High availability overview

In high availability (HA) mode, two Network IPS appliances mirror traffic to each other within an existing high availability network environment.

How HA works

HA support is a configuration arrangement between two cooperating appliances. The appliances pass all traffic between them over mirroring links, ensuring that both appliances see all of the traffic over the network and maintain state. Both appliances process packets inline, block attack traffic that is arriving on their inline protection ports, and report events to the management console. Appliances in an HA pair see asymmetrically routed traffic to fully protect the network.

Supported network configurations

High availability networks are typically configured in one of two ways:

Table 1. Supported network configurations
Existing HA configuration | Description
Primary/Secondary | In this configuration, traffic flows on only one of the redundant network segments, and the primary devices on the network handle all of the traffic. If one of the devices fails, the traffic fails over to the secondary redundant network segment and the secondary devices take over.
Clustering | In this configuration, the appliances balance the load between them. Both devices are active and see traffic all of the time.
The HA feature supports both of these network configurations. To accomplish this support, both appliances must maintain an identical state. The appliances are connected by mirror links that consist of multiple connections over multiple ports. These mirror links pass all traffic that an appliance receives on its inline ports to the other appliance. This action ensures the protocol analysis modules (PAM) on both appliances process all of the network traffic. In addition, the appliances process asymmetrically routed traffic. This approach ensures that there is no gap in protection during failover.
Note: If you run the Network IPS Setup when the HA feature is enabled, you cannot modify network settings.

HA and the SiteProtector system

You manage HA through the SiteProtector™ Agent Manager. You must put both appliances in an HA configuration in the same SiteProtector system group. The SiteProtector system can then synchronize appliance updates, including XPUs and policy updates. Each appliance reports to the SiteProtector system by using a unique ID.

HA and the Network IPS Local Management Interface

You can view HA configurations and set the HA mode in the Network IPS Local Management Interface. However, use the SiteProtector system to manage appliances in inline HA configurations.
Note: You can configure both HA partner appliances to use the same policies.
You can apply content updates and firmware updates serially so that one appliance is always operational to maintain network connectivity.

HA processing, blocking, reporting, and generating responses

Appliances in an HA pair process all packets that are received from inline ports and mirror ports. However, the appliances block attacks, report events, and generate responses only for events that occur on their inline ports. They do not block, report, or generate responses for traffic that arrives on mirror ports; mirror port traffic is processed only to maintain state.

Both appliances see all traffic at all times. There is no lapse in security if a failover occurs. Both appliances maintain current state, so if one HA network segment fails, the other appliance receives all packets on its inline ports. The network remains protected without interruption.
Note: A few attacks, particularly sweep attacks such as Port Scans, can generate duplicate events, one from each appliance in a clustered configuration.
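The following Python model is an added illustration, not IBM code, of the behaviour described in this section and in Table 1: every packet an appliance receives on an inline port is copied to its partner over the mirror link, so both appliances hold identical flow state even for asymmetrically routed traffic, but an appliance blocks and reports only for packets that arrived on its own inline ports. It also reproduces the duplicate sweep events noted above: in the clustered case both appliances have inline probes and both report, whereas in the primary/secondary case only the primary does. The flow-tracking rule, the telnet firewall rule, the sweep threshold and the rule that a sweep is reported only by an appliance that saw probes on its own inline ports are simplifications invented for the model, not the product's actual detection logic.

```python
"""Toy model of an HA pair of inline IPS appliances (added example, not IBM code)."""
from collections import defaultdict
from dataclasses import dataclass, field

SWEEP_THRESHOLD = 5  # assumption: distinct ports a source must probe before a sweep event fires


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str  # "S" (SYN), "SA" (SYN-ACK), "A" (ACK)


@dataclass
class Appliance:
    name: str
    partner: "Appliance | None" = None
    # State below is identical on both appliances because every packet reaches both.
    flows: dict = field(default_factory=dict)  # (src, dst, dport) -> last flags seen
    probed_ports: dict = field(default_factory=lambda: defaultdict(set))  # src -> {dport}
    # Per-appliance bookkeeping: sources whose probes hit *this* appliance's inline ports.
    inline_sources: set = field(default_factory=set)
    sweep_reported: set = field(default_factory=set)
    events: list = field(default_factory=list)   # (event_type, source) reported to console
    blocked: list = field(default_factory=list)  # packets this appliance dropped

    def receive(self, pkt: Packet, port: str) -> None:
        """Deliver a packet; port is 'inline' (network) or 'mirror' (from the partner)."""
        if port == "inline" and self.partner is not None:
            self.partner.receive(pkt, "mirror")  # copy over the mirror link
        self._update_state(pkt)   # both appliances analyse every packet
        self._respond(pkt, port)  # but only inline-port packets get responses

    def _update_state(self, pkt: Packet) -> None:
        self.flows[(pkt.src, pkt.dst, pkt.dport)] = pkt.flags
        if pkt.flags == "S":
            self.probed_ports[pkt.src].add(pkt.dport)

    def _respond(self, pkt: Packet, port: str) -> None:
        if port != "inline":
            return  # mirror traffic: analysis only, no block/report/response
        if pkt.flags == "S":
            self.inline_sources.add(pkt.src)
        if pkt.dport == 23:  # toy firewall rule: drop telnet on inline ports
            self.blocked.append(pkt)
            self.events.append(("firewall_block", pkt.src))
        if (len(self.probed_ports[pkt.src]) >= SWEEP_THRESHOLD
                and pkt.src in self.inline_sources
                and pkt.src not in self.sweep_reported):
            self.sweep_reported.add(pkt.src)
            self.events.append(("sweep", pkt.src))


def make_pair() -> tuple[Appliance, Appliance]:
    a, b = Appliance("A"), Appliance("B")
    a.partner, b.partner = b, a
    return a, b


def asymmetric_flow() -> tuple[Appliance, Appliance]:
    """Constructed scenario: client->server packets traverse A, server->client packets traverse B."""
    a, b = make_pair()
    client, server = "10.0.0.5", "10.0.1.9"
    a.receive(Packet(client, server, 80, "S"), "inline")
    b.receive(Packet(server, client, 51000, "SA"), "inline")
    a.receive(Packet(client, server, 80, "A"), "inline")
    a.receive(Packet(client, server, 23, "S"), "inline")  # hits the toy firewall rule on A only
    return a, b


def port_sweep(clustered: bool) -> tuple[Appliance, Appliance]:
    """Constructed scenario: six SYN probes; clustered spreads them over both appliances,
    primary/secondary sends them all through A while B only sees mirror copies."""
    a, b = make_pair()
    for i, dport in enumerate(range(1000, 1006)):
        target = b if clustered and i % 2 else a
        target.receive(Packet("198.51.100.7", "10.0.1.9", dport, "S"), "inline")
    return a, b


if __name__ == "__main__":
    a, b = asymmetric_flow()
    print("identical state:", a.flows == b.flows, "| A blocked:", len(a.blocked), "B blocked:", len(b.blocked))
    for mode in (False, True):
        a, b = port_sweep(clustered=mode)
        print("clustered" if mode else "primary/secondary", "sweep events:", a.events + b.events)
```

Running the script prints that both appliances hold identical state for the asymmetric flow while only A blocks the telnet SYN, one sweep event in the primary/secondary case and two (one per appliance) in the clustered case.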

HA modes

In an HA configuration, the appliance can operate only in inline simulation mode or inline protection mode; passive monitoring mode is not supported. When you select an HA mode, all inline adapters are put in the corresponding adapter mode automatically.

HA does not address the availability or fault-tolerance of the appliances themselves. No separate high availability solution exists for appliances that are configured and wired for passive monitoring mode. You can configure appliances by using the following high availability modes:

Table 2. HA appliance modes
Setting | Description
HA Protection | Both HA partner appliances monitor traffic inline, and each reports and blocks the attacks that are configured with a block response, quarantine response, or firewall rules. The appliances monitor HA group segments through mirror links, ready to take over reporting and protection in case of network failover.
HA Simulation | Both HA partner appliances monitor traffic inline but do not block any traffic. Instead, both appliances monitor traffic and provide passive notification responses. The appliances monitor HA group segments through mirror links, ready to take over notification in case of network failover.
Geographical HA | Both HA partner appliances share the quarantine state and share quarantine rules through their management ports. Communication between the appliances is encrypted and requires certificates.

Licensing

Licensing for an HA configuration is identical to licensing for a non-HA appliance. Each individual appliance requests a single license from the SiteProtector system.

HA considerations