614 Views, 0 Helpful, 2 Replies

signature file updates

w951duu (Level 1)

Considering using the SSM-20 modules in our 5520s configured in an Active/Standby configuration.

I have a question. In 8.3 Cisco did away with the need to have duplicate licenses for things like SSL VPN; is the same true for the SSM-20 signature files etc.? Or do I need to purchase two service contracts (one for each SSM in the 5520 pair)?

Thanks

2 Replies

rhermes (Level 7)

Unfortunately you will need to buy two IPS licenses.

Cisco never created any sort of High Availability IPS feature. All IPS sensors are considered (and licensed as) standalone sensors. This means problems for you if you are running an Active/Active HA of your ASAs because there is no state synchronization between the two IPS sensors (unlike in the firewalls). If your traffic is asynchronously passed out one rail and returns through the other, your IPS sensors will miss and possibly drop packets.

- Bob

you will need to buy two IPS licenses.

Adding to Bob's reply... yes, each sensor module will need a valid, non-expired .lic license-key file installed. License-key files are tied to each sensor's unique serial number, so they are not directly interchangeable between sensors (though the entitlement can be transferred and a new file issued for a replacement sensor in the case of an RMA, etc.).

Cisco never created any sort of High Availability IPS feature. This means problems for you if you are running an Active/Active HA of your ASAs because there is no state synchronization between the two IPS sensors (unlike in the firewalls). If your traffic is asynchronously passed out one rail and returns through the other, your IPS sensors will miss and possibly drop packets.

Adding to Bob's reply... The sensor modules themselves are not aware of the ASA's Active/Standby or Active/Active situation; they each simply inspect the traffic passing through the ASA unit they are installed in. In an Active/Standby deployment there is not really a tangible impact from this, as if/when the ASA fails over, the other sensor module (installed in the now-Active (previously-Standby) ASA) begins receiving and inspecting traffic in place of the previously "Active" module. Since the ASA itself/themselves handle traffic normalization (not the sensor modules), this design does not generally cause a "state" or "connection tracking" problem for the sensor modules.

Since the sensor modules do not replicate/synchronize their configuration (as the ASA failover pair units do), you do have to ensure the two (2) sensor modules' configuration is maintained as consistently as possible (to ensure consistent behavior in the event of an ASA failover). This is currently a manual process unless you are using CSM (Cisco Security Manager), which allows you to assign policies to your managed devices and make changes to the policies (instead of directly to each sensor device). In that situation, CSM can deploy the policy changes to both sensor modules (and thus, you only have to make the changes once (per policy) vs. twice (per sensor)).
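Because the two sensor modules never synchronize with each other, the practical risk the reply describes is silent configuration drift: the standby-side sensor ends up with an older signature level or different policy settings, and nobody notices until a failover. The following is an added example, not code from the thread or from Cisco, of a small drift check that compares two exported sensor configurations and reports every setting that differs while ignoring the fields that legitimately differ per sensor (host name, serial number, management IP, license key). The export format used here (`name = value` lines, `!` comments) and the setting names are constructed assumptions for the demo, not the real sensor CLI syntax; the parser is the only part that would need adapting to a real export.

```python
"""Configuration drift check for a pair of IPS sensor modules.

Added example (not from the thread or from Cisco). Assumes a generic
'name = value' export format; setting names below are constructed.
"""

# Settings that are expected to differ between the two sensors and must
# not be reported as drift (assumed names for this example).
PER_SENSOR_KEYS = {"host-name", "serial-number", "management-ip", "license-key"}

# Constructed sample exports: sensor in ASA unit 1 and sensor in ASA unit 2.
# Serial numbers and license keys are placeholders.
PRIMARY_EXPORT = """
! constructed sample export, sensor in ASA unit 1 (active)
host-name = ips-a
serial-number = PLACEHOLDER-SN-A
management-ip = 192.0.2.10
license-key = PLACEHOLDER-LIC-A
signature-update-version = S600
event-action-override = deny-packet-inline risk 90-100
signature 2004 retired = false
signature 5400 retired = true
"""

SECONDARY_EXPORT = """
! constructed sample export, sensor in ASA unit 2 (standby)
host-name = ips-b
serial-number = PLACEHOLDER-SN-B
management-ip = 192.0.2.11
license-key = PLACEHOLDER-LIC-B
signature-update-version = S598
event-action-override = deny-packet-inline risk 90-100
signature 2004 retired = true
"""


def parse_config(text):
    """Parse 'name = value' lines into a dict, skipping blanks and '!' comments."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        name, sep, value = line.partition("=")
        if not sep:
            continue  # malformed line: no '=' present
        cfg[name.strip()] = value.strip()
    return cfg


def find_drift(primary_text, secondary_text, ignore=PER_SENSOR_KEYS):
    """Return {setting: (primary_value, secondary_value)} for every setting
    that differs or exists on only one sensor (None marks a missing side).
    Per-sensor identity settings listed in `ignore` are skipped."""
    primary = parse_config(primary_text)
    secondary = parse_config(secondary_text)
    drift = {}
    for name in sorted(set(primary) | set(secondary)):
        if name in ignore:
            continue
        if primary.get(name) != secondary.get(name):
            drift[name] = (primary.get(name), secondary.get(name))
    return drift


def drift_report(drift):
    """Render the drift dict as one line per setting for an operator."""
    lines = []
    for name, (a, b) in drift.items():
        lines.append(f"{name}: primary={a!r} secondary={b!r}")
    return lines


if __name__ == "__main__":
    drift = find_drift(PRIMARY_EXPORT, SECONDARY_EXPORT)
    if not drift:
        print("sensor configurations are consistent")
    else:
        print(f"{len(drift)} setting(s) differ between the two sensors:")
        for line in drift_report(drift):
            print("  " + line)
```

On the constructed sample this flags the older signature level on the standby-side sensor, a signature tuning that differs, and a signature that was retired on only one side, while the four per-sensor identity fields are ignored. Running a check like this after each signature update or policy change (or having CSM push the policy to both sensors, as the reply suggests) is what keeps a failover from changing inspection behaviour.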
