In high availability (HA) mode, two Network IPS appliances mirror traffic to each other inside an existing high availability network environment.
HA support is a configuration arrangement between two cooperating appliances. The appliances pass all traffic between them over mirroring links, so that both appliances see all of the traffic on the network and maintain the same flow state. Both appliances process packets inline, block attack traffic that arrives on their inline protection ports, and report events to the management console. Because each appliance also sees what its partner receives, an HA pair can track asymmetrically routed traffic and fully protect the network.
| Existing HA configuration | Description |
|---|---|
| Primary/Secondary | In this configuration, the traffic flows only on one of the redundant network segments and the primary devices on the network handle all of the traffic. If one of the devices fails, the traffic fails over to the secondary redundant network segment and the secondary devices take over. |
| Clustering | In this configuration, the appliances balance the load between them. Both devices are active and see traffic all of the time. |
You manage HA through the SiteProtector™ Agent Manager. You must put both appliances in an HA configuration in the same SiteProtector system group. The SiteProtector system can then synchronize appliance updates, including XPUs and policy updates. Each appliance reports to the SiteProtector system by using a unique ID.
Appliances in an HA pair process all packets that are received on inline ports and mirror ports. However, the appliances block attacks, report events, and generate responses only for events that occur on their inline ports. They do not block, report, or generate responses for traffic that arrives on mirror ports; mirror port traffic is processed only to maintain state.
In an HA configuration, the appliance can operate only in inline simulation or inline protection mode. Passive monitoring mode is not supported. When you select an HA mode, all inline adapters are put in the corresponding adapter mode automatically.
HA does not address the availability or fault-tolerance of the appliances themselves. No separate high availability solution exists for appliances that are configured and wired for passive monitoring mode. You can configure appliances by using the following high availability modes:
| Setting | Description |
|---|---|
| HA Protection | Both HA partner appliances monitor traffic inline, and each reports and blocks the attacks that are configured with a block response, a quarantine response, or firewall rules. The appliances monitor HA group segments through mirror links, ready to take over reporting and protection in case of network failover. |
| HA Simulation | Both HA partner appliances monitor traffic inline but do not block any traffic. Instead, both appliances monitor traffic and provide passive notification responses. The appliances monitor HA group segments through mirror links, ready to take over notification in case of network failover. |
| Geographical HA | Both HA partner appliances share quarantine state and quarantine rules through their management ports. Communication between the appliances is encrypted and requires certificates. |
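The following is an added illustrative model, not the product's own code, of the two behaviours described above: every packet that arrives on an inline port or a mirror port feeds the appliance's flow state, but only inline traffic is reported or blocked, and the HA Protection and HA Simulation settings differ only in whether a reported attack is also blocked. The toy TCP state machine, the constructed `EXAMPLE-ATTACK-PATTERN` signature, the addresses, and the class and function names are all assumptions made for the demonstration; Geographical HA (shared quarantine state over the management ports) is not modelled. The `asymmetric_session` scenario routes client-to-server packets through appliance A and server-to-client packets through appliance B, so it also shows why the mirror link matters: with the link disabled, neither appliance sees a complete handshake and the attack goes undetected.

```python
"""Constructed model of inline versus mirror-port handling in an HA pair of
inline IPS appliances. Example code only; not the product's implementation."""
from dataclasses import dataclass, field

INLINE, MIRROR = "inline", "mirror"
PROTECTION, SIMULATION = "HA Protection", "HA Simulation"

# Constructed signature: any payload carrying this marker counts as an attack.
ATTACK_MARKER = "EXAMPLE-ATTACK-PATTERN"


@dataclass
class Packet:
    src: str
    dst: str
    flags: str          # "SYN", "SYN-ACK", "ACK" or "DATA" (toy TCP)
    payload: str = ""


@dataclass
class Appliance:
    name: str
    mode: str                                   # PROTECTION or SIMULATION
    flows: dict = field(default_factory=dict)   # flow key -> state
    events: list = field(default_factory=list)  # reported to the console
    blocked: list = field(default_factory=list)

    @staticmethod
    def flow_key(pkt):
        # Direction-independent key so both halves of a conversation match.
        return frozenset((pkt.src, pkt.dst))

    def track(self, pkt):
        """Toy TCP state machine: SYN -> SYN_SENT, SYN-ACK -> ESTABLISHED."""
        key = self.flow_key(pkt)
        state = self.flows.get(key)
        if pkt.flags == "SYN":
            self.flows[key] = "SYN_SENT"
        elif pkt.flags == "SYN-ACK" and state == "SYN_SENT":
            self.flows[key] = "ESTABLISHED"
        elif state is None:
            # Mid-stream packet for a flow this appliance never saw open.
            self.flows[key] = "UNKNOWN"
        return self.flows[key]

    def process(self, pkt, port):
        """Every port feeds state tracking; only inline traffic is acted on."""
        state = self.track(pkt)
        if port == MIRROR:
            return "state-only"                  # processed, never acted on
        if ATTACK_MARKER not in pkt.payload or state != "ESTABLISHED":
            return "forward"
        self.events.append((pkt.src, pkt.dst))   # report to the management console
        if self.mode == PROTECTION:
            self.blocked.append((pkt.src, pkt.dst))
            return "block"
        return "forward"                         # HA Simulation: notify only


class HAPair:
    """Two appliances joined by a mirror link: a packet arriving on one
    appliance's inline port is also handed to the partner's mirror port."""

    def __init__(self, a, b, mirror_link=True):
        self.members = {a.name: a, b.name: b}
        self.mirror_link = mirror_link

    def deliver(self, pkt, arrives_at):
        receiver = self.members[arrives_at]
        verdict = receiver.process(pkt, INLINE)
        if self.mirror_link:
            for partner in self.members.values():
                if partner is not receiver:
                    partner.process(pkt, MIRROR)
        return verdict


def asymmetric_session(mode=PROTECTION, mirror_link=True):
    """Client->server packets cross the segment guarded by A, server->client
    packets the segment guarded by B (asymmetric routing). Constructed data."""
    a, b = Appliance("A", mode), Appliance("B", mode)
    pair = HAPair(a, b, mirror_link)
    client, server = "10.0.0.5", "10.0.1.9"
    verdicts = [
        pair.deliver(Packet(client, server, "SYN"), "A"),
        pair.deliver(Packet(server, client, "SYN-ACK"), "B"),
        pair.deliver(Packet(client, server, "ACK"), "A"),
        pair.deliver(Packet(client, server, "DATA", ATTACK_MARKER), "A"),
    ]
    return a, b, verdicts


if __name__ == "__main__":
    for mode in (PROTECTION, SIMULATION):
        a, b, verdicts = asymmetric_session(mode)
        print(mode, verdicts, "A events:", a.events, "B events:", b.events)
    a, b, verdicts = asymmetric_session(PROTECTION, mirror_link=False)
    print("no mirror link", verdicts, "A flows:", a.flows, "B flows:", b.flows)
```

With the mirror link up, both appliances carry the flow as ESTABLISHED, appliance A reports the attack on its inline port and (in HA Protection only) blocks it, while appliance B, which saw the same packet only on its mirror port, reports nothing. With the link down, A never sees the SYN-ACK and B never sees the SYN, so neither has a complete flow and the attack packet is forwarded.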
Licensing for an HA configuration is identical to licensing for a non-HA appliance. Each individual appliance requests a single license from the SiteProtector system.