topic The management of software in Network Security

ASA 5525-X IPS Management IP addresses in HA mode

dpuranik — Tue, 12 Mar 2019 04:19:33 GMT

I am going to install ASA5525-X Firewall in HA mode and both have Software IPS modules and I was wondering how the management IP address will be configured in HA mode.

Is both IPS will have same management IP address?

I looking for some sample config for IPS management IP address configuration in HA mode.

Thanks,

There should not be any big

nkarthikeyan — Thu, 12 Jun 2014 15:44:20 GMT

There should not be any big difference in configuration for management. Even in normal scenario we can have the management access through both the active and stand by IP addresses to the respective devices. All it happens with mac address that uses when it is configured in failover mode.

Hope this helps

Regards

Karthik

The management of software

Marvin Rhoads — Thu, 12 Jun 2014 20:15:06 GMT

If you haven't seen it already, please review the ASA IPS Module Quick Start Guide.

The management of software IPS modules uses the physical management interface of the 5525-X with an IP address that is specified in the setup of the IPS module. This is distinct from any management address you may have setup in the base ASA.

Each IPS will have its own unique IP address.

The IPS modules themselves are not HA-aware and are essentially managed as two independent units. This improves if you move to the NGFW IPS and manage the unit via PRSM on an external server. In that scenario, the HA pair of IPS's are managed as a collective entity

The base ASAs of course share the service policy used to redirect traffic for IPS inspection and (when the service-policy calls for IPS module inspection) also verifies the operational state of the IPS modules as one of the checks done to validate failover status.