05-22-2024 12:03 PM
Hi Guys,
Would like to check about the FTW module of the Firepower.
For example, I have an FTD with FTW and an inline pair with Propagate Links enabled. If the devices connected on my external interfaces go down, the FTD will run the propagate link so that the other interface of the inline pair will also go down.
Here's the question,
1. I am wondering if the FTW will run in that scenario?
2. If I have a pair of FTDs, should I run them in active-standby mode in IPS-mode? Would Active-Standby HA be better than standalone mode with FTW?
3. If my FTD in inline-set (IPS-mode) is between two OSPF-enabled devices and I want to peer those two via OSPF, will it work?
Thanks
05-22-2024 12:19 PM
The FTW (Fail-To-Wire) module and the FTD (Firepower Threat Defense) devices have several functions that address failover and high availability scenarios. Let's look at your questions.
Fail-To-Wire (FTW) and Propagate Links: When you enable Propagate Links on an inline pair, it ensures that if one interface of the pair goes down, the other interface will also go down. This helps in maintaining the integrity of the inline deployment.
FTW in this scenario: FTW is a hardware-based failover mechanism that ensures network traffic continuity in case of a failure. If your inline pair interfaces go down due to a connected device failure, FTW can kick in to bridge the interfaces at the hardware level, allowing traffic to continue passing through without inspection until the FTD device recovers.
Active-Standby Mode vs. Standalone Mode with FTW
In a deployment where high availability and minimal downtime are crucial/critical, an Active-Standby setup is generally preferred over a standalone setup with FTW. Here's why:
Active-Standby HA in IPS-mode: This setup provides redundancy. If the active device fails, the standby device takes over, ensuring continuous traffic inspection and security enforcement.
Standalone with FTW: While FTW provides hardware-level failover, it does not offer the same level of redundancy as an Active-Standby pair. In an FTW scenario, during a failover, the traffic is not inspected until the device recovers, which might pose a security risk.
My Recommendation: Active-Standby HA is better than standalone with FTW for IPS-mode because it provides seamless failover with continuous security inspection.
FTD inline set (IPS-mode) Between OSPF Devices
When using FTD in inline-set (IPS-mode) between two OSPF-enabled devices, the following considerations apply:
- OSPF Peering: The FTD in IPS-mode can transparently pass OSPF traffic between the two devices. OSPF, being a routing protocol, typically uses multicast or unicast to establish and maintain neighbor relationships. The IPS-mode inspects traffic but does not alter the OSPF packets in a way that would prevent peering.
- Traffic Inspection: The inline set will inspect the OSPF packets as part of its normal operation, but it should not block or interfere with OSPF neighbor establishment unless specific policies are configured to do so.
To summarise: Yes, you can peer the two OSPF-enabled devices via OSPF with an FTD in inline-set (IPS-mode) between them, as the FTD should transparently pass the OSPF traffic and allow neighbor relationships to form and operate correctly.
In a nutshell:
- FTW will run in the scenario where you have an inline pair with Propagate Links enabled, helping maintain traffic flow.
- An Active-Standby HA setup is generally better than standalone with FTW, especially in IPS-mode, for continuous traffic inspection and minimal downtime.
- OSPF peering will work with FTD in inline-set (IPS-mode) between the OSPF-enabled devices, as the FTD will allow OSPF traffic to pass through and establish neighbor relationships.
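For question 3, the practical way to confirm the inline set is passing OSPF untouched is to capture a Hello on each side of it, verify the OSPF checksum still validates, and check that the adjacency parameters the two routers advertise agree. The Python below is an added example, not code from the thread or from Cisco; the two Hello packets are constructed in the code, and it assumes an Ethernet (broadcast) segment with null authentication.

```python
import struct
import ipaddress

OSPF_HELLO = 1
_ip = lambda v: str(ipaddress.IPv4Address(v))
_int = lambda s: int(ipaddress.IPv4Address(s))

def ospf_checksum(pkt: bytes) -> int:
    # RFC 2328 A.3.1: ones'-complement sum over the packet with the checksum
    # field zeroed and the 8-byte authentication field (bytes 16..23) skipped.
    data = pkt[:12] + b"\x00\x00" + pkt[14:16] + pkt[24:]
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_hello(rid, area, mask, hello, dead, neighbors=(), options=0x02):
    # Builds a constructed OSPFv2 Hello with null authentication (sample input only).
    body = struct.pack("!IHBBIII", _int(mask), hello, options, 1, dead, 0, 0)
    body += b"".join(struct.pack("!I", _int(n)) for n in neighbors)
    hdr = struct.pack("!BBHIIHH", 2, OSPF_HELLO, 24 + len(body), _int(rid), _int(area), 0, 0)
    pkt = hdr + b"\x00" * 8 + body
    return pkt[:12] + struct.pack("!H", ospf_checksum(pkt)) + pkt[14:]

def parse_hello(pkt: bytes) -> dict:
    version, ptype, length, rid, area, csum, autype = struct.unpack("!BBHIIHH", pkt[:16])
    if version != 2 or ptype != OSPF_HELLO or length != len(pkt):
        raise ValueError("not a well-formed OSPFv2 Hello")
    if autype in (0, 1) and ospf_checksum(pkt) != csum:
        raise ValueError("OSPF checksum mismatch: packet altered in transit")
    mask, hello, options, prio, dead, dr, bdr = struct.unpack("!IHBBIII", pkt[24:44])
    return {"router_id": _ip(rid), "area": _ip(area), "autype": autype, "mask": _ip(mask),
            "hello": hello, "dead": dead, "options": options, "priority": prio,
            "dr": _ip(dr), "bdr": _ip(bdr),
            "neighbors": [_ip(n) for (n,) in struct.iter_unpack("!I", pkt[44:])]}

def adjacency_mismatches(a: dict, b: dict) -> list:
    # Fields RFC 2328 10.5 requires to agree (mask only on broadcast/NBMA segments,
    # assumed here); the E-bit of Options must also agree.
    bad = [f for f in ("area", "autype", "mask", "hello", "dead") if a[f] != b[f]]
    if (a["options"] ^ b["options"]) & 0x02:
        bad.append("options:E")
    return bad

# Constructed samples: one Hello captured on each side of the inline set.
R1_HELLO = build_hello("10.0.0.1", "0.0.0.0", "255.255.255.0", 10, 40, ("10.0.0.2",))
R2_HELLO = build_hello("10.0.0.2", "0.0.0.0", "255.255.255.0", 10, 40, ("10.0.0.1",))
R2_BAD = build_hello("10.0.0.2", "0.0.0.0", "255.255.255.0", 10, 30)  # dead timer differs
```

An empty list from adjacency_mismatches means the two Hellos are compatible; a checksum ValueError on a Hello captured downstream of the inline set means something between the routers rewrote the packet.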