AIP-SSM bypass Mode vs. fail-open/fail-closed

fail-open and fail-closed

The fail-open and fail-closed options on the ASA have no hand in the sensor's bypass mechanism. These configuration arguments only determine what the ASA will do if the AIP is not available at all via software (i.e. it is in the Reset or Shutdown state). If the AIP-SSM is available but sensorApp is down, the fail-open and fail-closed ASA configuration arguments are ignored and the sensor's own bypass configuration determines traffic flow.

There are several conditions that could result in wanting to enable/disable bypass on the sensor itself, but none of them include altering the configuration to bypass the sensor for testing purposes. For testing, it is more efficient to remove/add the traffic flows to the service-policy on the ASA.

Failure types and configuration choices

sensorApp failure:

If you want the traffic to always be dropped when the sensorApp fails, set bypass to off.
If you want the traffic to always be passed when sensorApp fails, leave bypass set to auto.
If you want the traffic to bypass the sensor inspection, alter the policy-map rather than set bypass to on.

SSM going into shutdown or reset state:

If you want the traffic to always be dropped when the SSM goes into shutdown or reset state, configure the ASA to fail-closed.
If you want the traffic to always be passed when the SSM goes into shutdown or reset state, configure the ASA to fail-open.
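As an added worked example (not from the original post), the following Python models the precedence the article describes: the ASA fail-open/fail-closed argument applies only while the SSM is in Reset or Shutdown, the sensor's bypass setting decides only while the SSM is up but sensorApp is down, and a flow not matched by the service-policy never reaches the sensor. The state names and Scenario fields are constructed labels for the model, not ASA or IPS CLI syntax.

```python
"""Model of how ASA fail-open/fail-closed and AIP-SSM bypass combine.
Encodes only the rules stated in the article; labels are constructed."""
from dataclasses import dataclass

# SSM availability as seen by the ASA (constructed labels)
SSM_UP, SSM_RESET, SSM_SHUTDOWN = "up", "reset", "shutdown"


@dataclass(frozen=True)
class Scenario:
    in_service_policy: bool   # does the ASA policy-map send this flow to the SSM?
    asa_fail_mode: str        # "fail-open" or "fail-closed" (ASA argument)
    ssm_state: str            # SSM_UP, SSM_RESET or SSM_SHUTDOWN
    sensorapp_running: bool   # is the sensor's inspection process alive?
    bypass_mode: str          # sensor bypass setting: "auto", "on" or "off"


def flow_outcome(s: Scenario) -> str:
    """Return 'inspected', 'passed-uninspected' or 'dropped' for one flow."""
    if not s.in_service_policy:
        # Not matched by the service-policy: never reaches the SSM. This is
        # the article's recommended way to exclude flows for testing.
        return "passed-uninspected"
    if s.ssm_state in (SSM_RESET, SSM_SHUTDOWN):
        # SSM not available at all: only the ASA argument decides; the
        # sensor's bypass configuration plays no part here.
        return "passed-uninspected" if s.asa_fail_mode == "fail-open" else "dropped"
    # SSM is available: the ASA fail-open/fail-closed argument is ignored.
    if s.bypass_mode == "on":
        return "passed-uninspected"   # bypass forced on: traffic is not inspected
    if s.sensorapp_running:
        return "inspected"
    # sensorApp is down: the sensor's bypass mode decides.
    return "passed-uninspected" if s.bypass_mode == "auto" else "dropped"


def asa_fail_mode_matters(ssm_state: str, sensorapp_running: bool, bypass_mode: str) -> bool:
    """True if flipping fail-open/fail-closed changes the outcome for a flow
    that is in the service-policy. Shows where the ASA argument is relevant."""
    a = flow_outcome(Scenario(True, "fail-open", ssm_state, sensorapp_running, bypass_mode))
    b = flow_outcome(Scenario(True, "fail-closed", ssm_state, sensorapp_running, bypass_mode))
    return a != b


if __name__ == "__main__":
    for fail_mode in ("fail-open", "fail-closed"):
        for ssm in (SSM_UP, SSM_RESET):
            for app in (True, False):
                for bypass in ("auto", "off", "on"):
                    sc = Scenario(True, fail_mode, ssm, app, bypass)
                    print(f"{fail_mode:11} ssm={ssm:5} sensorApp={app!s:5} bypass={bypass:4} -> {flow_outcome(sc)}")
```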