SNORT and HA mode

For Network IPS appliances, use the following behaviors to decide whether to enable or disable the Inspect HA mirrored ports check box on the SNORT Configuration tab.

Enable

The SNORT systems that are running on appliances in an HA pair inspect packets from mirrored ports. This behavior applies to pairs that are running in inline protection or inline simulation mode. This option increases the possibility of duplicate global responses and SiteProtector™ system alerts. However, this option decreases the chance that SNORT systems miss attacks because the systems analyze all packets, including packets from mirrored ports.

Disable

The SNORT systems that are running on appliances in an HA pair do not inspect packets from mirrored ports. This behavior applies to pairs that are running in inline protection or inline simulation mode. This option minimizes the possibility of duplicate global responses and SiteProtector system alerts. However, this option limits the ability of the SNORT systems to analyze all traffic.

Important: When this option is disabled, it is possible for one of the SNORT systems to miss an attack. Also, the quarantine rules that are generated from SNORT events might be out of sync on the appliances in the HA pair.
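
When the option is enabled, both appliances in the pair can raise an alert for the same packet, so downstream alert handling benefits from collapsing those duplicates. The following Python sketch is an added example, not product code. The record fields, the sensor names `ips-a` and `ips-b`, and the one-second window are all assumptions, and the sample alerts are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample alerts (not product output). "sensor" names the HA peer
# that raised the alert; every field name here is an assumption.
FLOW = {"proto": "TCP", "src": "198.51.100.7", "sport": 44211,
        "dst": "192.0.2.10", "dport": 80}
ALERTS = [
    {"ts": "2024-05-01T10:00:00.120", "sensor": "ips-a", "sid": 2001, **FLOW},
    # Same rule and flow seen through the mirrored port on the peer.
    {"ts": "2024-05-01T10:00:00.135", "sensor": "ips-b", "sid": 2001, **FLOW},
    # Same rule and flow again, but seconds later: a new event, not a duplicate.
    {"ts": "2024-05-01T10:00:04.000", "sensor": "ips-a", "sid": 2001, **FLOW},
    {"ts": "2024-05-01T10:00:05.500", "sensor": "ips-b", "sid": 2002,
     "proto": "TCP", "src": "203.0.113.9", "sport": 51000,
     "dst": "192.0.2.20", "dport": 443},
]


def _key(alert):
    """Identity of an alert: rule id plus the flow 5-tuple."""
    return (alert["sid"], alert["proto"], alert["src"], alert["sport"],
            alert["dst"], alert["dport"])


def collapse_ha_duplicates(alerts, window_ms=1000):
    """Merge alerts for the same rule and flow that the two HA peers raised
    within window_ms of each other. A repeat from the same sensor is kept as
    a separate event, because it is not a mirrored-port duplicate."""
    window = timedelta(milliseconds=window_ms)
    latest = {}   # key -> most recent merged event for that key
    merged = []
    for alert in sorted(alerts, key=lambda a: datetime.fromisoformat(a["ts"])):
        ts = datetime.fromisoformat(alert["ts"])
        key = _key(alert)
        event = latest.get(key)
        if (event is not None and ts - event["first_seen"] <= window
                and alert["sensor"] not in event["sensors"]):
            event["sensors"].add(alert["sensor"])  # peer's copy of the alert
            continue
        event = {"key": key, "first_seen": ts, "sensors": {alert["sensor"]}}
        latest[key] = event
        merged.append(event)
    return merged


if __name__ == "__main__":
    for ev in collapse_ha_duplicates(ALERTS):
        print(ev["first_seen"].isoformat(), ev["key"][0], sorted(ev["sensors"]))
```

An event that lists only one sensor was not confirmed by the peer, which is the normal result when the option is disabled.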