Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
745
Views
9
Helpful
4
Replies

how to config IPS module of ASA failover?

nantian800
Level 1
Level 1

‎09-14-2006 07:16 PM - edited ‎03-10-2019 03:13 AM

With the ASA firewalls work as failover group,how can i config the IPS module of them work as failover too?When ASA firewall works,i just need config primary one,then,how to deal with IPS mudules of ASA firewall?

Labels:
0 Helpful
4 Replies 4

Fernando_Meza
Level 7
Level 7

‎09-14-2006 07:42 PM

Hi .. I am assuming you are configuring Active/Standby right .? The Modules as such are almost independent of the ASA. And they are independent of each other. You would have to configure the modules manually with similar configuration. I think the only different set you might need to make unique is the sensor's management IP addresses. Everything else should be the same. In this way when Active ASA is up then traffic will be inspected by its sensor module. When failover takes over to the secondary ASA then traffic will flow by its interfaces and will be be inspected by its Sensor module. There will not be an automatic synchronization between the modules. Any changes will have to be done manually in every sensor.

I hope it helps .. please rate it if it does !!!

nantian800
Level 1
Level 1
In response to Fernando_Meza

‎09-17-2006 05:07 PM

cool,thank you!

0 Helpful

andrew.burns
Level 7
Level 7

‎09-15-2006 12:45 AM

Hi,

There is NO failover capability of IPS modules in an ASA, which means the following:

1) You need to set them up as independent IPS modules, with different IP's.

2) If you make a change on one then you'll need to make the change on the other if you want them to be in sync.

3) If you update signatures on one then you'll also have to update signatures on the other to keep them in sync. (This is easier if you use CSM to create a signature policy - or you can configure all your IPS to get updates from an ftp server)

So, whenever the primary ASA is active you'll get events from the IP of the primary IPS, but in a failover scenario you'll suddenly start to get events from a different IP (the sensor in the secondary ASA).

One final tip - if you upgrade the software on the sensor in the primary ASA you'll cause a failover because a sensor reboot causes the ASA to think it's failed.

HTH

Andrew.

nantian800
Level 1
Level 1
In response to andrew.burns

‎09-17-2006 05:03 PM

ok!that is great,thank you.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card