JALALUDDEEN A A
Beginner

Deploying NGIPS 4110 as IPS-only in HA?

Hi, as I understand it, it will be supported in both routed and transparent mode?

What would be the benefits of using routed mode? Or which one should I choose?

We are using this appliance only for IPS and will configure HA between the devices?

#ngips @sandeepcciesec #NGIPS4110

5 Replies
Abheesh Kumar
Rising star

Hi,

The firewall mode only affects regular firewall interfaces, and not IPS-only mode.

For an IPS-only deployment design, most probably you are deploying the firewall like a “bump in the wire”. In that case, as a best practice, I recommend transparent mode. As I understand it, for IPS-only mode there is no additional benefit if you configure routed mode.

In both modes you will get partial LINA-engine and full Snort-engine checks. Please go through the Cisco doc for FTD deployment modes and interface types.

https://www.cisco.com/c/en/us/td/docs/security/firepower/620/configuration/guide/fpmc-config-guide-v62/transparent_or_routed_firewall_mode_for_firepower_threat_defense.html#ID-2106-00000008

https://www.cisco.com/c/en/us/support/docs/security/firepower-ngfw/200924-configuring-firepower-threat-defense-int.html

Hope This Helps

Abheesh

Hi Abheesh Kumar,

Thanks for the response.

So we can configure Active/Passive HA in transparent mode, right?

We might need 4 inline pairs to inspect different networks (including DMZ, Inside, and DC traffic).

Can we have 3 inline pairs with bypass mode and 1 inline pair without bypass (fail-to-wire) in the same NGIPS 4110?

Because we have only 6-port bypass (fail-to-wire) in the devices.

You can configure a Firepower 4110 with FTD logical device in transparent mode and High Availability (HA) pair.

If you use two network modules, one can be FPR4K-NM-8X1G-F or FPR9K-NM-6X10SR-F or FPR9K-NM-6X10LR-F (fail-to-wire / hardware bypass) and the other one can be FPR4K-NM-8X10G (or use the built-in 1 Gbps copper ports).

See the configuration guide for more details on inline sets and hardware bypass module operations.

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html#id_19616

https://www.cisco.com/c/en/us/td/docs/security/firepower/650/configuration/guide/fpmc-config-guide-v65/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html

Hi @Marvin Rhoads,

Thanks for the response.

Can we use both the FPR4K-NM-8X1G-F and FPR9K-NM-6X10SR-F modules in order to get a total of 7 (4+3) inline-set pairs (fail-to-wire, right?) and the built-in 8 x 10 G ports for the management and HA connections?

One more clarification:

If one of the interfaces is down in fail-to-wire, will the NGIPS trigger HA and traffic go through the second NGIPS, right?

If one NGIPS is completely down, will traffic still pass through the NGIPS with fail-to-wire, uninspected, right? Or will it trigger HA and the second NGIPS should take over?

Can you please clarify the HA and fail-to-wire scenario?

Yes in theory you can use two FTW Netmods as you described and also have the built-in non-FTW interfaces available. It would be a very expensive build though since those netmods are quite expensive. In practice you would probably be oversubscribing the appliance's throughput capability if you have a significant amount of traffic flowing through those multiple interfaces.

If you have an HA pair or cluster, failure of an interface will generally trigger failover to the unit without a failed interface (unless you've excluded the interface from monitoring in the HA setup or done something like set a threshold for the number of interfaces that must go down before triggering failover).

If you had only a single appliance with FTW net mods, failure of the device (including complete power failure) will allow traffic to continue to pass through the FTW interface pairs.
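The reply above describes three distinct outcomes: an HA failover driven by interface monitoring (with the caveats about unmonitored interfaces and a failure threshold), and, for a lone appliance, traffic continuing through fail-to-wire (FTW) pairs uninspected. The following Python is an added example written for this thread; it is not Cisco's code and not code from any poster here. It models a simplified HA policy (failover when the number of failed monitored interfaces reaches a configurable threshold, or when the unit is completely down) and the FTW behaviour just described (a powered-off unit's FTW pairs pass traffic uninspected, non-FTW pairs drop it). Two further assumptions are mine, not the page's: the standby peer is healthy, and a single dead link is a physical-path problem that bypass does not heal. The unit and pair names are constructed sample data.

```python
"""Decision model for inline-pair HA failover versus fail-to-wire bypass.

Added example only: it is a model of the behaviour described in the reply,
not Cisco FTD/FMC code. Names, thresholds and topologies are constructed.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass
class InlinePair:
    name: str
    ftw: bool                # sits on a fail-to-wire (hardware bypass) netmod?
    monitored: bool = True   # counted by HA interface monitoring? (assumption: default yes)
    up: bool = True          # link state of the pair


@dataclass
class Unit:
    name: str
    pairs: list[InlinePair]
    powered: bool = True     # False models a complete device / power failure

    def failed_monitored(self) -> int:
        """Failed interfaces that HA actually watches; unmonitored ones never count."""
        return sum(1 for p in self.pairs if p.monitored and not p.up)


def should_failover(active: Unit, threshold: int = 1) -> bool:
    """Failover when the unit is down, or when failed *monitored* interfaces
    reach the configured threshold (default 1, i.e. any monitored failure)."""
    if not active.powered:
        return True
    return active.failed_monitored() >= threshold


def traffic_state(active: Unit, standby: Unit | None = None,
                  threshold: int = 1) -> dict[str, str]:
    """Per inline pair: 'inspected', 'inspected-on-standby', 'link-down',
    'bypassed-uninspected' (FTW relay closed) or 'dropped'."""
    if standby is not None and standby.powered and should_failover(active, threshold):
        # Peer takes over: traffic is still inspected, just by the other unit
        # (assumption: the standby has no failed interfaces of its own).
        return {p.name: "inspected-on-standby" for p in active.pairs}

    states: dict[str, str] = {}
    for p in active.pairs:
        if not active.powered:
            # Whole box dead: FTW pairs close their relays and pass traffic
            # uninspected; ordinary pairs simply go dark.
            states[p.name] = "bypassed-uninspected" if p.ftw else "dropped"
        elif not p.up:
            # Assumption: a dead link is a cabling/peer problem; bypass cannot fix it.
            states[p.name] = "link-down"
        else:
            states[p.name] = "inspected"
    return states


def uninspected_pairs(states: dict[str, str]) -> list[str]:
    """The pairs a defender cares about: traffic flowing with no IPS inspection."""
    return sorted(n for n, s in states.items() if s == "bypassed-uninspected")


def scenarios() -> dict[str, dict[str, str]]:
    """Run the three situations asked about in the thread (constructed topology)."""
    def fresh() -> Unit:
        return Unit("ngips-1", [InlinePair("dmz", ftw=True),
                                InlinePair("inside", ftw=True),
                                InlinePair("dc", ftw=False, monitored=False)])

    results: dict[str, dict[str, str]] = {}

    # 1. A monitored FTW interface fails and an HA peer exists: failover, still inspected.
    u = fresh(); u.pairs[0].up = False
    results["monitored_if_down_with_peer"] = traffic_state(u, fresh())

    # 2. An unmonitored interface fails: no failover; only that pair is affected.
    u = fresh(); u.pairs[2].up = False
    results["unmonitored_if_down_with_peer"] = traffic_state(u, fresh())

    # 3. A single appliance loses power: FTW pairs bypass uninspected, others drop.
    u = fresh(); u.powered = False
    results["single_unit_power_loss"] = traffic_state(u, None)
    return results


if __name__ == "__main__":
    for label, states in scenarios().items():
        print(f"{label}: {states}  uninspected={uninspected_pairs(states)}")
```

The useful output for design review is the `uninspected_pairs` list in the single-appliance case: it is exactly the traffic that FTW keeps flowing without inspection, which is the trade-off behind choosing bypass netmods over an HA pair for a given segment. Raising `threshold` shows why a multi-interface threshold can leave one failed inline pair dark without triggering failover.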
