IPS fail

engahmedsaied
Level 3

Hello all,

I face a problem: when the IPS fails, the whole network behind it becomes inaccessible.

So how can I check the capability of the box to support both:

1- hardware bypass

2- software bypass


1) Which platform are you using? Not all support HW-bypass. You should find the needed information in the Data-Sheet of your platform.

2) In the configuration of your system. And that is (again) dependent on the platform you use.

--
If you found this post helpful, please give it Kudos. If my answer solves your problem, please click Accept as Solution so others can benefit from it.

Cisco IPS 4510 - 7.3(4)E4

Is the show tech-support command useful?

I have found that below every interface it says "hardware bypass capable = NO".

Does this tell that the interface is not supported for hardware bypass, or that hardware bypass is not set on that interface?

There is no HW-bypass on the 4500 as far as I know. But you can use software-bypass:

http://www.cisco.com/c/en/us/td/docs/security/ips/7-2/configuration/guide/idm/idmguide72/idm_interfaces.html#pgfId-1169786


Thank you Karsten.

Last question: in case of software bypass, can it work on an interface VLAN pair?

Or does it require an interface pair, or doesn't this matter in case of software bypass?

I know that software bypass will work in case the service engine is stopped, but if the device is rebooted due to a time change or anything else, will it work?

Yes, it works with VLAN pairs. But be aware that the use case for software bypass is a situation where the software still has full control of the system. If the signatures are updated, bypass can be used to make sure that no traffic is dropped.

But in every situation where the software doesn't have any control, software bypass can't work. That includes software updates where the sensor reboots, or failed/crashed IPS software.


abdallah malas
Level 2

Hello,

I had a similar situation where I had a CX Module + Cisco Prime Security Manager with Next Generation IPS.

At the beginning, when the CX Module (IPS) failed, no traffic was allowed.

I was able to overcome this problem by doing the following change to the policy-map:

I added "cxsc fail-open"; this means that if the module goes down, the firewall will not pass the traffic through the module for inspection any more.

Initially it was "cxsc fail-close". After I did this change everything went well.

Hope this helps,

Best Regards,
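For reference, here is how the fail-close and fail-open variants of that policy-map change look on an ASA with a CX module. This is an added illustration, not the poster's own configuration; the policy-map and class-map names (global_policy, cxsc_class) are assumed, and the class matches all traffic only for brevity.

```text
! Assumed names: policy-map "global_policy", class-map "cxsc_class".
class-map cxsc_class
 match any
!
! Original setting described in the post: if the CX module is down,
! the ASA drops the traffic that would have been redirected to it.
policy-map global_policy
 class cxsc_class
  cxsc fail-close
!
! Changed setting: if the CX module is down, the ASA forwards the
! traffic without inspection. Availability is kept, but traffic is
! uninspected until the module recovers, so module health should be
! monitored and alerted on while this is in effect.
policy-map global_policy
 class cxsc_class
  cxsc fail-open
!
service-policy global_policy global
```

The two policy-map stanzas are alternatives for the same class; only one of the two cxsc lines is active at a time.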
