Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
245
Views
4
Helpful
2
Replies

Secondary CS-MARS appliance deployment question

gautamzone
Level 1
Level 1

‎12-02-2006 12:23 AM - edited ‎03-09-2019 04:59 PM

Hi friends,

I have two 100e CS-MARS appliance and I am just contemplating the use of one 100e MARS appliance as secondary in the network. I wanted to clarify a few things:

1. The Install / Setup guide for CS-MARS tells me that I can use the Secondary MARS appliance if I put the primary MARS appliance offline. Isn't it possible to use a secondary mars appliance with a different IP and use it just to analyze old archived event data?

2. If I choose to deploy any CS-MARS appliance as a standby only, does CS-MARS understand any dynamic protocol like HSRP that can be used to automatically failover to the secondary

in the event of a failure?

Would appreciate any inputs on deploying secondary / standby MARS appliance

Thanks a lot

Regards

Gautam

Labels:
0 Helpful
2 Replies 2

mhellman
Level 7
Level 7

‎12-03-2006 07:42 PM

1) I believe what they're referring to is a second CSMARS that has the same configuration as the other (for example, restored using pnrestore). You can probably have both online at the same time, if you plan it carefully. You have to at least consider:

a) devices where information is pulled (i.e. Cisco IPS, Checkpoint, Windows)

b) SNMP to network devices

c) the archive settings

d) rules with notifications

e) you'll have to update the license after a restore

f) obviously you'd have to change the IP address

Regarding using the second appliance to analyze old archived data, I keep hearing people talk about that but fail to see how it's feasible. I'm not aware of a pnrestore option that allows you to restore a range of dynamic data. I believe you can only restore from a certain date in the past to the present. Cisco recommends simply manipulating the archive date so that only the correct range is available. I don't consider that even remotely realistic or advisable.

2) no, there is no support for automatic failover.

We have a secondary device for DR purposes. It runs concurrently, for testing only. In the event of a failure of the primary, we will use pnrestore to recover it from archived data. We have tested this numerous times and it works.

gautamzone
Level 1
Level 1
In response to mhellman

‎12-05-2006 01:43 AM

Thanks a lot for the answer Hellman. That was really helpful.

0 Helpful
Customers Also Viewed These Support Documents