Just want to check: can 2 different models of NSP sensor be paired as an HA?
Example: Primary: NS7200, Secondary: NS7100
No, you can't configure 2 different models of sensor into an HA pair, according to the IPS Admin Guide, available at the link below:
Network Security Platform documentation reference guide
I would like to expand on Peter's response. Although he is correct that you cannot use the McAfee NSM to configure different models as an HA pair, that doesn't stop you from using your upstream devices to fail over to another pipe out that traverses a different model sensor. You would lose things like session data from half-completed sessions, and that would cause a minor disruption / lack of alerting on that traffic, but it is essentially the same thing as HA.
We could always argue about this: "losing IPS scanning data is *High Availability*... or not, I guess?"
As mjesmer explained - you don't need two physical IPS devices *connected* in High-Availability pair mode (in other words, a physical Interconnect link) to cover redundant paths.
If you put aside the different models for a second... you can even use that statement with the same 2 x physical NSP devices... and that will still - somehow - be true...:
Say I have a datacentre in NY and one in London? How do I pair the devices? Maybe you could call some friends to lay down a long enough transatlantic cable...
But the reality is that you can only configure those devices as 'standalone sensors' and set them to scan the traffic in "Stateless mode". This means that any signature that is based on understanding the state of the traffic cannot be used, and therefore will be disabled when using STATELESS inspection. Think of this: was the 3-way TCP handshake following the RFC standard? Or have I seen a SYN-ACK packet before this ACK response packet?
They don't care about the 'state of the traffic' at any given time. Out-of-order packets etc. will also be allowed. That means you can potentially fail to detect some attacks.
If I remember well, 10% of the attacks on the sigset are stateful, so you would still be detecting 90% of the signature/protocol-anomaly-based attacks. Too bad or not? That will depend on your requirements.
So if your high availability networks are designed to *not lose any data*, and you require full IPS inspection on that data... using different sensor models - or the same sensor models without the interconnect link - in a stateless inspection mode... could raise some red flags, from my point of view.
Then you can always get, obviously, into how the traffic is flowing, i.e. symmetric traffic, asymmetric traffic, etc. etc... This will also have an impact and may lower (or not) the need for stateful inspection...
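The stateless-versus-stateful point in the post above, as an added illustration that is not part of the thread and not McAfee NSP code: a toy TCP handshake tracker run over two constructed packet sequences, one where a standalone sensor sees both directions of a flow and one where the server's SYN-ACK returned over the other path. The addresses, the packet sequences and the payload marker are all constructed.

```python
# Added illustration (not McAfee NSP code): one sensor on an asymmetric path sees
# only one side of a flow, so state-based checks cannot pass. All data constructed.
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str
    dst: str
    flags: str            # "SYN", "SYN-ACK", "ACK" or "PSH-ACK"
    payload: bytes = b""

PATTERN = b"EXPLOIT-MARKER"   # constructed stand-in for a payload signature

def conn_key(p):
    return tuple(sorted((p.src, p.dst)))   # direction-independent connection id

def track_handshake(state, p):
    """Advance the per-connection TCP state (simplified 3-way handshake)."""
    k = conn_key(p)
    st = state.get(k, "NONE")
    if p.flags == "SYN" and st == "NONE":
        st = "SYN_SEEN"
    elif p.flags == "SYN-ACK" and st == "SYN_SEEN":
        st = "SYNACK_SEEN"
    elif p.flags == "ACK" and st == "SYNACK_SEEN":
        st = "ESTABLISHED"
    elif st != "ESTABLISHED":
        st = "OUT_OF_STATE"   # e.g. an ACK with no SYN-ACK seen by this sensor
    state[k] = st
    return st

def inspect(packets, stateful):
    """Return (connection, state) alerts; stateful mode also requires ESTABLISHED."""
    state, alerts = {}, []
    for p in packets:
        st = track_handshake(state, p)
        if PATTERN in p.payload and (not stateful or st == "ESTABLISHED"):
            alerts.append((conn_key(p), st))
    return alerts

C, S = "10.0.0.5", "192.0.2.10"   # constructed client and server addresses
SYMMETRIC = [Pkt(C, S, "SYN"), Pkt(S, C, "SYN-ACK"), Pkt(C, S, "ACK"),
             Pkt(C, S, "PSH-ACK", PATTERN)]
# Asymmetric path: the server's SYN-ACK returned through the other sensor.
ASYMMETRIC = [Pkt(C, S, "SYN"), Pkt(C, S, "ACK"), Pkt(C, S, "PSH-ACK", PATTERN)]

if __name__ == "__main__":
    print(inspect(SYMMETRIC, stateful=True))    # one alert, state ESTABLISHED
    print(inspect(ASYMMETRIC, stateful=True))   # [] the state check cannot pass
    print(inspect(ASYMMETRIC, stateful=False))  # one alert, state OUT_OF_STATE
```

The third call is the "stateless mode" described in the post: the payload match still fires, but nothing about the handshake can be asserted because this sensor never saw the SYN-ACK.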