I am new to NIPS and I have read a lot of documentation, product guides and discussions about NIPS and NSM. We are planning to implement IPS sensors in our new datacentre. We are at the stage where planning and designing are in process. But I have a query regarding failover configuration. We have two datacentres and are using one firewall per datacentre, which will be configured as failover to each other. The firewall is a Checkpoint firewall. Now if we implement an IPS sensor in one datacentre and consider the failover, we cannot connect the two IPS sensors to one Checkpoint firewall.
Also, we are not using bypass units (since the customer does not allow traffic without monitoring). So, if we implement two IPS using one firewall and connect the ports with link aggregation on the firewall, would it be possible to divert traffic from one IPS while the other acts as failover? So, in case one IPS goes down, the other will be active since both are in failover.
My question here is: will link aggregation (binding two physical ports in a virtual IP address on the firewall) help in a failover configuration? Attached is the logical diagram for reference.
Will one IPS work as active here and the other as failover? Please help.
I don't know if I fully understand the question or the two-datacentre requirement.
My question here is: will link aggregation (binding two physical ports in a virtual IP address on the firewall) help in a failover configuration?
Sure, it would help provide redundancy on that network, but the NSP IPS sensors won't really care. Each one will inspect the traffic which passes through its inline port pair. HA on the NSP sensors works by forwarding all inspected packets and alert data to the peer NSP device via the HA cable. So each NSP sensor is aware of all scanned traffic on both links. If one link fails, the VIP will be broadcast on the single active firewall interface, and IPS inspection will continue to occur on that link.
Does it mean that data will be monitored from both devices before it is allowed to pass to the core switch? Will the failover IPS connected in HA not just act as a secondary that keeps a record of all the sessions of the primary? Please can you help me with this point, as this is really confusing. The main thing in question is whether link aggregation is helpful if I need only one IPS as active and the other configured just for HA, not active to monitor the data.
Does it mean that data will be monitored from both devices before it will be allowed to pass to core switch?
Yes, kind of. Traffic will be monitored as it flows inbound/outbound through the FW to the core switch. If a packet flows over path #1, it will be monitored by IPS #1. Over path #2, it is monitored by IPS #2. These IPS sensors are set up as a FO pair -- therefore IPS #1 will share all events with IPS #2 and vice versa. Whichever IPS detects the alert will be the one responsible for forwarding it to NSM.
Will the failover IPS connected in HA not just act as a secondary that keeps a record of all the sessions of the primary?
Correct, it will act as more than just a secondary IPS monitoring the sessions and health of the primary. It will function as a fully operational IPS sensor, capable of monitoring, alerting, and blocking on any detected events.
Regarding whether or not link aggregation is helpful, etc., I guess that's really for you or your network engineers to decide, based on your network and business requirements.
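A simplified model of the behaviour described in the replies above, added here as an illustration (it is not code from the thread or from the NSP product): each sensor inspects only its own LAG member link, the failover pair replicates session state over the HA link, and when link 1 fails the firewall hashes every flow onto link 2. It assumes per-flow LAG hashing (modelled by a character-sum hash) and a stateful inspection engine that drops mid-stream packets of sessions it has never seen; with replication switched off, the sessions that started on the failed link are dropped after failover, which is why the "standby" sensor must hold full state.

```python
from dataclasses import dataclass, field

@dataclass
class Sensor:
    """One inline IPS sensor; peer is the HA partner reached over the HA cable."""
    name: str
    share_state: bool = True      # False models a pair with no HA state replication
    peer: "Sensor | None" = None
    sessions: set = field(default_factory=set)

    def inspect(self, flow, is_syn):
        """Inspect one packet on this sensor's inline port pair; return 'pass' or 'drop'."""
        if is_syn:
            self.sessions.add(flow)
            if self.share_state and self.peer is not None:
                self.peer.sessions.add(flow)   # replicate session state to the HA peer
            return "pass"
        # Assumption: a stateful engine drops a mid-stream packet of a session it never saw.
        return "pass" if flow in self.sessions else "drop"

class Lag:
    """Firewall link aggregation: one sensor per member link, per-flow hashing."""
    def __init__(self, links):
        self.links = dict(links)   # link id -> Sensor wired inline on that link

    def pick(self, flow):
        up = sorted(self.links)    # only links still up carry traffic
        key = f"{flow[0]}:{flow[1]}:{flow[2]}"
        return up[sum(map(ord, key)) % len(up)]   # stand-in for the switch's flow hash

    def fail(self, link_id):
        del self.links[link_id]

def simulate(share_state):
    """Open 8 sessions over both links, fail link 1, then send one mid-stream packet per session.
    Returns (flows that started on link 1, flows that started on link 2, drops after failover)."""
    ips1, ips2 = Sensor("IPS#1", share_state), Sensor("IPS#2", share_state)
    ips1.peer, ips2.peer = ips2, ips1
    lag = Lag({1: ips1, 2: ips2})
    flows = [(f"10.0.0.{i}", "192.168.1.10", 443) for i in range(1, 9)]  # constructed flows
    first = {f: lag.pick(f) for f in flows}
    for f in flows:
        lag.links[first[f]].inspect(f, True)       # SYN seen by whichever sensor owns that link
    lag.fail(1)                                    # link 1, and so IPS#1's port pair, goes down
    drops = sum(lag.links[lag.pick(f)].inspect(f, False) == "drop" for f in flows)
    return (sum(l == 1 for l in first.values()), sum(l == 2 for l in first.values()), drops)
```

Running `simulate(True)` and `simulate(False)` shows both sensors carrying half the sessions while both links are up, and only the state-sharing pair surviving the link failure without drops.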