Active Fail-Open Kit Quick Start Guide
Revision B
McAfee Network Security Platform

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, at times a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. At times like this, you might want to continue allowing traffic to pass through without interruption. For such requirements, you can consider an external device called a fail-open switch. The fail-open switch can be either an active fail-open switch or a passive fail-open switch.

An active fail-open switch constantly monitors the Sensor state. It does this by sending a heartbeat signal through its ports. The heartbeat signal is sent through one of the Monitor ports and received through the other, indicating that the Sensor is functioning normally.

The table below shows the various models of active fail-open switches and the Sensor models each supports.

| Fail-open switch | SKU | NS-9x00 | NS-7x00 | M-8000, M-6050 | M-4050, M-3050 | M-2950, M-2850 |
| --- | --- | --- | --- | --- | --- | --- |
| Active-Fiber (850 nm) 10G (62.5 µm) | IAC-AF85010-KT1 | Yes | Yes | Yes | Yes | No |
| Active-Fiber (1310 nm) 10G (8.5 µm) | IAC-AF131010-KT1 | Yes | Yes | Yes | Yes | No |
| Active-Fiber (850 nm) 1G (62.5 µm) | IAC-AF85062KT1 | Yes | Yes | Yes | Yes | Yes |
| Active-Fiber (1310 nm) 1G (8.5 µm) | IAC-AF131085-KT1 | Yes | Yes | Yes | Yes | Yes |
| Active-Copper 10/100/1000 module | IAC-AFOCG-KT2 | Yes | Yes | Yes | Yes | Yes |
| Active Fail-Open Chassis | IAC-AFOCH-KT2 | Yes | Yes | Yes | Yes | Yes |

You must also make sure you have the requisite SFP/SFP+s or XFPs when making this choice.

Fiber fail-open switches come in two types: single-mode and multi-mode. The table below gives relevant details about both types of fiber optic fail-open switch. This is especially relevant because you must determine the type of fiber used in your organization's network before you decide which type of fail-open switch to use. Also, all product documentation for fail-open kits and the decals on the fail-open switches refer repeatedly to these parameters.

| Type | Fiber thickness | Wavelength range |
| --- | --- | --- |
| Single mode (Long reach) | 8.5 µm | 1300 nm to 1550 nm |
| Multi-mode (Short reach) | 50 µm or 62.5 µm | 850 nm to 1300 nm |

For more details about fail-open kits, refer to the chapter Fail-Open operation in Sensors in the McAfee Network Security Platform IPS Administration Guide. Since this Quick Start Guide references information in that chapter, keep a copy of it easily accessible before you begin installing and configuring your fail-open switch.

Working

To begin with, the Sensor and the fail-open switch need to be cabled to each other. The Sensor ports are then configured for fail-open operation. For more details about configuring Sensor monitoring ports, refer to the section Configure Sensor Monitoring Ports.

After connecting and configuring the Sensor and fail-open switch, the switch begins to send a heartbeat signal to the Sensor. Each heartbeat signal, once sent, returns from the Sensor to the fail-open switch. When the fail-open switch does not receive this response from the Sensor for a specified period, the switch removes the Sensor from the data path and begins to route traffic to the network through its own ports.

• A 1G fiber or a copper fail-open switch sends a heartbeat signal every second. When the fail-open switch does not receive a response for 3 seconds, it changes its working mode to "unknown" and begins to route traffic through itself.
• A 10G fiber fail-open switch sends a heartbeat signal every 10 milliseconds (ms). If the fail-open switch does not receive a response from the Sensor for 100 ms, it removes the Sensor from the data path and begins to route traffic through its own ports.
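The heartbeat watchdog just described, modeled as an added example (not McAfee's code): it takes the send interval and silence timeout quoted above for each switch type, replays a constructed Sensor outage, and reports when the switch drops into bypass and back, how long traffic ran uninspected, and how long a dead Sensor stayed in the path before bypass engaged. The outage windows and the `FailOpenSwitch`, `seconds_in_mode` and `blackhole_windows` names are assumptions of this example.

```python
from dataclasses import dataclass, field

# Heartbeat profiles stated above: (send interval, silence before bypass), in seconds.
PROFILES = {
    "1g_copper": (1.0, 3.0),
    "1g_fiber": (1.0, 3.0),
    "10g_fiber": (0.010, 0.100),
}


@dataclass
class FailOpenSwitch:
    """Minimal model of the watchdog that moves the switch between normal and bypass."""
    interval: float
    timeout: float
    mode: str = "normal"
    transitions: list = field(default_factory=list)  # (time in s, new mode)

    @classmethod
    def from_profile(cls, name):
        interval, timeout = PROFILES[name]
        return cls(interval, timeout)

    def run(self, outages, duration):
        """Drive the watchdog for `duration` seconds and return the mode transitions.

        `outages` is a constructed list of (fail_at, recover_at) windows during which
        the Sensor does not loop the heartbeat back (a reboot, or ports left disabled
        in the Manager). Time is counted in heartbeat ticks so the timeout comparison
        is exact rather than subject to float drift.
        """
        timeout_ticks = round(self.timeout / self.interval)
        last_echo_tick = 0
        for tick in range(round(duration / self.interval) + 1):
            t = round(tick * self.interval, 6)
            sensor_up = not any(start <= t < end for start, end in outages)
            if sensor_up:
                last_echo_tick = tick
                if self.mode == "bypass":
                    self._switch("normal", t)  # heartbeat is back: reinsert the Sensor
            elif self.mode == "normal" and tick - last_echo_tick >= timeout_ticks:
                self._switch("bypass", t)  # silence reached the timeout: route around it
        return self.transitions

    def _switch(self, mode, t):
        self.mode = mode
        self.transitions.append((t, mode))


def seconds_in_mode(transitions, duration, mode, initial="normal"):
    """Total seconds spent in `mode` between t=0 and `duration`."""
    total, current, since = 0.0, initial, 0.0
    for t, new_mode in transitions:
        if current == mode:
            total += t - since
        current, since = new_mode, t
    if current == mode:
        total += duration - since
    return round(total, 6)


def blackhole_windows(outages, transitions):
    """Per outage: seconds between the Sensor going silent and bypass engaging.

    In that window a dead Sensor is still in the data path, so this is the cost of
    the timeout the guide quotes (3 s for 1G/copper, 100 ms for 10G fiber). An
    outage shorter than the timeout never triggers bypass and yields None.
    """
    bypass_times = [t for t, mode in transitions if mode == "bypass"]
    windows = []
    for fail_at, _ in outages:
        engaged = next((t for t in bypass_times if t >= fail_at), None)
        windows.append(None if engaged is None else round(engaged - fail_at, 6))
    return windows


if __name__ == "__main__":
    for name in ("1g_copper", "10g_fiber"):
        duration = 10.0 if name.startswith("1g") else 1.0
        outages = [(0.25 * duration, 0.8 * duration)]  # constructed Sensor outage
        trans = FailOpenSwitch.from_profile(name).run(outages, duration)
        print(name, trans, "bypass s:", seconds_in_mode(trans, duration, "bypass"),
              "dead-path s:", blackhole_windows(outages, trans))
```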
1 Inside the box

Every fail-open kit consists of a similar set of components. Although the type of cables and the switch vary from one model to another, the list of items in the kit itself remains the same. The table below lists the items.

| Qty | Item | Description |
| --- | --- | --- |
| 1 | 10/100/1000 Copper fail-open module, or 1G 850 nm Fiber (62.5 µm) fail-open module, or 1G 1310 nm Fiber (8.5 µm) fail-open module, or 10G 850 nm Fiber (62.5 µm) fail-open module, or 10G 1310 nm Fiber (8.5 µm) fail-open module | Fail-Open switch module |
| 1 | Active Fail-Open switch 1U chassis for four fail-open switches | 1RU host hardware to plug in up to four fail-open switches in a standard rack. |
| 2 | Power supplies and cords for the host system | One power supply acts as the primary and the other as the redundant power supply in case of a failure. |
| 4 | Copper: 3m RJ-45 to RJ-45 cable; Fiber: 3m LC-LC cable | Connects the fail-open switch to network devices and the Sensor. For a fiber fail-open kit, these cables are either single-mode or multi-mode, depending on the requirements provided at the time of purchase. |
| 1 | RS232 RJ-11 programming cable | Connects the fail-open switch to a computer to access the switch CLI that is used to configure switch parameters. |

2 Install the active fail-open switch and chassis

Before you begin
• Identify the rack in which you plan to install the fail-open chassis.
• If you are using a physical Sensor, make sure that you are able to physically connect the chassis with the monitoring ports.

You can install up to four fail-open switches in a single chassis. You can install an active fail-open switch module in the chassis on the fly while the chassis is powered on in the rack.

a Install the ears of the chassis.
b Slide the switch into one of the openings in the chassis until the face plate of the switch rests against the chassis.
c Secure the switch to the chassis by inserting the screws provided through the holes on the fail-open switch face plate and into the panel. If you are installing a switch while the chassis is powered on, wait 4 seconds after inserting the switch and fastening its screws.
d Place the 1U chassis against the front of a standard 19-inch rack.
e Secure the chassis by inserting screws through the holes on the ears of the chassis (refer to the Before you begin instructions for this section).
f (Optional) Install up to three additional switches by following these steps:
  a Remove the screws holding each of the removable blank plates from the front of the chassis.
  b Follow steps a and b of this procedure for each additional fail-open switch.

The fail-open switch is ready to be connected to a Sensor.

3 Remove an active fail-open switch from the chassis

Before you begin
You must make sure the fail-open switch is fully powered off before you attempt to remove it from the chassis. Follow the steps in this section to power off and remove the fail-open switch.

a Power off the fail-open switch using the web interface or the CLI command prompt.
  • If you are using the web interface, click the Rescue tab and select the Power Off checkbox in the System Restore section. To access the web interface, refer to Manage the fail-open switch through a web interface.
  • If you are using the CLI command prompt, type power_off and press Enter. To access the CLI command prompt, refer to Configure fail-open switch parameters.
b When the fail-open switch is powered off, remove the captive screws and slide it out of the chassis.

4 Connections with the fail-open switch

To accurately detect attacks, a Sensor must be aware of which traffic is outside the network and which traffic is inside. Identifying traffic direction is accomplished through the proper cabling of the fail-open switch as well as appropriate port configuration of the Sensor monitoring ports in the Manager. The switch LED indicates whether traffic is passing to the Sensor.
Connect the fail-open switch to network devices

| Callout | Description |
| --- | --- |
| 1 | 10/100/1000 Copper fail-open switch module |
| 2 | Connection to network device (inside) |
| 3 | Connection to network device (outside) |
| 4 | Sensor monitoring port G3/1 (inside) |
| 5 | Sensor monitoring port G3/2 (outside) |
| 6 | Sensor monitoring ports on an NS9200 |

The steps below apply to both copper and fiber fail-open switches.

a Plug the inside network cable connector into the Cat 5/Cat 5e/LC port, labeled Network 0 or Net 0 for copper or Network A (in a triangle) for fiber, on the fail-open switch.
b Plug the other end of this cable into the corresponding network device.
c Plug the outside network cable connector into the Cat 5/Cat 5e/LC port, labeled Network 1 or Net 1 for copper or Network B (in a triangle) for fiber, on the fail-open switch.
d Plug the other end of this cable into the corresponding network device.

The fail-open switch is now connected to the network devices for the inside network and the outside network. Your next step is to connect the fail-open switch to the Sensor.

(Either) Connect a copper fail-open switch

Before you begin
• You will require two Cat 5/Cat 5e Ethernet cables to connect your fail-open switch to the Sensor.
• You will require two copper SFPs to be inserted into two corresponding blank ports on the Sensor. For more details about your Sensor, refer to the Sensor Product Guide for the appropriate model.

a Connect a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP in port Gx/a or xA, where x and a are port numbers.
b Connect the other end of the cable into the port labeled Port 0 on the fail-open switch.
c Connect a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding Gx/b or xB peer port. (For example, if you used G1/1 in step a, plug the cable into port G1/2.)
d Connect the other end of the cable into the port labeled Port 1 on the bypass switch.

With this cable configuration, Sensor Monitoring port G1/1 views traffic as originating inside the network, and port G1/2 views traffic as originating outside the network. Note that this configuration (G1/1 = inside, G1/2 = outside) must match the port configuration specified for this Sensor, and that the ports must be configured as such.

(Or) Connect a fiber fail-open switch

Before you begin
• You will require two LC-LC cables to connect your fail-open switch to the Sensor.
• If you are connecting a 1-Gigabit fail-open switch, you will require two fiber SFPs to be inserted into two corresponding blank ports on the Sensor.
• If you are connecting a 10-Gigabit fail-open switch, you will require two fiber XFP/SFP+s to be inserted into two corresponding blank ports on the Sensor. For more details about the SFP/XFP/SFP+ modules compatible with your Sensor, refer to the Sensor Product Guide for the appropriate model.

a Connect an LC-LC cable into the LC receptacle of port Gx/a or xA, where x and a are the corresponding 1-Gigabit or 10-Gigabit port numbers.
b Connect the other end of the LC cable into the LC receptacle labeled Monitor A on the fail-open switch.
c Connect an LC-LC cable into the corresponding Gx/b or xB peer port. (For example, if you used G1/3 in step a, plug the cable into port G1/4.)
d Connect the other end of this cable into the port labeled Monitor B on the fail-open switch.

With this cable configuration, Sensor Monitoring port G1/3 views traffic as originating inside the network, and port G1/4 views traffic as originating outside the network. Note that this configuration (G1/3 = inside, G1/4 = outside) must match the port configuration specified for this Sensor, and that the ports must be configured as such.

5 Configure fail-open switch parameters

You can configure various parameters on your fail-open switch. All configuration options, status, and statistics are accessible from the fail-open switch Command Line Interface (CLI).
After you have configured the basic network settings (IP address, gateway, and subnet mask), you will be able to access the fail-open switch through SSH. SSH is enabled on every fail-open switch by default and can be disabled through the CLI. Your fail-open switch only supports IPv4 addresses.

The steps below explain the configuration of parameters for your fail-open switch.

a Connect an RJ-11 cable to the front of the module.
b Connect the other end to a computer running terminal emulation software such as HyperTerminal or PuTTY.
c Launch the terminal emulation software, and set the communications parameters as shown below:
  • Baud rate: 9600 (it is recommended not to alter the baud rate of the Management port)
  • Data bits: 8
  • Parity: None
  • Stop bits: 1
  • Flow control: None
d Power up the fail-open switch. The CLI banner and login prompt appear.
e At the login prompt, type McAfee00 and press Enter.
f At the password prompt, type McAfee00 and press Enter. The fail-open switch CLI prompt appears.
g Configure or modify parameters related to fail-open switch access and its ports using the commands listed.

| Command | Description |
| --- | --- |
| set_ip xxx.xxx.xxx.xxx | Configures the fail-open switch IPv4 address. Reboot the fail-open switch for the new IPv4 address to take effect. |
| set_netmask xxx.xxx.xxx.xxx | Configures the fail-open switch subnet mask. Reboot the fail-open switch for the new subnet mask to take effect. |
| set_gateway xxx.xxx.xxx.xxx | Configures the default gateway IPv4 address. Reboot the fail-open switch for the new gateway IPv4 address to take effect. |
| set_link <port> <on/off> | Sets the port of a 1G Copper fail-open switch to auto-negotiate. For <port> use mon0, mon1, net0, or net1. |
| set_link <port> off fd 100m | Sets the port to 100 Mbps full-duplex. For <port> use the syntax specified above. |
| set_link <port> <enable/disable>_autoneg | Sets the port of a 1G Fiber fail-open switch to auto-negotiate. For <port> use mon0, mon1, net0, or net1. |

10G Fiber fail-open switches do not have such a command, since auto-negotiate is enabled by default.

h Configure or modify parameters for other settings of the fail-open switch using these commands.

| Command | Description |
| --- | --- |
| set_ssh_state <on/off> | Enables or disables SSH access to the fail-open switch. |
| set_web_https_state <on/off> | Enables or disables web access to the fail-open switch interface. |
| set_snmp_srv_ip | Configures the SNMP server IPv4 address. The SNMP server IPv4 address can also be set in the web interface. |
| set_trap <parameter> <on/off> | Enables or disables the following SNMP traps: appl fail (application state change), net link (network port state change), bypass (bypass state change), error (error notification), mon link (monitoring port state change), update (update complete). |

i View essential fail-open switch parameters using the commands listed. If your fail-open switch parameters have never been configured before, you will see the factory settings.

| Command | Description |
| --- | --- |
| get_ip | Displays the fail-open switch IPv4 address. |
| get_netmask | Displays the fail-open switch subnet mask. |
| get_gateway | Displays the default gateway address. |
| get_ssh_state | Displays the SSH status, which is enabled by default. |
| get_snmp_srv_ip | Displays the SNMP server IPv4 address. |
| get_params | Displays fail-open switch parameters. |
| get_web_https_state | Displays the status of web access to the fail-open switch interface. |
| get_link <port> | Displays port status. For <port> use mon0, mon1, net0, or net1. |

6 Configure Sensor Monitoring Ports

Before you begin
• The Sensor must be set up with trust established with a Manager server.
• The Sensor has a free port pair which can be deployed in in-line fail-open mode.
• It is assumed that you inserted the necessary transceiver modules into the Sensor when you completed cabling the Sensor and fail-open switch.

When you set up a Sensor for the first time, its ports are disabled by default.
The Sensor ports must be manually configured for in-line fail-open operation.

a In the Manager, go to Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
b Double-click one of the configurable ports, say G2/1. A configuration panel appears on the right side of the window.
c Click the State drop-down and select Enabled. You are asked whether you want to proceed, since this configuration will also affect port G2/2.
d Click Yes to proceed. This enables the port pair G2/1-G2/2.
e Select the Auto Negotiate checkbox and make sure the Speed (Duplex) is set to 1 Gbps (Full).
f Click the Mode drop-down and select In-line Fail-Open – Active.
g Click the Placement drop-down and select Inside Network or Outside Network, depending on how you want to configure your ports. McAfee recommends choosing Gx/1 or xA as Inside Network and Gx/2 or xB as Outside Network.
h Click Save.

The Sensor and fail-open switch are set up. When traffic passes through the ports, you will notice the port link status changes to Up and turns green.

7 Manage the fail-open switch through a web interface

If you have configured an IPv4 address for your fail-open switch, you have the option to manage your fail-open switch through a web interface.

a To access the fail-open switch web interface, enter in a web browser the IPv4 address of the fail-open switch that you configured. The fail-open switch web interface appears at the log on screen.
b To log on, enter the default username and password, McAfee00 and McAfee00. You are routed to the fail-open web interface landing page, which shows information about the present settings configured in the fail-open switch.

Configuration of the necessary settings is explained in the relevant sections.

8 Enable tap mode for the fail-open switch

Before you begin
• Configure an IPv4 address for your fail-open switch.
• Make sure you can access the fail-open switch web interface using a web browser.

You can enable tap mode for your active fail-open switch if you use a tap to route network traffic to the Sensor Monitoring ports.

a Log on to the web interface of the active fail-open switch. Use the default credentials to access the web interface. For more information about the web interface, refer to Manage the fail-open switch through a web interface.
b Click the Bypass tab to access the Bypass configuration page.
c Click the HB active mode drop-down menu and select Off.
d In the Active bypass section, select tap.
e Click Apply to save your configuration.

You have set your active fail-open switch to tap mode of operation.

Return from tap mode to inline mode

a Click the Bypass tab to access the Bypass configuration page.
b Click the HB active mode drop-down menu and select On.
c Click Apply to save your configuration.

You have reconfigured your fail-open switch to run in inline mode of operation.

9 Configure notification by SNMP traps

Before you begin
• To configure SNMP traps, you will require a server that will act as an SNMP server. The SNMP server can be any Windows or Linux system with an MIB browser such as iReasoning installed.
• Make sure your fail-open switch IP address can be reached within the network.
• Make sure your SNMP server and fail-open switch are able to communicate.
• In addition, you will need to obtain MIB files to decode the alert codes sent by the fail-open switch. These files are specific to the fail-open switch and can be obtained by contacting Technical Support.

The SNMP feature of your fail-open switch can only be used to send notifications through SNMP traps.

a Connect an RJ-45 cable to the Management port at the back of the fail-open switch.
b Connect the other end to a network device so that the SNMP server is reachable through the network.
c Copy the fail-open switch MIB files to a suitable location on the SNMP server.
d Set up the fail-open switch IP address, network mask, and SNMP manager IP address by logging on to the web interface. For details about logging on to the web interface, refer to Manage the fail-open switch through a web interface. You are also able to configure various other parameters specific to SNMP traps from the CLI. For details about these commands, refer to Configure fail-open switch parameters.
e On the web interface, click the SNMP tab. The SNMP configuration page appears.
f To configure the SNMP server IPv4 address, enter it in the Server IP field. The credentials used will be the default credentials for the fail-open switch.
g (Optional) If you want to configure multiple SNMP accounts, in the SNMP trap account section select set from the Operations drop-down. If you do not configure additional SNMP trap accounts, all traps will be routed to the main SNMP trap account you have set up here.
h Enter the IPv4 address for the other account.
i (Optional) You can specify an alternate SNMPv3 password for the additional SNMP server. SNMP community strings are used only by devices which support the SNMPv1 and SNMPv2c protocols. SNMPv3 uses username and password authentication, along with an encryption key. You can configure a community string if the SNMP software you use requires you to configure one regardless of the requirements in this user interface.
j Click Apply to save your configuration.
k In the SNMP server, configure these settings to enable SNMPv3 traps for the active fail-open kit:
  • USM user: McAfee00
  • Auth password: McAfee00
  • Security level: auth, priv
  • Privacy algorithm: AES
  • Auth algorithm: SHA
  • Privacy password: McAfee00
l Load the MIB file. If you do not have the appropriate MIB file, contact McAfee Support.
m Make sure the SNMP server and fail-open switch are able to communicate through the network.

You have configured your active fail-open switch to send SNMP traps to an SNMP server. You are also provided the option to configure multiple SNMP trap accounts. Access the SNMP server to view the triggers.
10 Verify your installation

Follow these steps to make sure your setup is working as designed.

a Check the icons in the Manager beside the ports you have configured for in-line fail-open operation. They must show Up.
b Check the Bypass LED on the Sensor.

| LED status | Description |
| --- | --- |
| ON | The Sensor is in inline fail-open, inline fail-closed, SPAN, or TAP mode. |
| OFF | The Sensor is in bypass mode. |

c Check the PWR LEDs on the chassis. Depending on which power source you use, you will see that PWR LED glowing.
d Check the port status and operating mode status of the GE in-line fail-open ports. The LEDs on the fail-open switch show whether it is in normal mode (the Sensor ports are operating normally) or in bypass mode (the Sensor ports have gone down).

| Item | Description |
| --- | --- |
| NRM | Glows green when the Sensor is in normal mode of operation. |
| WDT | Indicates the watchdog timer. The Watchdog Timer LED always blinks amber, whether the fail-open switch is in normal or bypass mode. The blink indicates that the heartbeat pulse is being sent through the fail-open connection. The watchdog timer is always blinking, even when the fail-open switch is bypassing the Sensor, because it is always sending and listening for the correct heartbeat state from the Sensor monitoring ports. |
| BYP | Glows red when the fail-open switch is in bypass mode of operation. |

11 Troubleshooting

During normal in-line fail-open operation of the Sensor, the fail-open switch constantly sends a heartbeat signal to the Sensor. If this signal does not return to the fail-open switch within a programmed interval, the fail-open switch removes the Sensor from the data path and moves into bypass mode, providing continuous data flow with little network interruption. While the fail-open switch is in bypass mode, traffic passes directly through it, bypassing the Sensor.

When normal Sensor operation resumes, you might or might not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure. The following section describes how to return the Sensor to in-line mode.

What happens when a Sensor fails?

When a Sensor fails with a fail-open switch in place, the following events occur in the stated order.

• The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the System Health pane.
• The Sensor reboots and the fail-open switch begins forwarding traffic. All traffic now bypasses the Sensor and flows through the fail-open switch with minimal traffic disruption. A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires the renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption ranges from a couple of seconds to more than a minute with certain vendors' devices.
• Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:
  • If the reboot occurred during normal operation as described, the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line fail-open mode.
  • If the reboot occurred due to an error, the fail-open switch continues to bypass the Sensor until the administrator manually re-enables the Sensor ports in the Manager. After the ports are re-enabled, the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line mode. A brief link disruption is likely to occur while the links are renegotiated to place the Sensor back in in-line mode.
• The errors on the Manager disappear and normal health is reported.

Common problems and solutions

This section lists some common installation problems and their solutions.

| Problem | Possible cause | Solution |
| --- | --- | --- |
| Network or link problems. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the fail-open switch. |
| Sensor LED is off. | The Sensor is turned off. | Restore Sensor power. |
| Sensor LED is off. | The Sensor port cable is disconnected. | Check the Sensor cable connections. |
| Sensor is operational, but is not monitoring traffic. | Network device cables have been disconnected. | Check the cables and ensure that they are properly connected to both the network devices and the fail-open switch. |
| Sensor is operational, but is not monitoring traffic. | The Sensor ports have not been enabled in the Sensor. | Ports are disabled on a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume. |
| Runt or giant frame errors on switches and routers. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the fail-open switch. |
| The system fault "Switch absent" appears on the Operational Status page of the Manager. | Improper cabling. | Ensure that the transmit and receive cables are properly connected to the fail-open switch. |

Copyright © 2014 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-4420B00