https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609931#M65651 <HTML><HEAD></HEAD><BODY><P>Hi Jeniffer,</P><P>Thanks for your prompt response. Do you mean to say that if i put the IPS in inline mode &amp; having a single unit, i do have a option of passing traffic if the unit itself goes down?</P><P></P><P></P><P>Thanks</P><P>Pratik</P></BODY></HTML> Mon, 14 Feb 2011 08:33:26 GMT pratik_193 2011-02-14T08:33:26Z https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609929#M65647 <P>Hi All,</P><P>I have a single unit of IPS 4240. I want to know if my sensor or the unit itself fails/shutdowns, is there any option where in my traffic will be passed so that there is no downtime.</P><P></P><P></P><P>Thanks</P><P>Pratik</P> Sun, 10 Mar 2019 12:16:06 GMT https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609929#M65647 pratik_193 2019-03-10T12:16:06Z https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609930#M65649 <HTML><HEAD></HEAD><BODY><P>You can configure the sensor when it's inline mode with inline-bypass mode "auto" so when the unit fails, it will just pass through the traffic without inspecting it, however, if the sensor is completely shutdown, then no, traffic will be dropped when it's in inline mode.</P><P></P><P>Here is more information on inline bypass mode:</P><P><A class="jive-link-external-small" href="http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079">http://www.cisco.com/en/US/docs/security/ips/7.0/configuration/guide/cli/cli_interfaces.html#wp1047079</A></P><P></P><P>However, if it's in promiscious mode, then you don't have to worry about it as the packet is not inline and will not cause interruption.</P><P></P><P>Hope that helps.</P></BODY></HTML> Mon, 14 Feb 2011 07:55:58 GMT https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609930#M65649 Jennifer Halim 2011-02-14T07:55:58Z https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609931#M65651 <HTML><HEAD></HEAD><BODY><P>Hi Jeniffer,</P><P>Thanks for your prompt response. Do you mean to say that if i put the IPS in inline mode &amp; having a single unit, i do have a option of passing traffic if the unit itself goes down?</P><P></P><P></P><P>Thanks</P><P>Pratik</P></BODY></HTML> Mon, 14 Feb 2011 08:33:26 GMT https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609931#M65651 pratik_193 2011-02-14T08:33:26Z https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609932#M65653 <HTML><HEAD></HEAD><BODY><P>If the unit is dead, the answer is NO, you can't pass traffic. However, if the unit fails due to its inspection engine not working, then yes, you can pass traffic</P><P> like passing traffic through wire (via the IPS).</P></BODY></HTML> Mon, 14 Feb 2011 08:39:43 GMT https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609932#M65653 Jennifer Halim 2011-02-14T08:39:43Z https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609933#M65655 <HTML><HEAD></HEAD><BODY><P>The sensor has to partially fail in order for it's failopen to work (it has to be sane enough to realize the sensor app has crashed then inact the failopen routine). To protect yourself form the inevitable sensor crash, hardware failure, reboot after update I would suggest you obtain an external FailOpen switch, or make one from an existing switch you have. <BR />STP can be use to fail around a downed sensor nicely.</P><P></P><P>- Bob</P></BODY></HTML> Mon, 14 Feb 2011 19:51:25 GMT https://community.cisco.com/t5/network-security/ips-4240-fail-open/m-p/1609933#M65655 rhermes 2011-02-14T19:51:25Z