06-12-2014 07:54 AM - edited 03-11-2019 09:19 PM
I am going to install ASA5525-X firewalls in HA mode, and both have software IPS modules. I was wondering how the management IP address will be configured in HA mode.
Will both IPS modules have the same management IP address?
I am looking for a sample config for IPS management IP address configuration in HA mode.
Thanks,
06-12-2014 01:15 PM
If you haven't seen it already, please review the ASA IPS Module Quick Start Guide.
The management of software IPS modules uses the physical management interface of the 5525-X with an IP address that is specified in the setup of the IPS module. This is distinct from any management address you may have set up in the base ASA.
Each IPS will have its own unique IP address.
The IPS modules themselves are not HA-aware and are essentially managed as two independent units. This improves if you move to the NGFW IPS and manage the unit via PRSM on an external server. In that scenario, the HA pair of IPSs is managed as a collective entity.
The base ASAs of course share the service policy used to redirect traffic for IPS inspection and (when the service policy calls for IPS module inspection) also verify the operational state of the IPS modules as one of the checks done to validate failover status.
06-12-2014 08:44 AM
There should not be any big difference in configuration for management. Even in a normal scenario we can have management access through both the active and standby IP addresses to the respective devices. All it happens with MAC address that uses when it is configured in failover mode.
Hope this helps
Regards
Karthik