Network Security Platform 8.1 Addendum II

Addendum II to 8.1
Revision B
McAfee Network Security Platform 8.1
COPYRIGHT
Copyright © 2014 McAfee, Inc., 2821 Mission College Boulevard, Santa Clara, CA 95054, 1.888.847.8766, www.intelsecurity.com
TRADEMARK ATTRIBUTIONS
Intel and the Intel logo are registered trademarks of the Intel Corporation in the US and/or other countries. McAfee and the McAfee logo, McAfee Active
Protection, McAfee DeepSAFE, ePolicy Orchestrator, McAfee ePO, McAfee EMM, McAfee Evader, Foundscore, Foundstone, Global Threat Intelligence,
McAfee LiveSafe, Policy Lab, McAfee QuickClean, Safe Eyes, McAfee SECURE, McAfee Shredder, SiteAdvisor, McAfee Stinger, McAfee TechMaster, McAfee
Total Protection, TrustedSource, VirusScan are registered trademarks or trademarks of McAfee, Inc. or its subsidiaries in the US and other countries.
Other marks and brands may be claimed as the property of others.
LICENSE INFORMATION
License Agreement
NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS
FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU
HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR
SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A
FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET
FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF
PURCHASE FOR A FULL REFUND.
Contents

1 Overview
    Introducing McAfee Network Security Platform
2 Introducing the NS7x00 Sensors
    About Network Security Sensors
        Functions of an NS-series Sensor
        Deployment of an NS-series Sensor
    NS7x00 Sensor physical description
        Components of an NS7x00 Sensor
        Sensor LEDs
        NS7x00 Network Interface modules
        Small form-factor pluggable transceiver modules
    Special notes
    Configuring ports for NS7x00 Sensors
        Configure 10 Gbps (SFP/SFP+) Monitoring Ports
        Configure 1 Gbps (SFP) Monitoring Ports
    Command Line Interface
    Sensor performance with Layer 7 Data Collection
        NS7x00 Sensor performance with Layer 7 data collection
    SSL only traffic - throughput: NS7x00 Sensors
    SSL traffic mixed with HTTP 1.1 traffic: NS7x00 Sensors
    NS7x00 Sensor capacity
    Unsupported features
    Sensor technical specifications
3 Introducing the 4-port 10/1 GigE with internal fail-open network interface modules
    Technical specifications
    4-port 10/1 Gig SM 8.5 micron with internal fail-open interface module
    4-port 10/1 Gig MM 50 micron with internal fail-open interface module
    4-port 10/1 Gig MM 62.5 micron with internal fail-open interface module
4 Fail-open operation in Sensors
    Evaluation of fail-open modes
    Physical description
    Types of fail-open
        Passive fail-open switches
        Active fail-open switches
        Fail-Open switch models 1 thru 13
        Fail-Open switch models 14 thru 23
    Configure fail-open kits 1 thru 13
        1. Install the fail-open switch
        2. Configure fail-open switch parameters
        3. (Optional) Configure notification by SNMP traps
        4. Connect the switch to an inline Sensor
        5. Deploy a Sensor in inline fail-open mode
        6. Use the Web Manager to configure the fail-open switch
    Configure fail-open kits 14 thru 22
        1. Install the fail-open switch module in the chassis
        2. Remove an active fail-open switch from the chassis
        3. Configure fail-open switch parameters
        4. (Optional) Configure notification by SNMP traps
        5. Connect the switch to an inline Sensor
        6. Deploy a Sensor in inline fail-open mode
        7. Use the web interface to configure the fail-open switch
    Deployment scenario
        Setup the fail-open switch and Sensor
        Verify the setup
Index
1 Overview
This document is a standalone document for this release of McAfee® Network Security Platform 8.1.
The addendum supplements and supersedes information released in the earlier release of Network
Security Platform 8.0 user documentation.
Introducing McAfee Network Security Platform
McAfee® Network Security Platform [formerly McAfee® IntruShield®] delivers the most comprehensive,
accurate, and scalable network Intrusion Prevention System (IPS) and McAfee® Network Threat
Behavior Analysis (NTBA) for mission-critical enterprise, carrier, and service provider networks, while
providing unmatched protection against spyware and known, zero-day, and encrypted attacks.
The McAfee® Network Threat Behavior Analysis Appliance monitors network traffic by analyzing the
NetFlow information flowing through the network in real time. It complements the IPS capabilities in a
deployment in which the McAfee® Network Security Sensor and the NTBA Appliance are installed and
managed through a single Manager.
2 Introducing the NS7x00 Sensors
The high-port density NS-series Sensor is designed for high bandwidth links. The NS7300, NS7200,
and NS7100 Sensor models are a mid-range offering that provide 5 Gbps, 3 Gbps, and 1.5 Gbps
throughput respectively.
Contents
About Network Security Sensors
NS7x00 Sensor physical description
Special notes
Configuring ports for NS7x00 Sensors
Command Line Interface
Sensor performance with Layer 7 Data Collection
SSL only traffic - throughput: NS7x00 Sensors
SSL traffic mixed with HTTP 1.1 traffic: NS7x00 Sensors
NS7x00 Sensor capacity
Unsupported features
Sensor technical specifications
About Network Security Sensors
McAfee Network Security Sensors (Sensors) are high-performance, scalable, and flexible
content processing appliances built for the accurate detection and prevention of:
• Network intrusions
• Network misuse
• Distributed Denial-of-Service (DDoS) attacks
Sensors are specifically designed to handle traffic at wire speed, to inspect and detect intrusions
efficiently and with a high degree of accuracy, and to be flexible enough to adapt to the security needs
of any enterprise environment. When deployed at key network access points, the Sensor provides
real-time traffic monitoring to detect malicious activity and responds to it as configured by the
administrator.
After you deploy a Sensor successfully, you configure and manage it using the McAfee® Network
Security Manager (Manager). The process of configuring a Sensor and establishing communication
with the Manager is described in the subsequent chapters of this guide. For the details about the
Manager, see the McAfee Network Security Platform Manager Administration Guide.
Functions of an NS-series Sensor
The NS-series Sensors are a third-generation hardware platform for McAfee® Network Security Sensor
(Sensor) designed for high bandwidth links, to provide Next Generation IPS (NGIPS) capability,
providing high aggregate throughput across various Sensor models. The following models are
supported.
•
NS7300 - The NS7300 Sensor is a 1RU unit, providing an aggregate throughput of 5 Gbps
•
NS7200 - The NS7200 Sensor is a 1RU unit providing an aggregate throughput of 3 Gbps
•
NS7100 - The NS7100 Sensor is a 1RU unit providing an aggregate throughput of 1.5 Gbps
The primary function of a Sensor is to analyze traffic on selected network segments and to respond
when an attack is detected. The Sensor examines the header and data portion of every network
packet, looking for patterns and behavior in the network traffic that indicate malicious activity. The
Sensor examines packets according to user-configured policies, or rule sets, which determine what
attacks to watch for, and how to respond with countermeasures if an attack is detected.
If an attack is detected, a Sensor responds according to its configured policy. A Sensor can perform
many types of attack responses, including generating alerts and packet logs, resetting TCP
connections, "scrubbing" malicious packets, and even blocking attack packets entirely before they
reach the intended target.
Deployment of an NS-series Sensor
Deployment of a Sensor requires knowledge of your network to help determine the level of
configuration and the number of installed Sensors. You also need to determine the number of McAfee®
ePolicy Orchestrator® (McAfee ePO™) servers required to protect your network. The Sensor is
purpose-built for the monitoring of traffic across one or more network segments.
Following is an example of a network topology using Gigabit Ethernet throughput. In the illustration,
McAfee® Network Security Platform (formerly McAfee® IntruShield®) provides IPS protection to
outsourced servers. High port-density and virtualization provides a highly scalable solution, while
Network Security Platform protects against Web and eCommerce mail server exploits.
Figure 2-1 A sample Network Security Platform deployment
NS7x00 Sensor physical description
The high-port density NS-series Sensor is designed for high bandwidth links. This section gives a
physical description of the NS7x00 Sensors.
The NS7300, NS7200, and NS7100 Sensor models are a mid-range offering that provide 5 Gbps, 3
Gbps, and 1.5 Gbps throughput respectively.
Components of an NS7x00 Sensor
The NS7x00 front and rear panel details are described below.
The NS7100/NS7200/NS7300 Sensor model
Figure 2-2 Sensor front panel
1 Console port (1)
2 RJ-11 port (1) for fail-open control of the two built-in SFP+ ports in slot G0. The RJ-11 port
  supports 1 Gbps (SFP) copper or fiber and 10 Gbps (SFP+) (SR and LR).
3 SFP+ 1/10 Gigabit Ethernet ports (2). The RJ-11 port controls only this SFP+ 1/10 port pair in
  passive fail-open mode.
4 Two slots for I/O modules (any combination of the interface modules can be used):
  • SFP/SFP+ 1/10 Gigabit Ethernet Monitoring ports (8)
  • RJ-45 10/100/1000 Mbps with internal fail-open Ethernet Monitoring ports (6)
  • 10/1 GigE SM 8.5 micron with internal fail-open Monitoring ports (4)
  • 10/1 GigE MM 50 micron with internal fail-open Monitoring ports (4)
  • 10/1 GigE MM 62.5 micron with internal fail-open Monitoring ports (4)
5 RJ-45 10/100/1000 Mbps Ethernet Monitoring ports (8)
The supported transceiver modules are SFP+ (MM and SM), SFP Fiber (MM and SM) and SFP Copper.
Figure 2-3 Sensor rear panel
1 Auxiliary port (1)
2 USB ports (2)
3 Power supply inlet (2)
  The NS7x00 Sensors are shipped with one power supply unit. A second power supply (optional) is
  supported to enable redundancy.
4 RJ-45 10/100/1000 Response port (R1) (1)
5 RJ-45 10/100/1000 Management port (Mgmt) (1)
The NS7x00 Sensors have five fan units on the top.
Figure 2-4 Fan units-NS7100/NS7200/NS7300
The fan units and power supplies are field replaceable.
The following table gives the details of the supported ports.
Ports                                                     NS7100/NS7200/NS7300
Fixed Gigabit Ethernet copper ports (internal fail-open)  8
Fixed 10 GigE/1 GigE (SFP+) ports                         2
Network I/O slots                                         2
Network I/O modules                                       4-port 10/1 GigE SM 8.5 micron with internal fail-open
                                                          4-port 10/1 GigE MM 50 micron with internal fail-open
                                                          4-port 10/1 GigE MM 62.5 micron with internal fail-open
                                                          6-port RJ-45 1 GigE with internal fail-open
                                                          8-port (SFP+/SFP) 10/1 GigE
10 Gigabit Ethernet                                       Modular up to 18
Dedicated Response ports (RJ-45)                          1 (1G/100M/10M)
Dedicated Management ports (RJ-45)                        1 (1G/100M/10M)
Dedicated Auxiliary port (DB9)                            1
USB ports                                                 2
• Console port — Use to set up and configure the Sensor using the CLI.
• RJ-11 port — Controls the SFP+ 1/10 Gigabit Ethernet port pair in passive fail-open mode.
• SFP/SFP+ 1/10 Gigabit Ethernet ports — Enable you to monitor two SPAN ports, two segments
  in-line, or a combination.
• RJ-45 10/100/1000 Mbps Ethernet Monitoring ports — Enable you to monitor eight SPAN ports,
  four segments in-line, or a combination.
• DB9 Auxiliary port — Use to dial in remotely to set up and configure the Sensor.
• External USB ports — Use these in troubleshooting situations for system recovery purposes. You
  need to restart the Sensor from the USB storage device.
• RJ-45 10/100/1000 Management port — Use for communication with the Manager server. You
  can assign an IP address to this port during installation.
• RJ-45 10/100/1000 Response port — When you are operating in SPAN or tap mode, enables
  you to inject response packets back through a switch or router.
• Power Supply — A power supply is included with an NS7x00 Sensor. The supply uses a standard IEC
  port (IEC320-C13). McAfee provides a standard 2m NEMA 5-15P (US) power cable (3 wire).
  International customers must procure a country-appropriate power cable.
The NS-series Sensor does not have internal taps; you must use it with a third-party external tap to
run it in tapped mode.
Sensor LEDs
The front and rear panel LEDs provide status information for the health of the Sensor and the activity
on its ports. The following table describes the NS-series LEDs.
Front panel LEDs
LED                 Status  Description
Status              Green   Sensor is operating in good health. Also indicates system bad health.
                    Amber   Sensor is booting up. (It could also indicate a system failure.)
Fan                 Green   All the fans are operating.
                    Amber   One or more of the fans has failed.
Temp                Green   Inlet air temperature measured inside the chassis is normal. (Chassis
                            temperature OK.)
                    Amber   Inlet air temperature measured inside the chassis is too high. (Chassis
                            temperature too hot.)
Gigabit Ports Act   Amber   Data is received or transmitted.
                    Off     No data is being transferred.
Gigabit Ports Link  Green   The link is up.
                    Off     The link is down.
Normal/Bypass       Green   The port pair is in Inline Fail-Open/Inline Fail-Close/Span/Tap Mode.
                    Amber   The port pair is in the Bypass Mode.
Rear panel LEDs
LED                     Status  Description
Power                   Green   Power supply has power feed and is functioning.
                        Amber   Power supply is not functioning or the unit has no power feed.
Management Port Speed   Green   The port speed is 1000 Mbps.
                        Amber   The port speed is 100 Mbps.
                        Off     The port speed is 10 Mbps.
Management Port Link    Green   The link is up.
                        Off     The link is down.
Response Port Speed     Green   The port speed is 1000 Mbps.
                        Amber   The port speed is 100 Mbps.
                        Off     The port speed is 10 Mbps.
Response Port Link      Green   The link is up.
                        Off     The link is down.
NS7x00 Network Interface modules
The NS7x00 Sensors support the following Network Interface modules:
• 6-port RJ-45 10/100/1000 Mbps with internal fail-open interface module
• 8-port SFP/SFP+ 1/10 Gigabit interface module
• 4-port 10/1 GigE SM 8.5 micron with internal fail-open interface module
• 4-port 10/1 GigE MM 50 micron with internal fail-open interface module
• 4-port 10/1 GigE MM 62.5 micron with internal fail-open interface module
These modules need to be installed in the respective slots on the Sensor. For more information, see
the Network Security Platform NS-series Interface Modules Reference Guide.
Small form-factor pluggable transceiver modules
The NS7x00 Sensors use two types of small form-factor pluggable modules as shown in the following
table. For more information, see Network Security Platform NS-series Transceiver Modules Reference
Guide.
Type   Performance
SFP    1 Gbps (copper)
       1 Gbps (fiber optic)
SFP+   10 Gbps (fiber optic)
Each module is a hot-swappable input/output device that plugs into an LC-type Gigabit Ethernet port,
linking the module port with a copper or fiber-optic network. SFP optical interfaces are less than half
the size of GBIC interfaces.
To ensure compatibility, McAfee supports only those SFP and SFP+ modules purchased through McAfee
or from a McAfee-approved vendor. For a list of approved vendors, locate the relevant KnowledgeBase
article at http://mysupport.mcafee.com/Eservice/. Click Search the KnowledgeBase.
These installation instructions provide information for installing SFP and SFP+ modules that use a bail
clasp for securing the module in place in the Sensor. Your module might be slightly different. Check
the module manufacturer's installation instructions for more details. For ease of installation, insert the
module in the Sensor while it is turned off and before placing it on a rack.
To prevent eye damage, do not stare into open laser apertures.
Special notes
Each Sensor model ships with a quick start guide on how to set up the Sensor and configure it to
communicate with the Manager. McAfee also provides additional documentation for the NS-series
Sensors, consisting of the Sensor Product Guide and Reference Guides. These documents provide
detailed installation, configuration, and cabling instructions for your Sensor.
You may need special equipment depending on your deployment strategy. Gigabit Ethernet (GE) port
Sensors require the optional Gigabit Fail-Open Bypass Kit for In-line Fail-Open mode; you must
purchase these kits separately.
Setting up your NS7x00 Sensors
The process of setting up a Sensor is described below at a high level.
1 Verify the contents in the box
2 Verify the hardware and software requirements
3 Install the slide rails
4 Install the interface modules
5 Cable the Management and Console ports
6 Cable the monitoring ports
7 Power on the Sensor
8 Install the Manager Software
9 Start the Manager
10 Add the Sensor to the Manager
11 Configure Sensor information
12 Verify successful installation
For more information on setting up the Sensor, see McAfee Network Security Platform NS7x00 Quick
Start Guide and McAfee Network Security Platform NS7x00 Sensor Product Guide.
For more information see McAfee Network Security Platform NS-series Interface Modules Reference
Guide and McAfee Network Security Platform NS-series Transceiver Modules Reference Guide.
Full-duplex and Half-duplex monitoring ports for NS7x00 Sensors
To monitor a full-duplex segment in In-line or Tap mode, you use two Sensor ports (one port for
transmit, one for receive). SPAN port monitoring receives on one port and can respond via the same
port (if the switch supports this feature).
• In-line mode and tap mode can both monitor full-duplex links.
• SPAN monitoring works in either half-duplex or full-duplex mode (depending on the switch).
• Hub monitoring works in half-duplex mode.
For more information on cabling the Sensor ports, see McAfee Network Security Platform NS7x00
Sensor Product Guide.
Configuring ports for NS7x00 Sensors
Configuration of monitoring ports enables you to set the operating mode of your ports, change port
speeds or specify whether you are using McAfee certified modules, and/or choose the corresponding
response port for device action.
The Physical Ports page enables you to view and edit the parameters of the monitoring and response
ports on a specific device. Monitoring port configuration allows you to change device deployment
modes, select port speeds or indicate whether you are using McAfee certified modules, enable or
disable ports, and choose the path for device responses. Response port configuration allows you to
choose the receiving device and change the link speed.
To view or configure the settings of the monitoring ports for McAfee Network Security Platform
NS-series devices, you access the configuration page through <Admin Domain Name> | Devices | Devices |
<Device_Name> | Setup | Physical Ports.
Figure 2-5 Physical Ports
Port color key
Color   Description
Green   Port is enabled and operating correctly.
Red     Port is enabled, but not operating due to some failure. Check system faults.
Gray    Port has been disabled by the user.
Yellow  Device or NTBA Appliance is disconnected. The port data were retrieved from the database.
Beige   Port(s) has been modified, but not saved.
Action buttons
You can perform these actions on the Monitoring and Response ports.
• Enable/Disable: enables or disables a selected port. Once you select a port to enable or disable, a
  confirmation pop-up message is displayed. The changes take place immediately. Click Refresh to view
  the updated port status.
• Refresh: sends a poll from Manager to device and back detailing the most current state of the
  interfaces on the device. For example, if you disconnected a cable from monitoring port G0/2 (and
  this port was previously Enabled) and click Refresh in the UI, port G0/2 in the virtual device changes
  from green to red.
  If, after initial port configuration, you decide to change your port settings, all of the previous
  configurations performed at the interface and sub-interface levels are erased in favor of the new
  port configuration. This will erase such information as interface traffic types and child admin
  domains where interfaces were allocated for management.
• Save: saves configuration changes for subsequent push from Manager to device when the
  configuration is updated (Update Configuration). For example, if you changed monitoring port G0/2
  from being part of a port pair in Tap Mode to a single port in SPAN or Hub Mode, clicking Save queues
  this information for download to the device. You must also connect your segments correctly to the
  device for this change to be successful.
Double-click a port to view port details, configure, and save port settings.
The following table contains the default values for device ports in different operating modes. You must
make sure that the switch or router ports connected to the device ports match these settings for the
configurations as shown:
Interface Type       Mode     Auto-negotiation  Speed         Duplex
10 Gigabit Ethernet  Tap      OFF               N/A           N/A
10 Gigabit Ethernet  SPAN     OFF               N/A           N/A
10 Gigabit Ethernet  In-line  OFF               N/A           N/A
Gigabit Ethernet     Tap      OFF               N/A           N/A
Gigabit Ethernet     SPAN     ON                N/A           N/A
Gigabit Ethernet     In-line  ON                N/A           N/A
Fast Ethernet        Tap      OFF               Configurable  Half-duplex
Fast Ethernet        SPAN     OFF               Configurable  Configurable
Fast Ethernet        In-line  OFF               Configurable  Configurable
For a Virtual Sensor, the supported modes are SPAN, inline fail-closed, and inline fail-open mode using
an external Active Fail-Open Kit. Tap mode is supported on Virtual Sensors.
Configure 10 Gbps (SFP/SFP+) Monitoring Ports
Perform these steps to configure the 10 Gbps SFP or SFP+ monitoring ports for the NS7x00 Sensor.
Task
1 Select <Admin Domain Name> | Devices | Devices | <Sensor_Name> | Setup | Physical Ports.
2 Double-click a numbered 10 Gbps port from (SFP+) 10 G. The right panel displays the current port
  settings, which indicate a McAfee Certified SFP+.
  Figure 2-6 Configure Monitoring Port Details
  The speed is automatically set to 10 Gbps on the 10 Gigabit Ethernet ports. However, you can
  specify whether the modules are McAfee Certified.
3 Select the State as either Enabled or Disabled. Accordingly, the Link displays Up (on) or Down (off).
  If the Link displays Down and your State is Enabled, there may be a problem. Check Operational
  Status for more information.
4 From Operation options, select the Mode:
  Your device cabling must match the selected operating mode for correct system functionality.
  Improper deployment may result in system faults, including missed attacks and system failure.
  • In-line Fail-Open (port pair)
  • In-line Fail-Open Active (port pair)
  • In-line Fail-Closed (port pair)
  In-line Fail-Open and In-line Fail-Closed are determined by the port cabling method. Fail-open
  operation for GE ports requires use of the optional Bypass Switch provided in the Gigabit Optical
  Fail-Open Bypass Kit (sold separately). You should not select the In-line Fail-Open option if the
  optional external Bypass Switch is not present.
  • SPAN or Hub (single port)
  • Tap (port pair)
  GE ports can only be configured for External Tap mode.
  If a port is functioning as part of a Port Pair, the Peer Port is listed. For example, if port 2/1 is
  configured for Tap mode, port 2/2 is listed as the Peer Port. All ports are wire-matched internally
  with a single peer; for example, 2/1-2/2 make up a port pair.
  For more information on the deployment modes of Network Security Sensors, see McAfee Network
  Security Platform IPS Administration Guide.
5 Select the area of your network where the current port is connected: Inside Network (internal) or
  Outside Network (external). This step applies to Tap or In-line modes only.
6 For SPAN or Hub and Tap mode, select a Response Port. The response mode defines the path of
  response for the device. The following choices are available:
  • This Port: Responds out of the detection port to the segment. This is selected by default for
    In-line and SPAN operating modes.
  • Response Port: Sends responses through a designated response port, for example R1. This
    response option is selected by default for External Tap operating mode.
  You can assign a response port to more than one device monitoring port. However, knowing
  where your response ports are connected in the network will make for the best response system.
  Internal TAP mode is only supported on I-series 10/100 Mbps ports. M-series and NS-series support
  only External Tap mode.
7 Click Save to save changes.
  A confirmation page is displayed.
8 Navigate to <Admin Domain Name> | Devices | Devices | <Sensor_Name> | Deploy Pending Changes and
  select Configuration & Signature Set. Click Update to download the changes to your device.
Configure 1 Gbps (SFP) Monitoring Ports
Perform these steps to configure the 1 Gbps SFP monitoring ports for the NS7x00 Sensor.
Task
1 Select <Admin Domain Name> | Devices | Devices | <Sensor_Name> | Setup | Physical Ports.
2 Double-click a numbered 1 Gbps port from 1 G (RJ-45). A right panel displays the current port
  settings, which indicate that a McAfee Certified SFP is being used.
  Figure 2-7 View Monitoring Port Details
3 Select the Speed of the port. Port speed details the speed of traffic being monitored. You can set
  the port speed to Auto Negotiate or select one of the following values from the Speed (duplex)
  drop-down list:
  • 1 Gbps (Full)
  • 100 Mbps (Full)
  • 100 Mbps (Half)
  • 10 Mbps (Full)
  • 10 Mbps (Half)
  The duplex mode (Full) or (Half) relates to the connection monitored by the interface. If connected
  to a SPAN or hub, or if you deploy an external tap configuration, the default mode is Half-duplex. If
  connected in Tap or In-line mode, Full-duplex is the default.
4
Select the State as either Enabled or Disabled. Accordingly the Link displays Up (on) or Down (off).
If theLink displays Down and yourState is Enabled, there may be a problem. Check Operational Status for
more information.
5
From Operation options, select the Mode:
Your device cabling must match the selected operating mode for correct system functionality.
Improper deployment may result in system faults, including missed attacks and system failure.
•
In-line Fail-Open (port pair)
•
In-line Fail-Open Active (port pair)
•
In-line Fail-Closed (port pair)
In-line Fail-Open and In-line Fail-Closed are determined by the port cabling method. Fail-open
operation for GE ports requires use of the optional Bypass Switch provided in the Gigabit Optical
Fail-Open Bypass Kit (sold separately). You should not select the In-line Fail-Open option if the
optional external Bypass Switch is not present.
•
SPAN or Hub (single port)
•
Tap (port pair)
GE ports can only be configured for External Tap mode.
If a port is functioning as part of a Port Pair, the Peer Port is listed. For example, if port 3/1 is
configured for Tap mode, port 3/2 is listed as the Peer Port. All ports are wire-matched internally
with a single peer, for example 3/1-3/2 make up a port pair.
For more information on the deployment modes of Network Security Sensors, see McAfee Network
Security Platform IPS Administration Guide.
6
From Placement drop-down, Select the area of your network where the current port is connected:
Inside Network (internal) or Outside Network (external). This step applies to Tap or In-line modes only.
7. For SPAN or Hub and Tap mode, select a Response Port. The response mode defines the path of response for the device. The following choices are available:
• This Port: Responds out of the detection port to the segment. This is selected by default for In-line and SPAN operating modes.
• Response Port: Sends responses through a designated response port, for example R1. This response option is selected by default for External Tap operating mode.
You can assign a response port to more than one device monitoring port. However, knowing where your response ports are connected in the network will make for the best response system.
Internal TAP mode is only supported on I-series 10/100 Mbps ports. M-series and NS-series support only External Tap mode.
8. Click Save to save changes.
A confirmation page is displayed.
9. Navigate to <Admin Domain Name> | Devices | Devices | <Sensor_Name> | Deploy Pending Changes and select Configuration & Signature Set. Click Update to download the changes to your device.
Command Line Interface
The following commands can be used to display or manage various details of the Sensor.
loadsavedimage
Loads a Sensor image of this (WORD) version from archive in the SSD to be the next bootable image.
If this is an image downgrade, you must issue the resetconfig command.
Syntax
loadsavedimage WORD
rescuedisk
Reformats the SSD and loads a Sensor image of this (WORD) version from the internal flash device
onto the SSD. This will be the next bootable image.
Syntax
rescuedisk WORD
show savedimages
Displays version numbers of a list of up to ten Sensor images currently archived in the SSD.
Syntax
show savedimages
Sample output
[email protected]> show savedimages
8.0.46.18
8.0.46.19
8.1.44.43
8.1.44.46
8.1.5.38
show rescueimages
Displays version numbers of a list of up to five Sensor images currently archived in the internal flash
device.
Syntax
show rescueimages
show pluggable-module
Displays the status of the pluggable module(s) inserted into the specified slot(s) located within the
chassis front panel.
Syntax
show pluggable-module (g1|g2|all)
Sample output
[email protected]> show pluggable-module all
G1 port module not present
G2 port module not present
show intfport
Shows the status of the specified Sensor port.
Syntax
show intfport <string of interfaces>
NAC commands are not supported on NS-series Sensors.
Sensor performance with Layer 7 Data Collection
Turning on Layer 7 data collection affects Sensor performance.
NS7x00 Sensor performance with Layer 7 data collection

Sensor Model | Layer 7 Data Collection setting                | HTTP Response Scanning setting | Observed throughput
NS7100       | Disabled                                       | Disabled                       | 1.5 Gbps
NS7100       | Disabled                                       | Enabled for outbound direction | 1.5 Gbps
NS7100       | Percentage of flows that capture L7 data: 5    | Disabled                       | 1.5 Gbps
NS7100       | Percentage of flows that capture L7 data: 5    | Enabled for outbound direction | 1.5 Gbps
NS7100       | Percentage of flows that capture L7 data: 100  | Disabled                       | 1.5 Gbps
NS7100       | Percentage of flows that capture L7 data: 100  | Enabled for outbound direction | 1.5 Gbps
NS7200       | Disabled                                       | Disabled                       | 3 Gbps
NS7200       | Disabled                                       | Enabled for outbound direction | 3 Gbps
NS7200       | Percentage of flows that capture L7 data: 5    | Disabled                       | 3 Gbps
NS7200       | Percentage of flows that capture L7 data: 5    | Enabled for outbound direction | 3 Gbps
NS7200       | Percentage of flows that capture L7 data: 100  | Disabled                       | 3 Gbps
NS7200       | Percentage of flows that capture L7 data: 100  | Enabled for outbound direction | 3 Gbps
NS7300       | Disabled                                       | Disabled                       | 5 Gbps
NS7300       | Disabled                                       | Enabled for outbound direction | 5 Gbps
NS7300       | Percentage of flows that capture L7 data: 5    | Disabled                       | 5 Gbps
NS7300       | Percentage of flows that capture L7 data: 5    | Enabled for outbound direction | 5 Gbps
NS7300       | Percentage of flows that capture L7 data: 100  | Disabled                       | 5 Gbps
NS7300       | Percentage of flows that capture L7 data: 100  | Enabled for outbound direction | 5 Gbps
SSL only traffic - throughput: NS7x00 Sensors
Test conditions:
• Session resumption for 4 out of 5 TCP connections
• 5 HTTP 1.1 get page requests per TCP connection with a 10K response each
• 128-bit ARC4

Sensor  | Key length | Max. SSL Connections / Sec. | SSL Throughput
NS 7300 | 1024 bit   | 12000                       | 5 Gbps
NS 7300 | 2048 bit   | 12000                       | 5 Gbps
NS 7200 | 1024 bit   | 6900                        | 3 Gbps
NS 7200 | 2048 bit   | 6900                        | 3 Gbps
NS 7100 | 1024 bit   | 3500                        | 1.5 Gbps
NS 7100 | 2048 bit   | 3500                        | 1.5 Gbps
SSL traffic mixed with HTTP 1.1 traffic: NS7x00 Sensors
Test conditions:
• Session resumption for 4 out of 5 TCP connections
• 5 HTTP 1.1 get page requests per TCP connection with a 10K response each
• 128-bit ARC4

Sensor  | Key length | Max. SSL Connections / Sec. | SSL Throughput | HTTP 1.1 Throughput | Total Throughput
NS 7300 | 1024 bit   | 2500                        | 1 Gbps         | 4 Gbps              | 5 Gbps
NS 7300 | 2048 bit   | 2500                        | 1 Gbps         | 4 Gbps              | 5 Gbps
NS 7200 | 1024 bit   | 2500                        | 1 Gbps         | 2 Gbps              | 3 Gbps
NS 7200 | 2048 bit   | 2500                        | 1 Gbps         | 2 Gbps              | 3 Gbps
NS 7100 | 1024 bit   | 2500                        | 1 Gbps         | 0.5 Gbps            | 1.5 Gbps
NS 7100 | 2048 bit   | 2500                        | 1 Gbps         | 0.5 Gbps            | 1.5 Gbps
NS7x00 Sensor capacity
The following table describes the supported NS7x00 Sensor capacity.

Maximum Type                                                                  | NS7300        | NS7200        | NS7100
Aggregate Performance                                                         | 5 Gbps        | 3 Gbps        | 1.5 Gbps
Max Throughput with test equipment sending UDP packet size of 1512 Bytes      | up to 15 Gbps | up to 10 Gbps | up to 5 Gbps
Concurrent Connections                                                        | 10,000,000    | 5,000,000     | 3,000,000
Connections established per second                                            | 225,000       | 200,000       | 135,000
Default number of supported UDP Flows                                         | 150,000       | 150,000       | 150,000
Supported UDP Flows maximum                                                   | 3,000,000     | 3,000,000     | 3,000,000
Supported UDP Flows minimum                                                   | 1,000         | 1,000         | 1,000
Latency (Average UDP per packet Latency)                                      | <100 µs       | <100 µs       | <100 µs
SSL Flow Count                                                                | 500,000       | 400,000       | 250,000
Number of SSL certificates that can be imported into the Sensor               | 1,024         | 1,024         | 1,024
Throughput with SSL Decryption (based on 10% SSL traffic)                     | 5 Gbps        | 3 Gbps        | 1.5 Gbps
Quarantine rules per Sensor - IPv4                                            | 8,000         | 8,000         | 8,000
Quarantine rules per Sensor - IPv6                                            | 500           | 500           | 500
Quarantine Zones per Sensor                                                   | 50            | 50            | 50
Quarantine Zone ACLs per Sensor                                               | 1,000         | 1,000         | 1,000
Virtual Interfaces (VIDS) per Sensor (Number of Virtual IPS Systems)          | 1,000         | 1,000         | 1,000
VLAN / CIDR Blocks per Sensor                                                 | 3,000         | 3,000         | 3,000
VLAN / CIDR Blocks per Interface                                              | 254           | 254           | 254
Customized attacks                                                            | 100,000       | 100,000       | 100,000
Exception objects                                                             | 262,144       | 262,144       | 262,144
Number of attacks with exception objects                                      | 128,000       | 128,000       | 128,000
DoS Profiles                                                                  | 5,000         | 5,000         | 5,000
SYN cookie rate (64-byte packets per second)                                  | 3,300,000     | 1,800,000     | 1,400,000
Effective (Firewall) access rules                                             | 5,000         | 3,000         | 3,000
Firewall rule objects                                                         | 35,000        | 21,000        | 21,000
Firewall DNS rule objects                                                     | 1,250         | 1,000         | 1,000
Firewall rule object groups                                                   | 400           | 300           | 300
Application on Custom Port rule objects                                       | 500           | 500           | 500
Firewall user-based rule objects                                              | 1,250         | 1,000         | 1,000
Firewall user groups in access rules                                          | 10,000        | 10,000        | 10,000
Number of whitelist entries permitted for IP Reputation                       | 128           | 128           | 128
Maximum host entries supported for Connection Limiting policies               | 256,000       | 256,000       | 256,000
Maximum file size during packet capture                                       | 100 MB        | 100 MB        | 100 MB
Passive device profile limits                                                 | 100,000       | 50,000        | 25,000
Advanced Malware - Maximum simultaneous file scan capacity with file save     | 50            | 50            | 50
Advanced Malware - Maximum simultaneous file scan capacity without file save  | 4,094         | 4,094         | 4,094
New HTTP connections per second (using 1 GET with 5000 HTTP response)         | 135,000       | 128,000       | 115,000

See the note below on how the number of customized attacks is affected.
Unsupported features
The traffic management or rate limiting feature is not supported on NS7x00 Sensors for this release.
Sensor technical specifications
The following table lists the specifications of an NS7x00 Sensor:

Sensor Specifics                   | NS7300                            | NS7200                            | NS7100
Dimensions                         | 17.5” (W) x 1.69” (H) x 28.9” (D) | 17.5” (W) x 1.69” (H) x 28.9” (D) | 17.5” (W) x 1.69” (H) x 28.9” (D)
Weight                             | 31 lbs                            | 31 lbs                            | 29 lbs
Storage                            | Solid State 160 GB                | Solid State 160 GB                | Solid State 160 GB
Maximum Power Consumption          | 350 W                             | 350 W                             | 250 W
Redundant Power Supply             | Optional                          | Optional                          | Optional
Power                              | 100-240 VAC (50/60Hz) (all models)
Temperature                        | Operating: 0°-35° C, Non-operating: -40°-70° C (all models)
Relative humidity (non-condensing) | Operational: 10%-90%, Non-operational: 5%-95% (all models)
Altitude                           | 0 to 10,000 feet (all models)
Safety Certification               | UL 1950, CSA-C22.2 No. 950, EN-60950, IEC 950, EN 60825, 21CFR1040 CB license and report covering all national country deviations (all models)
EMI Certification                  | FCC Part 15, Class A (CFR 47) (USA), ICES-003 Class A (Canada), EN55022 Class A (Europe), CISPR22 Class A (Int’l) (all models)
3 Introducing the 4-port 10/1 GigE with internal fail-open network interface modules
This release of 8.1 introduces three 4-port 10/1 GigE with internal fail-open network interface modules that are supported on the NS7x00 Sensors.
• 4-port 10/1 GigE SM 8.5 micron with internal fail-open interface module
Figure 3-1 4-port 10/1 GigE SM 8.5 micron with internal fail-open interface module
• 4-port 10/1 GigE MM 50 micron with internal fail-open interface module
Figure 3-2 4-port 10/1 GigE MM 50 micron with internal fail-open interface module
• 4-port 10/1 GigE MM 62.5 micron with internal fail-open interface module
Figure 3-3 4-port 10/1 GigE MM 62.5 micron with internal fail-open interface module
All the 4-port modules provide 10/1 Gigabit Ethernet performance on each port.
Technical specifications
This section details the technical specifications of the interface modules.
4-port 10/1 Gig SM 8.5 micron with internal fail-open interface module
The technical specifications for the 4-port 10/1 Gigabit SM 8.5 micron interface module are listed in the following table:

Item                         | Description
Ports per module             | 4 ports of 10 Gigabit Ethernet using Duplex LC connector and 8.5 µm single mode fiber, OR 4 ports of 1 Gigabit Ethernet using Duplex LC connector and 8.5 µm single mode fiber
Product compatibility        | Supported in NS7100, NS7200, NS7300
Front panel LEDs             | • Status: Green (Operational), Off (module not initialized)
                             | • Link: Green (port enabled and connected), Off (port link down)
                             | • Activity: Amber (blinks amber with a stretched pulse as a packet is sent or received)
                             | • Normal / Bypass: Green (port pair is inline), Off (port pair is in bypass). Green if configured for any port mode (SPAN, Inline Fail-Closed, Inline Fail-Open, Tap) and dark if the port pair is configured for internal fail-open and is in bypass mode (during system reboot or when an administrator disables ports).
Physical dimensions          | • Occupies one I/O module slot in NS-series Chassis
                             | • Dimensions: 1.425 (H) x 4.772 (W) x 5.704 (D) in
                             | • Weight: 1 lb
Environmental specifications | • Temperature: 0° C to 35° C (operating); -40° C to 70° C (non-operating)
                             | • Altitude: supports operation up to 10,000 feet
                             | • Humidity: 5-90% non-condensing (operating); 5-95% non-condensing (non-operating)
4-port 10/1 Gig MM 50 micron with internal fail-open interface module
The technical specifications for the 4-port 10/1 Gigabit MM 50 µm interface module are listed in the following table:

Item                         | Description
Ports per module             | 4 ports of 10 Gigabit Ethernet using Duplex LC connector and 50 µm multimode fiber, OR 4 ports of 1 Gigabit Ethernet using Duplex LC connector and 50 µm multimode fiber
Product compatibility        | Supported in NS7100, NS7200, NS7300
Front panel LEDs             | • Status: Green (Operational), Off (module not initialized)
                             | • Link: Green (port enabled and connected), Off (port link down)
                             | • Activity: Amber (blinks amber with a stretched pulse as a packet is sent or received)
                             | • Normal / Bypass: Green (port pair is inline), Off (port pair is in bypass). Green if configured for any port mode (SPAN, Inline Fail-Closed, Inline Fail-Open, Tap) and dark if the port pair is configured for internal fail-open and is in bypass mode (during system reboot or when an administrator disables ports).
Physical dimensions          | • Occupies one I/O module slot in NS-series Chassis
                             | • Dimensions: 1.425 (H) x 4.772 (W) x 5.704 (D) in
                             | • Weight: 1 lb
Environmental specifications | • Temperature: 0° C to 35° C (operating); -40° C to 70° C (non-operating)
                             | • Altitude: supports operation up to 10,000 feet
                             | • Humidity: 5-90% non-condensing (operating); 5-95% non-condensing (non-operating)
4-port 10/1 Gig MM 62.5 micron with internal fail-open interface module
The technical specifications for the 4-port 10/1 Gigabit MM 62.5 µm interface module are listed in the following table:

Item                         | Description
Ports per module             | 4 ports of 10 Gigabit Ethernet using Duplex LC connector and 62.5 µm multimode fiber, OR 4 ports of 1 Gigabit Ethernet using Duplex LC connector and 62.5 µm multimode fiber
Product compatibility        | Supported in NS7100, NS7200, NS7300
Front panel LEDs             | • Status: Green (Operational), Off (module not initialized)
                             | • Link: Green (port enabled and connected), Off (port link down)
                             | • Activity: Amber (blinks amber with a stretched pulse as a packet is sent or received)
                             | • Normal / Bypass: Green (port pair is inline), Off (port pair is in bypass). Green if configured for any port mode (SPAN, Inline Fail-Closed, Inline Fail-Open, Tap) and dark if the port pair is configured for internal fail-open and is in bypass mode (during system reboot or when an administrator disables ports).
Physical dimensions          | • Occupies one I/O module slot in NS-series Chassis
                             | • Dimensions: 1.425 (H) x 4.772 (W) x 5.704 (D) in
                             | • Weight: 1 lb
Environmental specifications | • Temperature: 0° C to 35° C (operating); -40° C to 70° C (non-operating)
                             | • Altitude: supports operation up to 10,000 feet
                             | • Humidity: 5-90% non-condensing (operating); 5-95% non-condensing (non-operating)
4 Fail-open operation in Sensors
When a Sensor is deployed inline, it monitors traffic at wire speed and, depending on your policies,
prevents attacks from occurring. However, if the Sensor fails, depending on your configuration, the
Sensor becomes a bump in the wire which results either in no traffic passing through or in all traffic
passing through without being monitored. The former configuration is called inline fail-closed and the
latter configuration is called inline fail-open.
To deploy Sensors in a fail-open configuration, you might require additional hardware which comprises
a compatible fail-open switch, appropriate cables, and depending on which port you want to configure
– SFP, XFP, QSFP, or SFP+ transceiver modules. The only exception to this rule is if you decide to use
the in-built fail-open option available in some Sensor models.
To deploy Sensors in fail-closed configuration, you will not require additional hardware. By default
when enabled, Sensor ports are configured inline fail-closed.
Contents
Evaluation of fail-open modes
Physical description
Types of fail-open
Configure fail-open kits 1 thru 13
Configure fail-open kits 14 thru 22
Deployment scenario
Evaluation of fail-open modes
It all begins with estimating the requirements of your organization’s network. If it is paramount to allow network traffic flow to continue uninterrupted, a fail-open deployment will work best. However, if security cannot be compromised at any instant, you must choose a fail-closed configuration. Both deployments come with inherent advantages and disadvantages. While a fail-closed setup ensures that all traffic entering the network is monitored, it results in network outages, which may not be acceptable if you host business-critical servers in the network. On the other hand, a fail-open setup ensures that traffic is never interrupted but can result in malicious traffic entering the network during a Sensor outage. This is the first choice that you, as a security analyst, need to make.
Broadly, these are the benefits of choosing a fail-open network architecture.
• Reduces network downtime to seconds during any Sensor reboot or Sensor failure.
• Protects your network during link failure on the Sensor.
• Bypasses the Sensor when troubleshooting network issues. This will help you identify or eliminate the Sensor as the cause of network issues.
Fail-closed configuration
To configure your network for fail-closed operation, you will simply need to make sure that a port pair
on the Sensor is set to inline fail-closed configuration.
Fail-open configuration
Should you decide to go the fail-open route, you have two options:
• Internal fail-open – Fail-Open is built into some of the Sensor ports
• External fail-open – Fail-Open is carried out using external hardware
If you use a Sensor that supports internal fail-open, you simply need to configure the appropriate port
pair for inline fail-open.
If you use a Sensor that supports external fail-open, you will need to make sure you have the
additional hardware necessary for an inline fail-open deployment. Network Security Platform provides
a range of fail-open kits to accommodate diverse requirements. You must purchase a fail-open kit that
best suits your requirements and one that is compatible with your existing network infrastructure. The
primary component in a fail-open kit is the fail-open switch, which can be active or passive.
An active fail-open switch sends a signal to the Sensor at regular intervals and awaits a response. A
response indicates that the Sensor is operating normally. This signal is called a “heartbeat” signal. If
the switch does not receive a response for a set number of signals, it removes the Sensor from the
path of traffic and routes all traffic through its own ports, thereby ensuring continuous traffic flow.
A passive fail-open switch relies on the Sensor to send an electrical signal to determine if the Sensor is operating normally. If the switch does not receive a signal in a specified period, it removes the Sensor from the path of network traffic and bypasses the Sensor, routing traffic through its own ports.
A heartbeat signal is a data packet that is sent by the Sensor or by the fail-open switch (depending on
whether it is passive or active). Regardless of whether it is passive or active, a signal is sent at regular
intervals and is used by the fail-open switch to determine operational state of the Sensor. The interval
between each signal varies with the type of fail-open switch you are using.
Physical description
All fail-open switches are provided with four basic ports. Two of these connect to the monitoring ports of the Sensor, while the other two connect to the network devices that route traffic to the network.
Active fail-open switches have two power ports for a primary and a secondary power source. They also
have LEDs that show bypass status. Certain models also have LEDs to show utilization threshold
status for each port.
There are several types of fail-open switches that enable you to choose the one that best suits your requirements. When you make your choice of fail-open kit, be sure to consider the following factors:
• How quickly you need traffic to bypass the Sensor during an outage – Depending on how quickly you require traffic to bypass a Sensor during an outage, you can decide between an active or a passive fail-open switch and a copper or a fiber fail-open switch. For more details about the differences between the speed of active switching and passive switching, refer to the sections Passive fail-open switches on page 35 and Active fail-open switches on page 35.
• Distance between the fail-open switch and Sensor – All fail-open switches have an upper limit that is set by the type of cable used for data transport.
• Cost – Finding the right balance between cost and your requirements is another factor in determining the ideal fit for a fail-open switch.
The images below show the front and rear views of an active fiber fail-open switch with SNMP capability.
Figure 4-1 Front view of a 10G active fiber fail-open switch

Callout | Description
1       | Display (shows threshold values, but not present on all models)
2       | Status LEDs
3       | Network ports – Connects to the ports of the network device
4       | Monitor ports – Connects to the monitoring ports of the Sensor

Figure 4-2 Back view of a 10G active fiber fail-open switch

Callout | Description
1       | DB-9 RS232 port
2       | Management port (RJ-45)
3       | Power inlet ports 1 and 2
Types of fail-open
Internal fail-open
Some Sensor models provide fail-open through their in-built copper ports. Internal fail-open is not
provided through SFPs or through fiber ports of Sensors. Sensor models that provide in-built fail-open
are:
• I-Series: I-1200, I-1400, and I-2700
• M-Series: M-1250, M1450, M-2850, and M-2950
• NS-series: NS7100, NS7200, and NS7300
The M-2850, M-2950, NS7100, NS7200, and NS7300 Sensors can also be connected to an external
fail-open switch. More details of their compatibility with various switch models are provided in the table
in the next section.
External fail-open
Fail-open switches are categorized in several ways. One categorization, as we have seen above, is based on functionality – active or passive. In addition, they are also categorized based on the type of ports and the corresponding type of cables that connect them to the Sensor and network device – copper or fiber. Copper and fiber fail-open switches are further categorized based on the maximum throughput that each model supports. Finally, every fail-open switch optionally has the facility to trigger alarms and send notifications to an SNMP manager.
While choosing a fail-open switch, you must remember that certain fail-open switches are compatible
only with certain Sensors. The comparison in the tables in upcoming sections will provide details about
which fail-open switches work with which Sensors. These tables contain a Model no. for each fail-open
switch. The rest of the chapter frequently refers to the Model no. of each fail-open kit when explaining
steps to perform various functions.
All active fail-open switches support SNMP traps regardless of whether the switch is copper or fiber. The
switch in such fail-open kits consists of a Management port. This allows you to assign an IP address to
the fail-open switch and establish communication with an SNMP server through the network.
Fiber fail-open switches come in two types: single mode and multi-mode. The table below gives you some relevant details about both types of fiber optic fail-open switches. This is especially relevant because you must determine the type of fiber used in your organization’s network before you decide which type of fail-open switch to use. Also, all product documentation for fail-open kits and decals on the fail-open switches will repeatedly refer to these parameters.
Table 4-1 Single mode and multi-mode fiber optic fail-open switches

Type                     | Fiber thickness   | Wavelength range
Single mode (Long reach) | 8.5 µm            | 1300 nm to 1550 nm
Multi-mode (Short reach) | 50 µm or 62.5 µm  | 850 nm to 1300 nm
Passive fail-open switches
A passive fail-open switch depends on the Sensor to send a control signal or heartbeat signal from its
Control port at regular intervals.
A passive copper or fiber fail-open switch receives a control signal every second. If the fail-open
switch does not receive a signal for 4 seconds consecutively, it transitions to bypass mode thereby
removing the Sensor from the path of traffic.
During normal operation, the bypass status of the switch remains OFF. To confirm this, you must see
the Control port LED off on the switch. When the Sensor fails or reboots, bypass status is activated,
which is indicated by the Control port LED coming on. When the fail-open switch is in bypass mode,
there is no traffic monitoring by the Sensor.
Passive fail-open kits are not compatible with NS-series Sensors, since NS-series Sensors do not have control ports. Refer to the table that lists all fail-open switches and the Sensors with which they are compatible for those details.
Active fail-open switches
An active fail-open switch sends control signals or heartbeat signals to the Sensor to determine its operational state. Active fail-open switches are faster than passive fail-open switches in their transition from normal mode to bypass mode during a Sensor outage.
An active fiber fail-open switch sends a heartbeat signal to the Sensor every millisecond. This signal
returns to the fail-open switch during normal operation. If the fail-open switch does not receive a
response for 10 milliseconds, it transitions to bypass mode thereby removing the Sensor from the
path of traffic.
During normal operation, the bypass status of the switch remains OFF. To confirm this, you must see
the OFF LED on the switch lit up. When the Sensor fails or reboots, bypass status changes to ON,
which is indicated by the ON LED coming on. When the fail-open switch is in bypass mode, there is no
traffic monitoring by the Sensor.
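To make the timing difference between the two switch types concrete, here is an added Python simulation (not McAfee's code) of the bypass state machine described in the passive and active sections above, using the intervals given there: a passive switch expects a control signal every second and bypasses after 4 seconds of silence; an active fiber switch sends a heartbeat every millisecond and bypasses after 10 milliseconds without a response. The outage timelines and the rule that the switch returns to normal when heartbeats resume are constructed assumptions.

```python
"""Bypass timing of passive vs. active fail-open switches (added simulation).

Passive switch (from the page): Sensor sends a control signal every second;
the switch bypasses the Sensor after 4 consecutive seconds without one.
Active fiber switch (from the page): the switch sends a heartbeat every
millisecond and bypasses the Sensor after 10 ms without a response.
Outage timelines and the return-to-normal rule are constructed assumptions.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Tuple

Transition = Tuple[int, str]  # (time in ms, "BYPASS" or "NORMAL")


@dataclass
class FailOpenSwitch:
    """Bypass state machine of a fail-open switch driven by heartbeats."""
    name: str
    interval_ms: int  # how often a heartbeat (or its response) is expected
    timeout_ms: int   # silence for this long puts the switch into bypass
    bypass: bool = False
    last_heartbeat_ms: int = 0
    transitions: List[Transition] = field(default_factory=list)

    def heartbeat(self, now_ms: int) -> None:
        """A control signal (passive) or heartbeat response (active) arrived."""
        self.last_heartbeat_ms = now_ms
        if self.bypass:
            # Assumption: heartbeats resuming returns the switch to normal mode.
            self.bypass = False
            self.transitions.append((now_ms, "NORMAL"))

    def tick(self, now_ms: int) -> None:
        """Evaluate the silence timeout at each expected-heartbeat boundary."""
        if not self.bypass and now_ms - self.last_heartbeat_ms >= self.timeout_ms:
            self.bypass = True
            self.transitions.append((now_ms, "BYPASS"))


def simulate(switch: FailOpenSwitch, sensor_alive: Callable[[int], bool],
             end_ms: int) -> List[Transition]:
    """Step the switch from t=0 to end_ms. sensor_alive(t) says whether the
    Sensor answers at time t; a heartbeat is seen by the switch only then."""
    for t in range(0, end_ms + 1, switch.interval_ms):
        if sensor_alive(t):
            switch.heartbeat(t)
        switch.tick(t)
    return switch.transitions


def time_to_bypass_ms(transitions: List[Transition], outage_start_ms: int) -> int:
    """Gap between Sensor failure and bypass engaging: during this window the
    inline segment carries no traffic at all (neither monitored nor bypassed)."""
    first_bypass = next(t for t, state in transitions if state == "BYPASS")
    return first_bypass - outage_start_ms


# Constructed scenario: passive switch, Sensor down from t=4 s, back at t=12 s.
PASSIVE_OUTAGE_MS = (4_000, 12_000)


def passive_scenario() -> List[Transition]:
    sw = FailOpenSwitch("passive copper/fiber", interval_ms=1_000, timeout_ms=4_000)
    start, end = PASSIVE_OUTAGE_MS
    return simulate(sw, lambda t: not start <= t < end, end_ms=15_000)


# Constructed scenario: active fiber switch, Sensor down from t=50 ms to t=80 ms.
ACTIVE_OUTAGE_MS = (50, 80)


def active_scenario() -> List[Transition]:
    sw = FailOpenSwitch("active fiber", interval_ms=1, timeout_ms=10)
    start, end = ACTIVE_OUTAGE_MS
    return simulate(sw, lambda t: not start <= t < end, end_ms=100)


if __name__ == "__main__":
    for label, run, outage in (("passive", passive_scenario, PASSIVE_OUTAGE_MS),
                               ("active", active_scenario, ACTIVE_OUTAGE_MS)):
        trans = run()
        print(label, trans, "bypass engaged",
              time_to_bypass_ms(trans, outage[0]), "ms after Sensor failure")
```

With these parameters the passive switch engages bypass 3 seconds after the Sensor stops signalling (the fourth missed second), while the active switch engages it 9 ms after the last answered heartbeat.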
Fail-Open switch models 1 thru 13
Fail-Open switch models 1 thru 13 are compatible with M-Series and NS-series Sensors. The tables in
this section divide the fail-open switches compatible with each type of Sensor model.
The table below shows fail-open switch models 1 thru 13 with all applicable M-Series Sensors.
Table 4-2 M-Series Sensors compatible with fail-open switch models 1 thru 13

Model no. | Fail-open switch                           | SKU             | M-2850 | M-2950 | M-3050 | M-4050 | M-6050 | M-8000
1         | Passive 1000Base-TX/Copper                 | IAC-CGFO-KT2    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
2         | Passive 1000Base-SX/MM Fibre               | ITV-MMF1-NA-100 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
3         | Passive 10GBase-SR/62.5μm MM Fibre         | IAC-MM62-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
4         | Passive 10GBase-SR/50μm MM Fibre           | IAC-MM50-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
5         | Passive 1000Base-LX/SM Fibre               | ITV-SMF1-NA-100 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
6         | Passive 10GBase-LR/SM Fibre                | IAC-SMGB-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
7         | Active 1000Base-TX/Copper                  | IAC-CGAFO-KT2   | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
8         | Active 1000Base-TX/Copper with SNMP        | IAC-CGAFOS-KT2  | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
9         | Active 1000Base-SX/62.5μm MM Fibre         | IAC-62F1-KT7    | No     | No     | Yes    | Yes    | Yes    | Yes
10        | Active 1000Base-LX/8.5μm SM Fibre          | IAC-85F1-KT7    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
11        | Active 10GBase-SR/MM Fibre                 | IAC-10FO-850X   | No     | No     | Yes    | Yes    | Yes    | Yes
12        | Active 10GBase-LR/SM Fibre                 | IAC-10FO-1310   | No     | No     | Yes    | Yes    | Yes    | Yes
13        | Active-Fiber 40G (8.5 µm, 50 µm, 62.5 µm)  | (no SKU listed) | No     | No     | No     | No     | No     | No
The table below shows fail-open switch models 1 thru 13 with all applicable NS-series Sensors.
Table 4-3 NS-series Sensors compatible with fail-open switch models 1 thru 13

Model no. | Fail-open switch                           | SKU             | NS7x00 | NS9x00
1         | Passive 1000Base-TX/Copper                 | IAC-CGFO-KT2    | Yes    | No
2         | Passive 1000Base-SX/MM Fibre               | ITV-MMF1-NA-100 | Yes    | No
3         | Passive 10GBase-SR/62.5μm MM Fibre         | IAC-MM62-KT1    | Yes    | No
4         | Passive 10GBase-SR/50μm MM Fibre           | IAC-MM50-KT1    | Yes    | No
5         | Passive 1000Base-LX/SM Fibre               | ITV-SMF1-NA-100 | Yes    | No
6         | Passive 10GBase-LR/SM Fibre                | IAC-SMGB-KT1    | Yes    | No
7         | Active 1000Base-TX/Copper                  | IAC-CGAFO-KT2   | Yes    | Yes
8         | Active 1000Base-TX/Copper with SNMP        | IAC-CGAFOS-KT2  | Yes    | Yes
9         | Active 1000Base-SX/62.5μm MM Fibre         | IAC-62F1-KT7    | Yes    | Yes
10        | Active 1000Base-LX/8.5μm SM Fibre          | IAC-85F1-KT7    | Yes    | Yes
11        | Active 10GBase-SR/MM Fibre                 | IAC-10FO-850X   | Yes    | Yes
12        | Active 10GBase-LR/SM Fibre                 | IAC-10FO-1310   | Yes    | Yes
13        | Active-Fiber 40G (8.5 µm, 50 µm, 62.5 µm)  | (no SKU listed) | No     | Yes
Fail-Open switch models 14 thru 23
Fail-Open switch models 14 thru 23 are compatible with M-Series and NS-series Sensors. The tables in
this section divide the fail-open switches compatible with each type of Sensor model.
The table below shows all M-Series Sensor models and the compatible fail-open switch models 14 thru
23.
Table 4-4 M-Series models compatible with fail-open switch models 14 thru 23

No. | Fail-open switch                        | SKU              | M-2850 | M-2950 | M-3050 | M-4050 | M-6050 | M-8000
14  | Passive-Fiber (850 nm) 10G (50 μm)      | IAC-PF85050-KT1  | No     | No     | Yes    | Yes    | Yes    | Yes
15  | Passive-Fiber (850 nm) 10/1G (62.5 μm)  | IAC-PF85062-KT1  | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
16  | Passive-Fiber (1310 nm) 10/1G (8.5 μm)  | IAC-PF131010-KT1 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
17  | Passive-Copper 10/100/1000              | IAC-PFOCG-KT2    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
18  | Active-Fiber (850 nm) 10G (62.5 μm)     | IAC-AF85010-KT1  | No     | No     | Yes    | Yes    | Yes    | Yes
19  | Active-Fiber (1310 nm) 10G (8.5 μm)     | IAC-AF131010-KT1 | No     | No     | Yes    | Yes    | Yes    | Yes
20  | Active-Fiber (850 nm) 1G (62.5 μm)      | IAC-AF85062-KT1  | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
21  | Active-Fiber (1310 nm) 1G (8.5 μm)      | IAC-AF131085-KT1 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
22  | Active-Copper 10/100/1000 module        | IAC-AFOCG-KT2    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
23  | Active Fail-Open Chassis                | IAC-AFOCH-KT2    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
The table below shows all NS-series Sensor models and the compatible fail-open switch models 14 thru 23.
Table 4-5 NS-series models compatible with fail-open switch models 14 thru 23

No. | Fail-open switch                        | SKU              | NS7x00 | NS9x00
14  | Passive-Fiber (850 nm) 10G (50 μm)      | IAC-PF85050-KT1  | Yes    | No
15  | Passive-Fiber (850 nm) 10/1G (62.5 μm)  | IAC-PF85062-KT1  | Yes    | No
16  | Passive-Fiber (1310 nm) 10/1G (8.5 μm)  | IAC-PF131010-KT1 | Yes    | No
17  | Passive-Copper 10/100/1000              | IAC-PFOCG-KT2    | Yes    | No
18  | Active-Fiber (850 nm) 10G (62.5 μm)     | IAC-AF85010-KT1  | Yes    | Yes
19  | Active-Fiber (1310 nm) 10G (8.5 μm)     | IAC-AF131010-KT1 | Yes    | Yes
20  | Active-Fiber (850 nm) 1G (62.5 μm)      | IAC-AF85062-KT1  | Yes    | Yes
21  | Active-Fiber (1310 nm) 1G (8.5 μm)      | IAC-AF131085-KT1 | Yes    | Yes
22  | Active-Copper 10/100/1000 module        | IAC-AFOCG-KT2    | Yes    | Yes
23  | Active Fail-Open Chassis                | IAC-AFOCH-KT2    | Yes    | Yes
Table 4-6 M-Series Sensors compatible with fail-open switch models 1 thru 13

Model no. | Fail-open switch                           | SKU             | M-2850 | M-2950 | M-3050 | M-4050 | M-6050 | M-8000
1         | Passive 1000Base-TX/Copper                 | IAC-CGFO-KT2    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
2         | Passive 1000Base-SX/MM Fibre               | ITV-MMF1-NA-100 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
3         | Passive 10GBase-SR/62.5μm MM Fibre         | IAC-MM62-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
4         | Passive 10GBase-SR/50μm MM Fibre           | IAC-MM50-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
5         | Passive 1000Base-LX/SM Fibre               | ITV-SMF1-NA-100 | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
6         | Passive 10GBase-LR/SM Fibre                | IAC-SMGB-KT1    | No     | No     | Yes    | Yes    | Yes    | Yes
7         | Active 1000Base-TX/Copper                  | IAC-CGAFO-KT2   | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
8         | Active 1000Base-TX/Copper with SNMP        | IAC-CGAFOS-KT2  | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
9         | Active 1000Base-SX/62.5μm MM Fibre         | IAC-62F1-KT7    | No     | No     | Yes    | Yes    | Yes    | Yes
10        | Active 1000Base-LX/8.5μm SM Fibre          | IAC-85F1-KT7    | Yes    | Yes    | Yes    | Yes    | Yes    | Yes
11        | Active 10GBase-SR/MM Fibre                 | IAC-10FO-850X   | No     | No     | Yes    | Yes    | Yes    | Yes
12        | Active 10GBase-LR/SM Fibre                 | IAC-10FO-1310   | No     | No     | Yes    | Yes    | Yes    | Yes
13        | Active-Fiber 40G (8.5 µm, 50 µm, 62.5 µm)  | (no SKU listed) | No     | No     | No     | No     | No     | No
This section compares fail-open switch models 1 thru 13 with all applicable NS-series Sensors.
Table 4-7 NS-series Sensors compatible with fail-open switch models 1 thru 13
Model no. | Fail-open switch | SKU | NS7x00 | NS9x00
1 | Passive 1000Base-TX/Copper | IAC-CGFO-KT2 | Yes | No
2 | Passive 1000Base-SX/MM Fibre | ITV-MMF1-NA-100 | Yes | No
3 | Passive 10GBase-SR/62.5μm MM Fibre | IAC-MM62-KT1 | Yes | No
4 | Passive 10GBase-SR/50μm MM Fibre | IAC-MM50-KT1 | Yes | No
5 | Passive 1000Base-LX/SM Fibre | ITV-SMF1-NA-100 | Yes | No
6 | Passive 10GBase-LR/SM Fibre | IAC-SMGB-KT1 | Yes | No
7 | Active 1000Base-TX/Copper | IAC-CGAFO-KT2 | Yes | Yes
8 | Active 1000Base-TX/Copper with SNMP | IAC-CGAFOS-KT2 | Yes | Yes
9 | Active 1000Base-SX/62.5μm MM Fibre | IAC-62F1-KT7 | Yes | Yes
10 | Active 1000Base-LX/8.5μm SM Fibre | IAC-85F1-KT7 | Yes | Yes
11 | Active 10GBase-SR/MM Fibre | IAC-10FO-850X | Yes | Yes
12 | Active 10GBase-LR/SM Fibre | IAC-10FO-1310 | Yes | Yes
13 | Active-Fiber 40G (8.5 μm, 50 μm, 62.5 μm) | | No | Yes
Configure fail-open kits 1 thru 13
Before you begin
For each fail-open configuration, you will need to make sure you have all these components.
• Determine the IP address for the fail-open switch or, if you are deploying multiple switches, a range of IP addresses
• Determine a network mask and the default gateway for the fail-open switch
• 4 cables to connect the fail-open switch and the Sensor
• (Optional) A DB-9 RS232 female-female cable to access the fail-open switch CLI
• 2 SFPs, XFPs, or QSFPs for the fail-open switch and 2 SFPs, XFPs, or QSFPs for the Sensor
• Cables for a copper fail-open switch
  • 2 CAT5e cables (1 cross-over, 1 straight-through) for network ports
  • 2 CAT5e cables (straight-through) for monitor ports
• Cables for a fiber fail-open switch
  • 2 LC fiber cables for network ports
  • 2 LC fiber cables for monitor ports
• 1 control cable if you are connecting a passive fail-open switch
Broadly, these are the steps you will need to follow to set up a fail-open kit.
Task
1 Install the fail-open switch.
2 (Optional) Configure bypass switch parameters.
3 (Optional) Configure notification by SNMP traps.
4 Cable bypass switch to a Sensor using the appropriate cables.
5 Configure Sensor ports as inline fail-open.
6 (Optional) Use the Web Manager to configure the active fail-open switch settings.
Tasks
• 1. Install the fail-open switch on page 42
• 2. Configure fail-open switch parameters on page 43
• 3. (Optional) Configure notification by SNMP traps on page 44
• 4. Connect the switch to an inline Sensor on page 45
• 5. Deploy a Sensor in inline fail-open mode on page 48
• 6. Use the Web Manager to configure the fail-open switch on page 49
1. Install the fail-open switch
Before you begin
Depending on whether you can physically connect the fail-open switch to a computer using an RS232 cable, you might consider swapping this step with configuring fail-open switch parameters.
These steps explain the procedure to install fail-open switch models 1 thru 13.
Task
1 Slide the switch into the opening in the center of the rack-mount panel, until the faceplate of the switch rests against the panel.
Figure 4-3 Slide the fail-open switch into the rack plate
2 Secure the switch to the rack-mount panel by inserting screws through the holes on the switch faceplate and into the panel.
3 Install the panel and fail-open switch on the rack.
a Place the 1U panel against the front of a standard 19-inch rack.
b Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on the front of the panel and the sides of the rack.
4 Additional fail-open switches can be installed without removing the rack-mount panel from the rack. To install up to two additional switches:
a Remove the screws holding one of the removable blank plates from the front of the panel.
b Follow the procedure for installing a switch in the rack-mount panel for the additional fail-open switch.
2. Configure fail-open switch parameters
Before you begin
To proceed with this setup you will require:
• One DB9 RS-232 cable
• One RJ-45 cable.
The steps below explain the configuration of parameters for your fail-open switch.
Task
1 Connect the applicable cable to the fail-open switch.
2 Connect the other end to a computer which runs terminal emulation software such as HyperTerminal or PuTTY.
3 Launch the terminal emulation software, and set the communications parameters as shown below:
• Baud rate: 19200
• Stop bits: 1
• Data bits: 8
• No flow control
• No parity
4 Power up the fail-open switch.
The CLI banner and login prompt appear.
5 At the login prompt, type the username and password, and press Enter.
Table 4-8 Username and password for both sets of fail-open switches
For fail-open switches 1 thru 13
Username | McAfee
Password | McAfee
The fail-open switch CLI prompt appears.
6 Use these commands for fail-open switches 1 thru 13.
Table 4-9 CLI commands for fail-open switch models 1 thru 13
Command | Description
set username <username> | Change the username of the fail-open switch.
set password <password> | Change the password of the fail-open switch.
set time <date & time> | Set the time and date of the fail-open switch in mm/dd/yyyy-hh:mm:ss.
set ip <ip address>, | Configures the IPv4 address of the fail-open switch.
set mask <mask> | Configures the gateway IPv4 address to be used by the fail-open switch.
set manager <ip address> | Configures the SNMP server IPv4 address.
show display | View the state of the web interface.
display | Enable or disable the Web Manager and management port of the fail-open switch. The Web Manager enables you to view and manage all settings for a fail-open switch through a web console using administrator credentials. The management port enables you to establish communication between the fail-open switch and the SNMP manager. You can enable or disable this view and the management port depending on your preferences. The default state is set to ON.
show set | Displays the current settings for the fail-open switch.
3. (Optional) Configure notification by SNMP traps
Before you begin
• To configure SNMP traps, you will require a server that will act as an SNMP server. The SNMP server can be any Windows or Linux system installed with an MIB browser such as iReasoning. To view requirements and download a copy of the iReasoning MIB browser, follow the link: http://ireasoning.com/mibbrowser.shtml
• Make sure your fail-open switch IP address can be reached within the network.
• Make sure your SNMP server and fail-open switch are able to communicate.
• In addition, you will need to obtain MIB files to decode alert codes sent by the fail-open switch. These files are specific to the fail-open switch and can be obtained by contacting Technical Support.
• You will require the RJ-45 cable.
Task
1 Connect an RJ-45 cable to the Management Port at the back of the fail-open switch.
2 Connect the other end to a network device so that the SNMP server is reachable through the network.
3 Copy the fail-open switch MIB files to a suitable location on the SNMP server.
When any of the following events occur, an SNMP trap is generated:
• Utilization exceeds the threshold on any port (Only for models 1 thru 13)
• Bypass state changes
• Any port link status changes
• Either power supply state changes
4 Set up the fail-open switch IP address, network mask, and SNMP manager IP address using the commands provided in the section, Configure the fail-open switch parameters.
5 Make sure the SNMP manager and fail-open switch are able to communicate.
Configuration of SNMP traps is complete when you can see a trap appear in the MIB browser.
4. Connect the switch to an inline Sensor
After you have secured the fail-open switch in its rack, use copper or fiber connecting cables to connect the switch with the Sensor. The underlying principle in connecting these cables is to connect the Sensor and the switch such that traffic gets routed through the fail-open switch in case of a Sensor outage.
Regardless of the Sensor and fail-open kit models, the connections remain the same. The only difference between the connections for the active and the passive fail-open kits is that you must connect the switch to the Sensor control ports in a passive fail-open deployment.
If you are using an active fail-open kit, you will require four cables in all.
Figure 4-4 Active fail-open switch connections
Figure 4-5 Passive fail-open switch connections
If you are using a passive fail-open kit, you will require five cables. One of these cables is the RJ-45 to RJ-11 cable which is used to connect the Console port in the fail-open switch with the Monitor port in the Sensor.
You require the RS-232 cable and RJ-45 cable if you plan to configure the SNMP manager.
Task
1 If you are connecting a passive fail-open switch, connect the RJ-11 connector of the Control cable to the Control port of the fail-open switch and the RJ-45 connector of the Control cable to a Control port on the Sensor (X2 in the illustration). If you are connecting an active fail-open switch, proceed to step 3.
This cable is used to transport control signals from the Sensor to the fail-open switch. When the fail-open switch does not receive four consecutive control signals (about 4 seconds), it changes to bypass mode.
Each Sensor Control port is used in conjunction with a corresponding port pair. To know which port pair corresponds to which Control port, refer to the section, Ports on the Sensor in the Sensor Product Guide for that model.
2 Connect the GBIC port or RJ-45 port on your network device to Network Port A of the fail-open switch.
3 Insert an SFP or XFP (depending on your Sensor model) into each of the slots of one of the unused port pairs on your Sensor. We will use port pair 2A-2B for this illustration.
You will need to make sure you use corresponding ports in a single port pair. For example, you can only use 2A and 2B and not 1A and 2A or 2A and 1B. This is because the ports are internally wired to function as a pair.
4 Connect Monitor port A on the fail-open switch to port 2A on the Sensor.
5 Connect Monitor port B on the fail-open switch to port 2B on the Sensor.
6 Connect the network device that carries traffic into the network to Network port B on the fail-open switch.
This completes the connections between the Sensor and fail-open switch. The link lights may not come on as yet if the Sensor is not yet deployed inline.
5. Deploy a Sensor in inline fail-open mode
Before you begin
A Sensor which:
• Is set up and has established trust with a Manager
• Has a free port pair that can be deployed in inline fail-open configuration
• SFPs or XFPs, depending on the Sensor model and fail-open switch model
The steps below assume you are using an M-Series Sensor when selecting ports.
Figure 4-6 Configuration of a port pair for inline fail-open active operation
To configure a fail-open switch you must configure the port pair to operate as an inline fail-open port.
Task
1 After cabling the Sensor and the fail-open switch, log on to your Manager.
2 Go to Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
3 Double-click port 1A.
A configuration window appears on the right side of the window.
4 Click the State drop-down and select Enabled.
This enables port 1A-1B.
5 Select the Auto Negotiate checkbox and make sure the Speed (Duplex) is set to 1 Gbps (Full).
6 Click the Mode drop-down and select In-line Fail-Open.
This means port pair 1A-1B is now configured for inline fail-open.
7 Click the Placement drop-down and select Inside Network or Outside Network, depending on how you want to configure your ports.
Placement refers to the area of the network to which that individual port is connected.
8 Click the Response Port drop-down and select the port that you want to assign.
For an inline fail-open or fail-closed setup, you can configure the same port to be the response port.
9 Click Save.
If traffic is passing through the ports, you will notice the port link status changes to Up and goes green.
6. Use the Web Manager to configure the fail-open switch
Besides using CLI commands, you can view and configure fail-open switch settings for an active fail-open switch through a web console called the Web Manager. You can restrict or permit access to the Web Manager depending on your preferences.
The web interface for fail-open switch models 1 thru 13 allows you to manage the following functions:
• Configuration of general fail-open switch parameters such as IPv4 address, subnet mask, and gateway IPv4 address.
• Enable tap mode for the fail-open switch
• Return from tap mode to inline mode
• Configuration of notifications through SNMP traps
Follow these steps to access the Web Manager.
Task
1 Open a browser such as Internet Explorer or Chrome.
2 In the address bar, enter the fail-open switch IP address.
You will be prompted for the username and password.
3 Enter the username and password. The default username and password are McAfee.
4 Submit credentials.
The Web Manager appears where you can modify the fail-open switch parameters.
Figure 4-7 Web Manager page - Upper half
Configure fail-open kits 14 thru 22
Before you begin
For each fail-open configuration, you will need to make sure you have all these components.
• Determine the IP address for the fail-open switch or, if you are deploying multiple switches, a range of IP addresses
• Determine a network mask and the default gateway for the fail-open switch
• 4 cables to connect the fail-open switch and the Sensor
• (Optional) An RJ-11 RS232 cable to access the fail-open switch CLI
• 2 SFPs, XFPs, or SFP+s for the Sensor
• Cables for a copper fail-open switch
  • 2 CAT5e cables (1 cross-over, 1 straight-through) for network ports
  • 2 CAT5e cables (straight-through) for monitor ports
• Cables for a fiber fail-open switch
  • 2 LC fiber cables for network ports
  • 2 LC fiber cables for monitor ports
• 1 control cable if you are connecting a passive fail-open switch
Broadly, these are the steps you will need to follow to set up a fail-open kit.
Task
1 Install the fail-open switch.
2 (Optional) Configure bypass switch parameters.
3 (Optional) Configure notification by SNMP traps.
4 Cable bypass switch to a Sensor using the appropriate cables.
5 Configure Sensor ports as inline fail-open.
6 Use the web interface to configure the active fail-open switch.
Tasks
• 1. Install the fail-open switch module in the chassis on page 51
• 2. Remove an active fail-open switch from the chassis on page 52
• 3. Configure fail-open switch parameters on page 53
• 4. (Optional) Configure notification by SNMP traps on page 55
• 5. Connect the switch to an inline Sensor on page 56
• 6. Deploy a Sensor in inline fail-open mode on page 59
• 7. Use the web interface to configure the fail-open switch on page 60
1. Install the fail-open switch module in the chassis
Before you begin
• Identify the rack in which you plan to install the fail-open chassis.
• If you are using a physical Sensor, make sure that you are able to physically connect the chassis with the monitoring ports.
These steps explain the procedure to install fail-open switch models 18 thru 22 in the active fail-open chassis (model 23). You can install up to four fail-open switches in a single chassis. If you are installing fail-open switch models 1 thru 17, refer to the section, 1. Install the fail-open switch on page 42.
Task
1 Install the ears of the chassis.
2 Slide the switch into one of the openings in the chassis, until the face plate of the switch rests against the chassis.
3 Secure the switch to the chassis by inserting the screws provided through the holes on the fail-open switch face plate and into the panel.
4 Place the 1U chassis against the front of a standard 19-inch rack.
5 Secure the chassis by inserting screws through the holes on the ears of the chassis.
6 (Optional) Install up to three additional switches by following these steps:
a Remove the screws holding each of the removable blank plates from the front of the chassis.
b Follow steps 1 and 2 of this procedure for installing a switch in the chassis for additional fail-open switches.
The fail-open switch is ready to be connected to a Sensor.
2. Remove an active fail-open switch from the chassis
Before you begin
You must make sure the fail-open switch is fully powered off before you attempt to remove it from the chassis.
Follow the steps in this section to power off and remove the fail-open switch.
Task
1 Power off the fail-open switch using the web interface or CLI command prompt.
• If you are using the web interface, click the Rescue tab and check the Power Off checkbox in the System Restore section. To access the web interface, refer to Access the fail-open switch web interface.
• If you are using the CLI command prompt, type power_off and press Enter. To access the CLI command prompt, refer to Configure fail-open switch parameters.
2 When the fail-open switch is powered off, remove the captive screws and slide it out of the chassis.
3. Configure fail-open switch parameters
Before you begin
To proceed with this setup you will require:
• One RJ-11 RS-232 cable
• One RJ-45 cable.
The steps below explain the configuration of parameters for your fail-open switch.
Task
1 Connect the applicable cable to the fail-open switch.
2 Connect the other end to a computer which runs terminal emulation software such as HyperTerminal or PuTTY.
3 Launch the terminal emulation software, and set the communications parameters as shown below:
• Baud rate: 9600
• Stop bits: 1
• Data bits: 8
• No flow control
• No parity
4 Power up the fail-open switch.
The CLI banner and login prompt appear.
5 At the login prompt, type the username and password, and press Enter.
Table 4-10 Username and password for both sets of fail-open switches
For fail-open switches 14 thru 22
Username | McAfee00
Password | McAfee00
The fail-open switch CLI prompt appears.
6 Use these commands for fail-open switch models 14 thru 22.
Table 4-11 CLI commands for fail-open switch models 1 thru 13
Command | Description
set_ip xxx.xxx.xxx.xxx | Configures the fail-open switch IPv4 address. Reboot the fail-open switch for the new IPv4 address to take effect.
get_ip | Displays the fail-open switch IPv4 address.
set_netmask xxx.xxx.xxx.xxx | Configures the fail-open switch subnet mask. Reboot the fail-open switch for the new subnet mask to take effect.
get_netmask | Displays the fail-open switch subnet mask.
set_gateway xxx.xxx.xxx.xxx | Configures the default gateway IPv4 address. Reboot the fail-open switch for the new gateway IPv4 address to take effect.
get_gateway | Displays the default gateway address.
set_link <port> <on/off> | Sets the port of a 1G Copper fail-open switch to auto-negotiate. For the <port> use mon0, mon1, net0, or net1.
get_link <port> | Displays port status. For the <port> use mon0, mon1, net0, or net1.
set_link <port> off fd 100m | Sets the port to 100 Mbps full-duplex. For the <port> use the syntaxes specified above.
set_link <port> <enable/disable>_autoneg | Sets the port of a 1G Fiber fail-open switch to auto-negotiate. For the <port> use mon0, mon1, net0, or net1. 10G Fiber fail-open switches do not have such a command since auto-negotiate is enabled by default.
set_ssh_state <on/off> | Enables or disables SSH on the fail-open switch.
get_ssh_state | Displays the SSH status, which is enabled by default.
set_web_https_state <on/off> | Enables or disables web access to the fail-open switch interface.
get_web_https_state | Displays the status of web access to the fail-open switch interface.
set_snmp_srv_ip | Configures the SNMP server IPv4 address. The SNMP server IPv4 address can also be set in the web interface.
get_snmp_srv_ip | Displays the SNMP server IPv4 address.
set_trap <parameter> <on/off> | Enables or disables the following SNMP traps:
  • appl fail – Application state change.
  • net link – Network port state change trap.
  • bypass – Bypass state change trap.
  • error – Error notification trap.
  • mon link – Monitoring port state change trap.
  • update – Update complete trap.
get_params | Displays fail-open switch parameters.
4. (Optional) Configure notification by SNMP traps
Before you begin
• To configure SNMP traps, you will require a server that will act as an SNMP server. The SNMP server can be any Windows or Linux system installed with an MIB browser such as iReasoning. To view requirements and download a copy of the iReasoning MIB browser, follow the link: http://ireasoning.com/mibbrowser.shtml
• Make sure your fail-open switch IP address can be reached within the network.
• Make sure your SNMP server and fail-open switch are able to communicate.
• In addition, you will need to obtain MIB files to decode alert codes sent by the fail-open switch. These files are specific to the fail-open switch and can be obtained by contacting Technical Support.
• You will require the RJ-45 cable.
Task
1 Connect an RJ-45 cable to the Management Port at the back of the fail-open switch.
2 Connect the other end to a network device so that the SNMP server is reachable through the network.
3 Copy the fail-open switch MIB files to a suitable location on the SNMP server.
When any of the following events occur, an SNMP trap is generated:
• Utilization exceeds the threshold on any port (Only for models 1 thru 13)
• Bypass state changes
• Any port link status changes
• Either power supply state changes
4 Set up the fail-open switch IP address, network mask, and SNMP manager IP address using the commands provided in the section, Configure the fail-open switch parameters.
5 Make sure the SNMP manager and fail-open switch are able to communicate.
Configuration of SNMP traps is complete when you can see a trap appear in the MIB browser.
5. Connect the switch to an inline Sensor
After you have secured the fail-open switch in its rack, use copper or fiber connecting cables to connect the switch with the Sensor. The underlying principle in connecting these cables is to connect the Sensor and the switch such that traffic gets routed through the fail-open switch in case of a Sensor outage.
Regardless of the Sensor and fail-open kit models, the connections remain the same. The only difference between the connections for the active and the passive fail-open kits is that you must connect the switch to the Sensor control ports in a passive fail-open deployment.
If you are using an active fail-open kit, you will require four cables in all.
Figure 4-8 Active fail-open switch connections
Figure 4-9 Passive fail-open switch connections
If you are using a passive fail-open kit, you will require five cables. One of these cables is the RJ-45 to RJ-11 cable which is used to connect the Console port in the fail-open switch with the Monitor port in the Sensor.
You require the RS-232 cable and RJ-45 cable if you plan to configure the SNMP manager.
Task
1 If you are connecting a passive fail-open switch, connect the RJ-11 connector of the Control cable to the Control port of the fail-open switch and the RJ-45 connector of the Control cable to a Control port on the Sensor (X2 in the illustration). If you are connecting an active fail-open switch, proceed to step 3.
This cable is used to transport control signals from the Sensor to the fail-open switch. When the fail-open switch does not receive four consecutive control signals (about 4 seconds), it changes to bypass mode.
Each Sensor Control port is used in conjunction with a corresponding port pair. To know which port pair corresponds to which Control port, refer to the section, Ports on the Sensor in the Sensor Product Guide for that model.
2 Connect the GBIC port or RJ-45 port on your network device to Network Port A of the fail-open switch.
3 Insert an SFP or XFP (depending on your Sensor model) into each of the slots of one of the unused port pairs on your Sensor. We will use port pair 2A-2B for this illustration.
You will need to make sure you use corresponding ports in a single port pair. For example, you can only use 2A and 2B and not 1A and 2A or 2A and 1B. This is because the ports are internally wired to function as a pair.
4 Connect Monitor port A on the fail-open switch to port 2A on the Sensor.
5 Connect Monitor port B on the fail-open switch to port 2B on the Sensor.
6 Connect the network device that carries traffic into the network to Network port B on the fail-open switch.
This completes the connections between the Sensor and fail-open switch. The link lights may not come on as yet if the Sensor is not yet deployed inline.
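The control-signal watchdog described in step 1 above (and in the same step of Connect the switch to an inline Sensor for kits 1 thru 13), modelled as an added Python example that is not McAfee code: it replays Sensor control signals against the switch's four-missed-signals rule and reports each bypass transition, which is also the interval during which traffic passes the switch without Sensor inspection. The one-second signal period and the sample signal times are constructed assumptions derived from the text (four signals, about 4 seconds).

```python
"""Watchdog model of a passive fail-open switch (added example, not McAfee code).

The Sensor sends a control signal over the Control cable; when the switch
misses four consecutive signals (about 4 seconds) it changes to bypass, and a
later signal brings it back inline.  Entering or leaving bypass is the event
the switch reports as a "bypass state change" SNMP trap.
"""

# Assumed: one control signal per period.  The page gives "four signals,
# about 4 seconds", so a 1.0 s period is the constructed value used here.
SIGNAL_PERIOD_S = 1.0
MISSED_SIGNALS_TO_BYPASS = 4


def watchdog_events(signal_times, end_time, period=SIGNAL_PERIOD_S,
                    threshold=MISSED_SIGNALS_TO_BYPASS):
    """Replay control signals and return [(time, "bypass" | "inline"), ...].

    Time is divided into slots of `period` seconds.  A slot with no signal
    counts as one missed signal; a slot with a signal resets the count.  The
    switch enters bypass at the end of the slot that completes `threshold`
    consecutive misses and returns inline at the end of the first slot in
    which a signal arrives again.
    """
    signals = sorted(signal_times)
    events = []
    missed = 0
    in_bypass = False
    idx = 0
    for slot in range(int(end_time / period)):
        slot_end = (slot + 1) * period
        seen = False
        # consume every signal that falls inside this slot
        while idx < len(signals) and signals[idx] < slot_end:
            seen = True
            idx += 1
        if seen:
            missed = 0
            if in_bypass:
                in_bypass = False
                events.append((slot_end, "inline"))
        else:
            missed += 1
            if not in_bypass and missed >= threshold:
                in_bypass = True
                events.append((slot_end, "bypass"))
    return events


def uninspected_seconds(events, end_time):
    """Total time spent in bypass, i.e. traffic forwarded without Sensor
    inspection.  A bypass still open at `end_time` counts up to the end."""
    total = 0.0
    bypass_start = None
    for t, state in events:
        if state == "bypass":
            bypass_start = t
        elif state == "inline" and bypass_start is not None:
            total += t - bypass_start
            bypass_start = None
    if bypass_start is not None:
        total += end_time - bypass_start
    return total


def format_state_log(events):
    """Render the transitions as constructed log lines (not the switch's own
    trap format) of the kind a SOC would keep after decoding bypass traps."""
    return ["t=%06.1fs fail-open switch state -> %s" % (t, s) for t, s in events]


if __name__ == "__main__":
    # Constructed scenario: Sensor healthy for 3 s, then silent until t=12.5 s.
    signals = [0.5, 1.5, 2.5, 12.5, 13.5, 14.5]
    ev = watchdog_events(signals, end_time=15.0)
    for line in format_state_log(ev):
        print(line)
    print("uninspected seconds:", uninspected_seconds(ev, 15.0))
```

A gap shorter than four signal periods never trips the switch, so brief Sensor stalls do not show up as bypass events; only a sustained outage does.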
6. Deploy a Sensor in inline fail-open mode
Before you begin
A Sensor which:
• Is set up and has established trust with a Manager
• Has a free port pair that can be deployed in inline fail-open configuration
• SFPs or XFPs, depending on the Sensor model and fail-open switch model
The steps below assume you are using an M-Series Sensor when selecting ports.
Figure 4-10 Configuration of a port pair for inline fail-open active operation
To configure a fail-open switch you must configure the port pair to operate as an inline fail-open port.
Task
1 After cabling the Sensor and the fail-open switch, log on to your Manager.
2 Go to Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.
3 Double-click port 1A.
A configuration window appears on the right side of the window.
4 Click the State drop-down and select Enabled.
This enables port 1A-1B.
5 Select the Auto Negotiate checkbox and make sure the Speed (Duplex) is set to 1 Gbps (Full).
6 Click the Mode drop-down and select In-line Fail-Open.
This means port pair 1A-1B is now configured for inline fail-open.
7 Click the Placement drop-down and select Inside Network or Outside Network, depending on how you want to configure your ports.
Placement refers to the area of the network to which that individual port is connected.
8 Click the Response Port drop-down and select the port that you want to assign.
For an inline fail-open or fail-closed setup, you can configure the same port to be the response port.
9 Click Save.
If traffic is passing through the ports, you will notice the port link status changes to Up and goes green.
7. Use the web interface to configure the fail-open switch
Besides using CLI commands, you can view and configure fail-open switch settings for an active fail-open switch through a web console.
The web interface for fail-open switch models 14 thru 22 allows you to manage the following functions:
• Configuration of general fail-open switch parameters such as IPv4 address, subnet mask, and gateway IPv4 address.
• Enable tap mode for the fail-open switch
• Return from tap mode to inline mode
• Configuration of notifications through SNMP traps
The next section explains the steps for each of these management options.
Tasks
• Access the fail-open switch web interface on page 60
• Enable tap mode for the fail-open switch on page 61
Access the fail-open switch web interface
If you have configured an IPv4 address for your active fail-open switch, you have the option to manage it through a web interface.
Task
1 To access the fail-open switch web interface, enter the IPv4 address of the fail-open switch which you have configured.
The fail-open switch web interface appears on the log on screen.
2 To log on, enter the default username and password, McAfee00 and McAfee00.
You are routed to the fail-open web interface landing page which shows you information about the present settings configured in the fail-open switch. Configuration of necessary settings is explained in the relevant sections.
Callout | Description
1 | Active state of the fail-open switch. In the picture, it is inline which means the Sensor is operating normally. This changes to bypass when the Sensor monitoring ports go down.
2 | Power status of the fail-open switch sources 1 and 2.
3 | General information section of the fail-open switch.
4 | Information about the ports of the fail-open switch.
Enable tap mode for the fail-open switch
Before you begin
•
Configure an IPv4 address for your fail-open switch.
•
Make sure you can access the fail-open switch web-interface using a web browser.
You are able to enable tap mode for your active fail-open switch if you use a tap to route network
traffic to the Sensor Monitoring ports.
Task
1
Log on to the web interface of the active fail-open switch.
Use default credentials to access the web interface.
2
Click the Bypass tab to access the Bypass configuration page.
3
Click the HB active mode drop down menu and select Off.
4 In the Active bypass section, select tap.
5 Click Apply to save your configuration.
You have set your active fail-open switch to tap mode of operation.
Deployment scenario
Now that we have looked at the steps to set up and deploy a fail-open switch, we’ll go through a scenario to see how the setup works. We will cover the configuration steps at a high level without listing each step. For more detailed steps on any section, refer to the sections above.
The deployment uses the following software and hardware equipment:
• 10G 50 µm optical active fail-open switch with SNMP (this switch requires two power adapters and two XFPs that support an LC fiber cable).
• M-3050 Sensor, with two 10G XFPs, that has one of its port pairs deployed inline fail-open.
• Windows Server 2008 or 2013 computer installed with iReasoning MIB browser.
• Cables for connecting the various devices.
• Terminal emulation software such as HyperTerminal or PuTTY. We will be using PuTTY for this deployment.
• Make note of these parameters, which you will need while setting up the fail-open switch parameters:
  • Baud rate: 19200 bits per second
  • Stop bits: 1
  • Data bits: 8
  • No flow control
  • No parity
  • Username and password: McAfee
• Fail-open switch MIBs to decode SNMP traps from a 10G active fail-open switch. If you do not have the MIBs with you, contact Technical Support.
Set up the fail-open switch and Sensor
Begin by configuring the parameters for the fail-open switch and then connect it to an inline Sensor. After the fail-open switch is installed in a rack, this setup has no provision to connect an RS-232 cable from it to a Windows PC, so set up the fail-open switch parameters first.
Task
1 Connect one end of the RS-232 cable to the fail-open switch.
2 Connect the other end of the RS-232 cable to the Windows computer.
3 Connect the power cables to the ports at the back of the fail-open switch.
4 Open PuTTY and click Serial.
5 Enter Speed as 19,200, which is the baud rate for a fail-open switch.
6 Click Open.
The fail-open switch CLI appears.
7 Use administrator credentials to log on to the fail-open switch.
You are provided access to the fail-open switch command prompt.
8 To set up the fail-open switch IP address, type set ip 10.213.174.1 and press Enter.
When selecting an IP address, make sure you are able to reach the SNMP server that you intend to set up.
9 To set up the network mask, type set mask 255.255.255.0 and press Enter.
10 To set up the default gateway, type set gateway 10.213.174.252 and press Enter.
11 To set up the SNMP manager IP address, type set manager 10.213.174.252 and press Enter.
12 After you have set up the fail-open switch parameters, unplug the RS-232 cable and the power cables.
13 Install the fail-open switch in the rack in a way that you are able to connect it to the Sensor.
14 Gently insert the XFPs into the slots in the front of the fail-open switch.
15 Connect the LC fiber cables between the fail-open switch and the Sensor as represented in Fig. XX.
16 Connect an RJ-45 cable to the Management Port on the back of the fail-open switch.
17 Connect the power cables back to the fail-open switch.
18 Configure port pair 1A-1B as In-line Fail-Open – Active.
19 Click Save.
The link lights on the fail-open switch and Sensor ports must come on to indicate that the fail-open
switch has been set up.
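As an added example (not part of this addendum and not the switch vendor's tooling), the Python below turns steps 8 through 11 into a checked command plan that enforces the step 8 note (the gateway and SNMP manager must be reachable from the chosen address) and then sends the commands over a console object one prompt at a time. The pyserial call and COM port named in the comment, and the "> " prompt text, are assumptions; FakeConsole is a constructed stand-in for the serial port so the example runs offline.

```python
import ipaddress

# Console settings the fail-open switch expects (from the deployment notes above):
# 19200 baud, 8 data bits, no parity, 1 stop bit, no flow control.
# With pyserial these pass straight through, for example
# serial.Serial("COM3", timeout=2, **CONSOLE_SETTINGS)  ("COM3" is a placeholder).
CONSOLE_SETTINGS = {"baudrate": 19200, "bytesize": 8, "parity": "N",
                    "stopbits": 1, "xonxoff": False, "rtscts": False}


def plan_switch_config(ip, mask, gateway, manager):
    """Check the addressing and return the switch CLI commands in the order steps 8-11 use."""
    net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
    ip_a, gw_a, mgr_a = (ipaddress.IPv4Address(a) for a in (ip, gateway, manager))
    if ip_a in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    # The default gateway must be another host on the switch's own subnet,
    # otherwise an off-subnet SNMP manager can never be reached (step 8 note).
    if gw_a not in net or gw_a == ip_a:
        raise ValueError(f"gateway {gateway} must be a different host on {net}")
    if mgr_a == ip_a:
        raise ValueError("the SNMP manager cannot be the switch itself")
    return [f"set ip {ip}", f"set mask {mask}",
            f"set gateway {gateway}", f"set manager {manager}"]


class FakeConsole:
    """Constructed stand-in for the serial port: records what was written
    and answers every command with a prompt (prompt text is an assumption)."""
    def __init__(self):
        self.sent = []

    def write(self, data):
        self.sent.append(data.decode().strip())

    def readline(self):
        return b"> "


def apply_switch_config(console, commands, prompt=b"> "):
    """Send each command followed by Enter and wait for the prompt before
    sending the next one. Returns the number of commands accepted."""
    for cmd in commands:
        console.write((cmd + "\r\n").encode())
        reply = console.readline()
        if not reply.strip().endswith(prompt.strip()):
            raise RuntimeError(f"no prompt after {cmd!r}: {reply!r}")
    return len(commands)


if __name__ == "__main__":
    cmds = plan_switch_config("10.213.174.1", "255.255.255.0",
                              "10.213.174.252", "10.213.174.252")
    console = FakeConsole()
    print(apply_switch_config(console, cmds), "commands sent:", console.sent)
```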
Verify the setup
These steps show you how to test the setup for its bypass capability and SNMP traps.
Task
1 To test the fail-open configuration, reboot the Sensor.
As soon as the switch shifts from normal mode to bypass mode, the Bypass LED changes from OFF to ON.
2 On a Windows PC, open the iReasoning MIB browser.
3 Click File | Load MIBs.
A pop-up window appears.
4 Locate the MIB file for the 10G active fail-open kit and click Open.
The MIB is loaded.
5 Unplug one of the power cables from the fail-open switch.
6 In the Address field, enter the IP address of the fail-open switch, 10.100.169.20, and click Go.
You will notice an SNMP trap appear in the list.