03-27-2020 12:42 PM
If a FirePOWER 4140/FTD is configured with an inline-set/pair of interfaces - and also configured for "Fail-open for Snort" & "Fail-open for Snort Busy" to OFF - is there any traffic that will be able to be leaked across the inline pair when Snort is down/slow?
I have some tap infrastructure that utilizes ARP to send traffic to the FirePOWER, and if it sees the ARP come back in (made it through the FirePOWER) then it deems the FirePOWER up; otherwise it will flip to bypass and go around the FirePOWER.
Thanks in advance for any info
B
03-27-2020 08:52 PM
It depends whether the traffic in question has an IPS policy associated with it. For instance, if it hits a prefilter Trust action it will never be inspected by Snort - no matter the state and settings for Snort failure.
03-30-2020 01:12 PM
Thanks very much for the reply Marvin, sounds like it's time for a TAC case.
Bob
04-03-2020 09:23 AM
Just as a follow-up to our problem and outcome:
The tap infrastructure utilizes ARP packets for health checks by default
In working with TAC it was determined that ARP is not punted to Snort - it's forwarded by Lina in/out of the inline set.
When fail-open is set to disabled, a Snort down/busy condition will cause black-holing of traffic, because the TAP infrastructure is getting the ARP packet back and continues to happily send the traffic to the FirePOWER, which blocks it due to the fail-open disabled configuration.
A recommendation was to configure the TAP infrastructure to utilize ICMP for heartbeating through the inline set, as ICMP does get punted to Snort.
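As an added illustration (not from the thread or from Cisco), the following Python model encodes the packet-path behaviour the thread describes: Lina forwards ARP without involving Snort, prefilter Trust bypasses Snort, and with fail-open disabled any Snort-bound traffic is dropped while Snort is down or busy. The names `Packet`, `forwarded` and `heartbeat_is_misleading` are assumptions chosen for the example; it shows why an ARP heartbeat reports "up" during a black-hole while an ICMP heartbeat does not.

```python
"""Model of the FTD inline-set packet path as described in the thread.

Assumed/illustrative: the function and class names below. Encoded from the
thread: ARP is handled by Lina and never punted to Snort; IP traffic subject
to inspection is punted to Snort; a prefilter Trust match skips Snort; with
fail-open disabled, Snort down/busy drops the Snort-bound traffic.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str                      # "arp", "icmp", "tcp", ...
    prefilter_trust: bool = False   # matched a prefilter Trust action


def needs_snort(pkt: Packet) -> bool:
    """Lina forwards ARP itself; Trust-matched flows are never inspected."""
    if pkt.proto == "arp":
        return False
    return not pkt.prefilter_trust


def forwarded(pkt: Packet, snort_state: str, fail_open: bool) -> bool:
    """Does the packet make it across the inline pair?

    snort_state: "up", "down" or "busy".
    fail_open:   the "Fail-open for Snort" / "Fail-open for Snort Busy" setting.
    """
    if not needs_snort(pkt):
        return True          # Lina forwards regardless of Snort's state
    if snort_state == "up":
        return True
    return fail_open         # Snort down/busy: passes only if fail-open is on


def heartbeat_sees_device_up(probe_proto: str, snort_state: str, fail_open: bool) -> bool:
    """What the tap concludes from a heartbeat probe of the given protocol."""
    return forwarded(Packet(probe_proto), snort_state, fail_open)


def black_holed(snort_state: str, fail_open: bool) -> bool:
    """True when ordinary inspected traffic (modelled as TCP) is being dropped."""
    return not forwarded(Packet("tcp"), snort_state, fail_open)


def heartbeat_is_misleading(probe_proto: str, snort_state: str, fail_open: bool) -> bool:
    """A probe that reports 'up' while inspected traffic is silently dropped."""
    return (heartbeat_sees_device_up(probe_proto, snort_state, fail_open)
            and black_holed(snort_state, fail_open))
```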