07-30-2013 04:28 PM - edited 03-10-2019 06:01 AM
Our company is looking at an IPS solution and I've heard pros and cons about using IPS modules for the ASAs versus standalone units. Our basic physical topology is a 5515 pair in active/standby with an L2L VPN to another firewall pair at a colo.
I had worked with them years ago and remember some issue about the modules not knowing if the ASA changed from active to standby or back. I can't remember exactly what the issue was, but it seemed to be a real pain.
For those with plenty of experience with both solutions, would you recommend the ASA modules or the standalone units?
07-30-2013 07:43 PM
The built-in units cause too many failovers of production environments based on all of the bugs Cisco has - when the IPS engine stops responding or becomes busy, the module is marked as 'failed' by the firewall. This causes a failover event on the device, regardless of fail-open/fail-closed settings. Cisco's recent instability on the IPS module would have me encourage you to look at an alternative topology - external IPS are a better bet.
07-31-2013 07:39 AM
We manage several customers that have IPS running on ASAs configured in active/standby mode. The active IPS unit is always in the active ASA, so when there is a failover the active IPS will be the sensor running on the new active ASA. A failure in the IPS module of the active ASA will cause a failover event to trigger.
As jp.senior noted, there have been somewhat recent issues with signatures causing the IPS units to crash, and in light of that we have a policy to update the active unit to the most recent signature ASAP and only upgrade the standby IPS after the signature proves stable for 5 days. This way we always have an IPS sensor that is capable of running stably in the event of a problem signature.
So, if it is critical for your organization to not have a failover during business hours, then you may want to go with a standalone unit. The standalone units cost a ton more than they used to, so you'll have to take that into account in your decision.
Jon.
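Added here as an illustration, not taken from any of the replies: the ASA service-policy that redirects traffic into the IPS module, showing the fail-open/fail-close choice jp.senior's reply refers to, plus the two show commands an operator would use to confirm the module and failover state Jon describes. The class-map and policy-map names are assumed.

```cisco
! Send all traffic through the IPS module inline.
! "fail-open" only decides what happens to TRAFFIC when the module
! stops responding (pass it) versus "fail-close" (drop it). As the
! replies above describe, it does not stop the ASA from marking the
! module as failed and triggering an active/standby failover.
class-map ips-inspect-class
 match any
!
policy-map global_policy
 class ips-inspect-class
  ips inline fail-open
!
service-policy global_policy global
!
! After a signature update on the active unit, check the module
! state and the failover state before touching the standby:
!   show module ips details
!   show failover
```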