attention: The Community will be in read-only mode on 12/14/2017 from 12:00 am pacific to 11:30 am.

During this time you will only be able to see content. Other interactions such as posting, replying to questions, or marking content as helpful will be disabled for few hours.

We apologize for the inconvenience while we perform important updates to the Community.

New Member

how to config IPS module of ASA failover?

With the ASA firewalls work as failover group,how can i config the IPS module of them work as failover too?When ASA firewall works,i just need config primary one,then,how to deal with IPS mudules of ASA firewall?

4 REPLIES

Re: how to config IPS module of ASA failover?

Hi .. I am assuming you are configuring Active/Standby right .? The Modules as such are almost independent of the ASA. And they are independent of each other. You would have to configure the modules manually with similar configuration. I think the only different set you might need to make unique is the sensor's management IP addresses. Everything else should be the same. In this way when Active ASA is up then traffic will be inspected by its sensor module. When failover takes over to the secondary ASA then traffic will flow by its interfaces and will be be inspected by its Sensor module. There will not be an automatic synchronization between the modules. Any changes will have to be done manually in every sensor.

I hope it helps .. please rate it if it does !!!

New Member

Re: how to config IPS module of ASA failover?

cool,thank you!

Re: how to config IPS module of ASA failover?

Hi,

There is NO failover capability of IPS modules in an ASA, which means the following:

1) You need to set them up as independent IPS modules, with different IP's.

2) If you make a change on one then you'll need to make the change on the other if you want them to be in sync.

3) If you update signatures on one then you'll also have to update signatures on the other to keep them in sync. (This is easier if you use CSM to create a signature policy - or you can configure all your IPS to get updates from an ftp server)

So, whenever the primary ASA is active you'll get events from the IP of the primary IPS, but in a failover scenario you'll suddenly start to get events from a different IP (the sensor in the secondary ASA).

One final tip - if you upgrade the software on the sensor in the primary ASA you'll cause a failover because a sensor reboot causes the ASA to think it's failed.

HTH

Andrew.

New Member

Re: how to config IPS module of ASA failover?

ok!that is great,thank you.

283
Views
9
Helpful
4
Replies
CreatePlease to create content