topic thank you Karsten in Network Security

IPS fail

engahmedsaied — Sun, 10 Mar 2019 13:32:47 GMT

hello all,

I face a problem when IPS fail all network behind it be not accessible,

so how can I check capability of box to support both

1-hardware bypass.

2-software bypass.

1) Which platform are you

Karsten Iwen — Tue, 19 Jan 2016 12:21:28 GMT

1) Which platform are you using? Not all support HW-bypass. You should find the needed information in the Data-Sheet of your platform.

2) In the configuration of you system. And that is (again) dependent of the platform you use.

cisco IPS 4510 - 7.3(4)E4

engahmedsaied — Tue, 19 Jan 2016 12:32:55 GMT

cisco IPS 4510 - 7.3(4)E4

is show tech-support command is useful ?

I have found that below every interface "hardware bypass capable = NO"

Is this tells that interface not supported in hardware bypass or hardware not set to that interface

There is no HW-bypass on the

Karsten Iwen — Tue, 19 Jan 2016 12:37:30 GMT

There is no HW-bypass on the 4500 as far as I know. But you can use software-bypass:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-2/configuration/guide/idm/idmguide72/idm_interfaces.html#pgfId-1169786

thank you Karsten

engahmedsaied — Tue, 19 Jan 2016 12:46:21 GMT

thank you Karsten

last question in case of software bypass it can work on interface vlan pair ?

or require interface pair or this doesn't matter in case of software bypass

I know that software bypass will work in case of service engine stopped but if device rebooted due to time changing or anything will it work ?

Yes, it works with vlan pairs

Karsten Iwen — Tue, 19 Jan 2016 13:00:28 GMT

Yes, it works with vlan pairs. But be aware that the usecase for software bypass is a situation where the software still has full control of the system. If the signatures are updated, bypass can be used to make sure that no traffic is dropped.

But in every situation where the software doesn't have any control, software bypass can't work. That includes software-updates where the sensor reboots of failed/crashed IPS-software.

Hello,

abdallah malas — Thu, 21 Jan 2016 17:03:14 GMT

Hello,

I had a similar situation where I had a CX Module + Cisco Prime Security Manager with Next Generation IPS.

At the beginning when the CX Module Fails (IPS) no traffic is allowed.

I was able to overcome this problem by doing the following changes to the Policy-map:

I added "cxsc fail-open" this means if the model goes down the firewall will not pass the traffic through the model for inspection any more.

Initially it was "cxsc fail-close". After I did this change everything went well.

Hope this helps,

Best Regards,