Solved: IPS fail-open for FTD

tato386 · ‎07-18-2023

ASA with FirePower had a "fail open/close" setting to control access in case of SFR module failure. From what I can tell, with an FTD device the IPS function is integrated into the firewall (LINA?) so is this setting NA in the FTD environment?

Thanks,

Diego

Marvin Rhoads · ‎07-19-2023

It is mostly not applicable with the exception of the optional network module that is available for some models that offers fail-to-wire capability. Very few customers opt for those since they are quite expensive and only available for appliance that offer a network module expansion slot.

View solution in original post

Marvin Rhoads · ‎07-19-2023

It is mostly not applicable with the exception of the optional network module that is available for some models that offers fail-to-wire capability. Very few customers opt for those since they are quite expensive and only available for appliance that offer a network module expansion slot.

MHM Cisco World · ‎07-19-2023

https://www.cisco.com/c/en/us/td/docs/security/firepower/630/configuration/guide/fpmc-config-guide-v63/inline_sets_and_passive_interfaces_for_firepower_threat_defense.html

Yes I think you can config failed open/closed in ftd

Check link above

Marvin Rhoads · ‎07-19-2023

Note the IPS-only mode for which you can do Snort fail open in software is not the mode 98% of customers are running.

IPS fail-open for FTD

FTD : インラインペアの導入例と設定方法（IPSモード）

Fail-open & Fail-close explanation

Secure Access: Network Tunnel Groupの接続におけるFTDのECMP設定例

Cisco Secure Firewall (FTD) - How To

FTD Snort Fail Open