FirePOWER 4140 Inline Set - Fail-Open Question

reheindel
Level 1

If a FirePOWER 4140/FTD is configured with an inline set (a pair of interfaces), and is also configured with "Fail-open for Snort" and "Fail-open for Snort Busy" set to OFF, is there any traffic that will be able to leak across the inline pair when Snort is down or slow?

I have some tap infrastructure that utilizes ARP to send traffic to the FirePOWER; if it sees the ARP come back in (i.e., it made it through the FirePOWER), it deems the FirePOWER up, otherwise it flips to bypass and goes around the FirePOWER.


Thanks in advance for any info
B


3 Replies

Marvin Rhoads
Hall of Fame

It depends on whether the traffic in question has an IPS policy associated with it. For instance, if it hits a prefilter Trust action it will never be inspected by Snort, no matter the state and settings for Snort failure.

Thanks very much for the reply, Marvin; sounds like it's time for a TAC case.

Bob

Just as a follow-up to our problem and outcome:

The tap infrastructure utilizes ARP packets for health checks by default.

In working with TAC it was determined that ARP is not punted to Snort; it is forwarded by Lina in/out of the inline set.

When fail-open is set to disabled, a Snort down/busy condition will cause black-holing of traffic, because the TAP infrastructure is getting the ARP packet back and continues to happily send the traffic to the FirePOWER, which blocks it due to the fail-open disabled configuration.

A recommendation was to configure the TAP infrastructure to utilize ICMP for heartbeating through the inline set, as ICMP does get punted to Snort.
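The failure mode described in this thread is a health check that tests a different path than the one that fails: the ARP heartbeat is switched by Lina and never touches Snort, so the tap keeps the inline set in service while Snort-punted traffic is dropped. The following is an added, constructed model of that decision logic, not Cisco code or Cisco's documented data plane; the protocol classification (ARP handled by Lina, prefilter Trust never inspected, everything else punted to Snort) and the fail-open semantics are simplified assumptions taken from the replies above, and the class and function names are hypothetical. It lets you check, for a given heartbeat protocol and fail-open configuration, whether a tap would black-hole production traffic.

```python
"""Constructed model of an FTD inline set's forwarding path (illustration only).

Assumptions, taken from the thread above and not from Cisco documentation:
  * ARP is forwarded by Lina and never punted to Snort.
  * Traffic matching a prefilter Trust rule is never inspected by Snort.
  * Everything else is punted to Snort; when Snort is down or busy, the
    corresponding fail-open setting decides whether it is forwarded or dropped.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import FrozenSet, List, Tuple


class Verdict(Enum):
    FORWARD = "forward"
    DROP = "drop"


@dataclass
class SnortState:
    down: bool = False
    busy: bool = False


@dataclass
class InlineSet:
    # Hypothetical names modelling "Fail-open for Snort" / "Fail-open for Snort Busy".
    fail_open_snort_down: bool
    fail_open_snort_busy: bool
    snort: SnortState = field(default_factory=SnortState)
    # Protocols matched by a prefilter Trust rule (constructed input).
    prefilter_trust: FrozenSet[str] = frozenset()

    def bypasses_snort(self, proto: str) -> bool:
        """Lina forwards ARP itself; prefilter Trust traffic skips inspection."""
        return proto == "arp" or proto in self.prefilter_trust

    def forward(self, proto: str) -> Verdict:
        if self.bypasses_snort(proto):
            return Verdict.FORWARD
        # Punted to Snort: the fail-open settings govern a down/busy engine.
        if self.snort.down:
            return Verdict.FORWARD if self.fail_open_snort_down else Verdict.DROP
        if self.snort.busy:
            return Verdict.FORWARD if self.fail_open_snort_busy else Verdict.DROP
        return Verdict.FORWARD  # inspected; this model has no blocking rules


def tap_decision(inline_set: InlineSet, heartbeat_proto: str) -> str:
    """Tap logic from the question: heartbeat returns -> stay inline, else bypass."""
    returned = inline_set.forward(heartbeat_proto) is Verdict.FORWARD
    return "inline" if returned else "bypass"


def black_holed(inline_set: InlineSet, heartbeat_proto: str,
                production: Tuple[str, ...] = ("tcp", "udp")) -> List[str]:
    """Production protocols the tap keeps sending inline that the FTD then drops.

    An empty list means the heartbeat correctly tracks the path production
    traffic actually takes (or Snort is healthy).
    """
    if tap_decision(inline_set, heartbeat_proto) == "bypass":
        return []  # tap went around the FirePOWER; nothing is dropped by it
    return [p for p in production if inline_set.forward(p) is Verdict.DROP]


if __name__ == "__main__":
    # Fail-open disabled for both conditions, Snort down: the scenario in the thread.
    ftd = InlineSet(fail_open_snort_down=False, fail_open_snort_busy=False,
                    snort=SnortState(down=True))
    for hb in ("arp", "icmp"):
        print(f"{hb:5s} heartbeat -> tap {tap_decision(ftd, hb):7s} "
              f"black-holed: {black_holed(ftd, hb)}")
```

Running it with Snort down and both fail-open settings disabled shows the ARP heartbeat leaving the tap inline while TCP and UDP are dropped, and the ICMP heartbeat flipping the tap to bypass. Adding a protocol to `prefilter_trust` shows Marvin's point: that traffic keeps flowing regardless of Snort's state.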
