01-18-2020 10:04 AM - edited 02-21-2020 09:50 AM
Hi, as I understand it, it will support both routed and transparent mode?
What would be the benefits of using routed mode, or which one should I choose?
We are using this appliance only for IPS and will configure HA between the devices?
#ngips @sandeepcciesec #NGIPS4110
01-18-2020 07:03 PM
You can configure a Firepower 4110 with FTD logical device in transparent mode and High Availability (HA) pair.
If you use two network modules, one can be FPR4K-NM-8X1G-F or FPR9K-NM-6X10SR-F or FPR9K-NM-6X10LR-F (fail-to-wire / hardware bypass) and the other one can be FPR4K-NM-8X10G (or use the built-in 1 Gbps copper ports).
See the configuration guide for more details on inline sets and hardware bypass module operations.
01-18-2020 11:04 AM - edited 01-18-2020 11:05 AM
Hi,
The firewall mode only affects regular firewall interfaces, and not IPS-only mode.
For an IPS-only deployment design, most probably you are deploying the firewall as a “bump in the wire”. In that case, as a best practice I recommend transparent mode. As I understand it, for IPS-only mode there is no additional benefit if you configure routed mode.
In both modes you will get partial LINA-engine and full Snort-engine checks. Please go through the Cisco doc for FTD deployment modes & interface types.
Hope this helps.
Abheesh
01-18-2020 11:25 AM
Hi Abheesh Kumar,
Thanks for the response.
So we can configure Active/Passive HA in transparent mode, right?
We might need 4 inline pairs to inspect different networks (including DMZ, inside, and DC traffic).
Can we have 3 inline pairs with bypass mode and 1 inline pair without bypass (fail-to-wire) in the same NGIPS 4110?
Because we have only a 6-port bypass (fail-to-wire) module in the devices.
01-19-2020 11:30 PM
Hi @Marvin Rhoads ,
Thanks for the response,
Can we use both the FPR4K-NM-8X1G-F & FPR9K-NM-6X10SR-F modules in order to get a total of 7 (4+3) inline-set pairs (fail-to-wire, right?) and the built-in 8*10G for management and HA connection?
One more clarification:
If one of the interfaces is down in fail-to-wire, will NGIPS trigger HA and traffic go through the second NGIPS, right?
If one NGIPS is completely down, will traffic still pass through the NGIPS with fail-to-wire, uninspected, right? Or will it trigger HA and the second NGIPS take over?
Can you please clarify the HA and fail-to-wire scenario?
01-20-2020 04:00 AM
Yes, in theory you can use two FTW netmods as you described and also have the built-in non-FTW interfaces available. It would be a very expensive build, though, since those netmods are quite expensive. In practice you would probably be oversubscribing the appliance's throughput capability if you have a significant amount of traffic flowing through those multiple interfaces.
If you have an HA pair or cluster, failure of an interface will generally trigger failover to the unit without a failed interface (unless you've excluded the interface from monitoring in the HA setup or done something like set a threshold for the number of interfaces that must go down before triggering failover).
If you have only a single appliance with FTW netmods, failure of the device (including complete power failure) will allow traffic to continue to pass through the FTW interface pairs.
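The HA and fail-to-wire rules discussed in this thread can be checked against a small decision model. The following Python is an added example, not Cisco code and not something either poster provided: it encodes the three rules stated above (a failed monitored interface triggers failover, an interface excluded from monitoring or a not-yet-reached failed-interface threshold does not, and a hardware-bypass pair on a dead appliance keeps forwarding uninspected). The field names `monitored`, `failed_threshold` and the interface names `e1/1`..`e1/4` are assumptions for the model, not FMC option names, and the outcome for a link-down pair that does not trip HA (`dropped`) is the model's assumption that bypass cannot help when the cable itself is down.

```python
"""Decision model for FTD HA failover vs. fail-to-wire (FTW) hardware bypass.

Added example, not Cisco code. Setting names below are assumptions, not FMC labels.
"""
from dataclasses import dataclass, field


@dataclass
class HaConfig:
    monitored: frozenset          # interfaces whose link state counts for HA (assumed name)
    failed_threshold: int = 1     # failed monitored interfaces needed to fail over (assumed name)


@dataclass
class Appliance:
    name: str
    powered: bool = True
    link_up: dict = field(default_factory=dict)   # interface name -> link is up
    ftw_pairs: frozenset = frozenset()            # inline pairs backed by hardware bypass


def failed_monitored(app, cfg):
    """Monitored interfaces that are currently down on this unit."""
    return sorted(i for i, up in app.link_up.items() if not up and i in cfg.monitored)


def failover_triggered(app, cfg):
    """A dead unit always fails over; otherwise only when enough monitored links are down."""
    if not app.powered:
        return True
    return len(failed_monitored(app, cfg)) >= cfg.failed_threshold


def inline_pair_outcome(app, pair, cfg, peer_healthy):
    """Where does traffic on one inline pair go?

    Returns 'inspected', 'failover-to-peer', 'bypass-uninspected' or 'dropped'.
    """
    a, b = pair
    links_ok = app.link_up.get(a, True) and app.link_up.get(b, True)
    if not app.powered:
        # Appliance dead: an HA peer takes over inspection; without a peer only a
        # hardware-bypass (FTW) pair keeps forwarding, and it does so uninspected.
        if peer_healthy:
            return "failover-to-peer"
        return "bypass-uninspected" if pair in app.ftw_pairs else "dropped"
    if links_ok and not failover_triggered(app, cfg):
        return "inspected"
    if peer_healthy and failover_triggered(app, cfg):
        # A monitored link failure (or enough of them) tripped HA.
        return "failover-to-peer"
    # Unit is up but HA did not fire (interface unmonitored / below threshold):
    # a pair whose own link is down cannot carry traffic (assumption: bypass relays
    # do not help when the cable is down); other pairs keep being inspected.
    return "dropped" if not links_ok else "inspected"


def scenarios():
    """Constructed sample states covering the questions raised in the thread."""
    ftw = frozenset({("e1/1", "e1/2")})
    links = {"e1/1": True, "e1/2": False, "e1/3": True, "e1/4": True}
    unit = Appliance("ftd-a", link_up=links, ftw_pairs=ftw)
    all_monitored = HaConfig(monitored=frozenset(links))
    unmonitored = HaConfig(monitored=frozenset({"e1/3", "e1/4"}))
    threshold_two = HaConfig(monitored=frozenset(links), failed_threshold=2)
    dead = Appliance("ftd-solo", powered=False,
                     link_up={k: True for k in links}, ftw_pairs=ftw)
    return {
        "ha_link_down_monitored": inline_pair_outcome(unit, ("e1/1", "e1/2"), all_monitored, True),
        "ha_link_down_unmonitored": inline_pair_outcome(unit, ("e1/1", "e1/2"), unmonitored, True),
        "ha_link_down_below_threshold": inline_pair_outcome(unit, ("e1/1", "e1/2"), threshold_two, True),
        "single_unit_dead_ftw_pair": inline_pair_outcome(dead, ("e1/1", "e1/2"), all_monitored, False),
        "single_unit_dead_plain_pair": inline_pair_outcome(dead, ("e1/3", "e1/4"), all_monitored, False),
        "ha_unit_dead": inline_pair_outcome(dead, ("e1/1", "e1/2"), all_monitored, True),
    }


if __name__ == "__main__":
    for name, outcome in scenarios().items():
        print(f"{name:32s} -> {outcome}")
```

The point to take from running it is the asymmetry the thread asks about: a link failure is handled by HA (and only if that link is monitored and the threshold is met), whereas a whole-appliance failure is where the fail-to-wire netmod earns its cost, and then the bypassed traffic is uninspected until the unit is back.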