5 Replies Latest reply on Apr 19, 2017 1:16 AM by santonic

    HA pair - enable fail-open option

    santonic

      I'm a bit confused about this option. So if I don't have this option enabled on failover pair no pair of ports on the devices (in this pair) will be able to fail-open? Even if mode on all (pairs of) ports is set to fail-open?

        • 1. Re: HA pair - enable fail-open option
          mjesmer

          Santonic,

           

          The documentation is kind of murky at best.

           

          "7 Enable fail-open for the monitoring ports by selecting Enable for Allow Monitoring Ports to be Configured to Fail Open? option. Enabling this option enables the ability of monitoring ports to permit fail-open configuration. It signifies your intent on whether to prioritize transport over security or prioritize no-network-disruption over traffic monitoring by IPS. McAfee recommends one of the following: • Enabled fail-open configuration: • However, configure the monitoring ports on the primary Sensor as Inline Fail Closed so that they do not fail-open but indicate primary Sensor failure. This causes upstream traffic to be routed to the secondary Sensor thereby continuing traffic monitoring. • Additionally, configure the monitoring ports on the secondary Sensor as Inline Fail Open so that, in case both Sensors have failed traffic bypasses the HA pair. • Disabled fail-open configuration: • This ensures that the primary Sensor will not fail-open in case of a failure. • Nevertheless, configure the monitoring ports on the primary Sensor as Inline Fail Closed so that they do not fail-open but indicate primary Sensor failure. This causes upstream traffic to be routed to the secondary Sensor thereby continuing traffic monitoring. • Additionally, explicitly configure the monitoring ports on the secondary Sensor as Inline Fail Open so that, in case both Sensors have failed traffic bypasses the HA pair."

           

          This is essentially telling you McAfee Recommends setting it one way for fail open config, and one way for the other....except that the individual device/port settings still matter.

           

          The way I would handle this is to set the Fail Over Pair config to Enable Fail-Open and then set the ports accordingly.

           

          So their example and best practice for HA Pairs is to Set the Primary Sensor to Fail Closed, and then set the Secondary Sensor to Fail Open, giving you redundancy for scanning and then minimizing downtime when/if second sensor fails because it will fail open.

           

          Hope that helps, kinda still murky.

          1 of 1 people found this helpful
          • 2. Re: HA pair - enable fail-open option
            santonic

            Yeah, murky is a good word. We've been reading that part repeatedly from documentation even before i was posting this, but after each reading we came to different conclusion.

             

            Was hoping someone actually tried it and can clear the murkiness. Thank you for your reply, I'll wait a bit longer then ask this directly to McAfee.

            • 3. Re: HA pair - enable fail-open option
              d_aloy

              Hi Santonic

               

              This is what I've got from McAfee when discussing this config option:

               

              This configuration goes down to both sensors in HA pair and controls the behaviour of each unit in the HA pair looking to fail-over to its peer unit.

               

              If enabled, when the primary sensor has a failure, it will fail open instead of fail over to the HA peer - so the user will try to ensure that traffic bypasses the primary resulting in no outage from its point of view, while staying in the primary's path.

              • This also requires that the ports on the primary sensor have either a built-in or external Passive failopen or Active failopen kit attach to them.
              • If the primary is configured in IFC (inline fail-close), then the primary's failure will cause outage.
              • So the primary ports should be configured in IFO (inline fail-open) if this is enabled on the primary sensor.

               

              However, most users deploying a HA pair, have the luxury of prioritising Security.

              • If the primary fails (losing IPS), they can fail over to the secondary (continuing IPS),
              • When the secondary fails, they make it fail open (by making its ports go to bypass, thus losing IPS).
              • This ensures that the secondary does a fail open and itself does not try to fail over back to primary…causing a fail over ping pong.

               

              So the recommended configuration in HA deployments is one of the following (both achieving the same)

              1.       Enable this configuration.

              • Configure primary ports in IFC so they don’t fail open but cause outage from primary pov.
              • This causes upstream traffic to fail over to peer.
              • IPS is maintained via the peer HA unit.
              • Configure secondary ports in IFO so they do fail open on failure and traffic bypasses the HA peer.

               

              2.       Disable this configuration.

              • This ensures primary will not fail open but fail over to HA retaining IPS.
              • Leave the primary ports in IFC.
              • Enable IFO explicitly on HA peer so on failure it can bypass traffic.

               

               

              So basically, the 'Allow fail-open' should allow the user to configure the Primary's sensor ports in a Fail-open configuration to maintain the traffic on the primary's path in the event of failure (and you will need the builtin or external fail-open kits configured for this).

              If the 'Allow fail-open' is not enabled, then the primary's sensor ports should not be configured to fail-open but set to fail-close, causing the traffic to be redirected to the secondary's path, where you can then configure the ports to be in failopen mode.

               

              Hope this makes sense.

               

              Regards

              David

              2 of 2 people found this helpful
              • 4. Re: HA pair - enable fail-open option
                mjesmer

                This answer should be marked correct.

                 

                Great job d_aloy, thanks for the post.

                • 5. Re: HA pair - enable fail-open option
                  santonic

                  Yeah, that explains everything, thanx d_aloy.