Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
998
Views
0
Helpful
2
Replies

IPS Advice...

tbrendle
Level 1
Level 1

‎07-30-2013 04:28 PM - edited ‎03-10-2019 06:01 AM

Our company is looking at an IPS solution and I've heard pros and cons about using IPS modules for the ASAs versus standalone units.  Our basic physical topology is a 5515 pair in active/standby w/ a L2L vpn to another fw pair at a colo. 

I had worked with them years ago and remember some issue about the modules not knowing if the ASA changed from active to standby or back.  I can't remember exactly what the issue was, but it seemed to be a real pain.

For those with plenty of experience with both solutions, would you recommend the ASA modules or the standalone units?

Labels:
0 Helpful
2 Replies 2

jp.senior
Level 1
Level 1

‎07-30-2013 07:43 PM

The built in units cause too many failovers of production environments based on all of bugs Cisco has - when the IPS engine stops responding or becomes busy, the module is marked as 'failed' by the firewall.  This causes a failover event on the device, regardless of failopen/failclosed settings.  Cisco's recent instability on the IPS module would have me encourage you to look at an alternative topology - external IPS are a better bet.

0 Helpful

JonPBerbee
Level 1
Level 1

‎07-31-2013 07:39 AM

We manage several customers that have IPS running on ASA's configured in active/standby mode. The active IPS unit is always in the active ASA so when there is a failover the active IPS be the sensor running on the new active ASA. A failure in the IPS modue of the active ASA will cause a failover event to trigger.

As jp.senior noted there have been somewhat recent issues with signatures causing the IPS units to crash and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stable in the event of a problem signature.

So, if it is critical for your organization to not have a failover during business hours then you may want to go with a standalone unit. The standalone units cost a ton more than they used so you'll have to take that into account in your decision.

Jon.

0 Helpful
Customers Also Viewed These Support Documents
Review Cisco Networking for a $25 gift card