For Network IPS appliances, use the following behaviors to decide
whether to enable or disable the Inspect HA mirrored ports check box
on the SNORT Configuration tab.
Enable
The SNORT systems that are running on appliances in an HA pair inspect
packets from mirrored ports. This behavior applies to pairs that are
running in inline protection or inline simulation mode. This option
increases the possibility of duplicate global responses and
SiteProtector™ system alerts. However, this option decreases the chance
that SNORT systems miss attacks because the systems analyze all packets,
including packets from mirrored ports.
Disable
The SNORT systems that are running on appliances in an HA pair do not
inspect packets from mirrored ports. This behavior applies to pairs
that are running in inline protection or inline simulation mode. This
option minimizes the possibility of duplicate global responses and
SiteProtector system alerts. However, this option limits the ability
of the SNORT systems to analyze all traffic.
Important: When this option is disabled, it is possible for one of the
SNORT systems to miss an attack. Also, the quarantine rules that are
generated from SNORT events might be out of sync on the appliances in
the HA pair.