It's been a short while since I have deployed NSPs (I believe the last I deployed were 6.1) and I am just looking to refresh my head with regards to the requirements for asymmetric routing environments. Looking at the IPS Administration Guide (v7.5 rev C) p46, under 'interface groups', it states:
"An interface group, also known as port clustering in networking parlance, combines the traffic processed on separate Sensor interfaces—or, in the case of a Failover Pair, on separate Sensors—into a single logical interface for state and intrusion analysis."
which would seem to me to state clearly that if we do have separate sensors in a failover pair, in order to allow for the correct processing of traffic in an asymmetric routing environment, an interface group needs to be configured. That makes sense to me, however under 'primary v active' (section before 'interface groups'), we have the following:
"This Active‑Active configuration provides the added benefit of supporting asymmetric traffic flows (that is, when packets belonging to the same TCP/UDP flow are divided across Sensors). Thus, the Network Security Platform failover pair will detect attacks even when the traffic is asymmetric. This topic is discussed, in the section Interface groups."
This appears to imply in the first instance that the support of asymmetric routing is there by default - the second part, however, refers to the 'interface groups' section.
My question is, as the sensors in a failover pair are always *really* active-active (as per p44 "In Network Security Platform, because both failover Sensors must be ready to process packets on their monitoring ports at all times, both Sensors are actually active at all times"), I am taking it that the latter section above should really read "... the Network Security Platform failover pair will detect attacks even when the traffic is asymmetric, *and* the respective port pairs have been assigned to interface groups, as per section 'interface groups'", or in other words, if an interface group is not created, then the sensor pair will *not* detect attacks when the traffic is asymmetric.
Could somebody verify my understanding or possibly explain where I am going wrong if I have misunderstood?
Further to this, p31 in the same document states:
"Furthermore, a Sensor can also monitor asymmetrically routed traffic where the traffic comes in on one link and goes out another link, because the state machine on the Sensor associates the inbound and outbound traffic efficiently."
Am I correct in saying that this statement should reflect the fact that this only works if interface groups have been correctly configured? The former statement seems to imply that in an asymmetrically routed environment, monitoring 'just works' - whereas this is not the case.
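To make the point behind the question concrete, here is an added toy model (written for this page, not McAfee's code and not how NSP is actually implemented) of why stateful analysis depends on where flow state lives. A flow whose two directions arrive on different monitoring ports only completes its TCP handshake in the inspector's view if both ports feed one shared state table, which is the role the guide assigns to an interface group. Port names, addresses and the single HTTP request are constructed sample data.

```python
"""Toy model of stateful inspection with and without a shared state table.

Constructed example: the Sensor/StateTable classes are hypothetical and only
illustrate the state-sharing concept the guide calls an interface group.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str            # monitoring port the packet was seen on (constructed names)
    src: str
    dst: str
    flags: str            # "S", "SA", "A" or "PA"
    payload: bytes = b""


def flow_key(p: Packet) -> tuple:
    """Direction-independent flow key so both halves of a session match."""
    return tuple(sorted((p.src, p.dst)))


class StateTable:
    """Minimal TCP handshake tracker: payload is inspected only once the
    three-way handshake has been seen in full."""

    def __init__(self) -> None:
        self.state: dict = {}       # flow_key -> "SYN" | "SYNACK" | "ESTABLISHED"
        self.inspected: list = []   # payloads that reached signature analysis

    def process(self, p: Packet) -> str:
        k = flow_key(p)
        st = self.state.get(k)
        if p.flags == "S" and st is None:
            self.state[k] = "SYN"
            return "state_update"
        if p.flags == "SA" and st == "SYN":
            self.state[k] = "SYNACK"
            return "state_update"
        if p.flags == "A" and st == "SYNACK":
            self.state[k] = "ESTABLISHED"
            return "state_update"
        if p.payload:
            if st == "ESTABLISHED":
                self.inspected.append(p.payload)
                return "inspected"
            # No complete handshake on this table: stateful analysis cannot run.
            return "uninspected_no_state"
        return "ignored"


class Sensor:
    """Maps monitoring ports to state tables. Ports named in `interface_group`
    share one table; every other port gets its own."""

    def __init__(self, ifaces, interface_group=None) -> None:
        self.tables: dict = {}
        if interface_group:
            shared = StateTable()
            for i in interface_group:
                self.tables[i] = shared
        for i in ifaces:
            self.tables.setdefault(i, StateTable())

    def process(self, p: Packet) -> str:
        return self.tables[p.iface].process(p)


# Constructed asymmetric flow: client->server on port S1-1A, server->client on S2-1A.
ASYMMETRIC_FLOW = [
    Packet("S1-1A", "10.0.0.5", "192.0.2.10", "S"),
    Packet("S2-1A", "192.0.2.10", "10.0.0.5", "SA"),
    Packet("S1-1A", "10.0.0.5", "192.0.2.10", "A"),
    Packet("S1-1A", "10.0.0.5", "192.0.2.10", "PA", b"GET /index.html HTTP/1.1"),
]


def run(sensor: Sensor, flow=ASYMMETRIC_FLOW) -> list:
    return [sensor.process(p) for p in flow]


def results_without_group() -> list:
    """Each port keeps private state: the SYN-ACK lands in a table that never
    saw the SYN, so the handshake never completes and the request is not inspected."""
    return run(Sensor(["S1-1A", "S2-1A"]))


def results_with_group() -> list:
    """Both ports feed one shared table: the handshake completes and the request
    reaches inspection."""
    return run(Sensor(["S1-1A", "S2-1A"], interface_group=["S1-1A", "S2-1A"]))


if __name__ == "__main__":
    print("no interface group :", results_without_group())
    print("with interface group:", results_with_group())
```

The last element of each result list is the verdict on the request payload: `uninspected_no_state` when each port tracks state on its own, `inspected` when the two ports are grouped. That gap is exactly the risk behind the question: split flows that never complete a handshake in any one state table are invisible to stateful detection, so checking that every port pair carrying asymmetric traffic is in an interface group is the practical verification step.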