Wednesday, October 22, 2008

Adding AIP-SSM (IPS) module reporting in CS-MARS

This one has been driving me nuts for a long time, and I finally found the answer.
I have two ASA firewalls in active/standby failover; both firewalls have an IPS module in them. I actually have them plugged into MARS as two modules sitting in a single firewall. Obviously MARS can only speak with one of them at a time, because the standby IPS is physically sitting in a different hardware device until failover occurs.
It works, but I have always wondered what the actual "CISCO" way of configuring this device reporting in MARS is. Today, I actually found the CISCO documentation that indicates the correct method for adding these devices in MARS.

While this is true for the actual firewalls, it is not true for AIP-SSM modules. AIP-SSM modules do not swap IP addresses in the event of a failover. Therefore, to ensure that MARS receives uninterrupted IPS event data, you must configure both the primary and secondary AIP-SSM modules as child modules of the same ASA device that represents the Active/Standby pair. In this configuration, MARS will likely generate "Inactive Reporting Device" messages on the hour for the non-active AIP-SSM module. view here
