Re: CS-MARS with ASA failover pair and IPS

m.reay · ‎06-24-2007

Hi.

Has anyone implemented CS-MARS with ASA in active/standby, each with IPS modules?

What is the procedure for adding the devices to CS-MARS - do I define each box separately -(remember the active and standby both have the same name) or do I just define one ASA using the failover address?

Any reccommendations would be welcome,

regards

Mick.

joemarr_brodart · ‎06-24-2007

I?ve asked this question before but never really received a response. So what I'm about to say is based only on my experience.

I added only the active firewall, and then added each IPS blade as a module to the active firewall.

The only drawback is that MARS does not seem to acknowledge failover capabilities. I say this because only one IPS blade (obviously)generates alerts, so the second blade will cause MARS generate an Inactive CS-MARS reporting device event.

m.reay · ‎06-24-2007

Thanks for the reply.

That is exactly the way I set it up - Active ASA with both modules defined in the active device.

About the second module not generating alarms - I wouldn't expect it to whilst it was in standby mode as it wouldn't be passing traffic.

When the ASA fails over - the second module should then start to generate alerts.

andrew.burns · ‎06-25-2007

Hi Mick,

I answered this question a while back, see this post:

http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=Intrusion%20Prevention%20Systems/IDS&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40%5E1%40%40.1ddb520d/4#selected_message

HTH

Andrew.

m.reay · ‎06-25-2007

Hi Andrew - thanks for replying.

I actually added the ASA using the active addresses and added both of the IPS devices as modules of the ASA rather than as separate devices.

This seems to work fine - can you see any problem doing it this way?

Thanks and regards

Mick.

andrew.burns · ‎06-25-2007

Hi Mick,

That should work fine - as far as I can tell MARS doesn't care whether the IPS modules are internal or external. I tried it both ways and couldn't see any difference in functionality.

HTH

Andrew.