40 Gigabit Active Fail-Open Bypass Kit Guide
Revision B
McAfee Network Security Platform
This document describes the contents and how to install and use the McAfee® 40 Gigabit Active Fail-Open
Bypass Kit (the Kit) for McAfee Network Security Sensor (Sensor) NS-series models with standard 40
Gigabit QSFP+ monitoring ports.
The 40 Gigabit monitoring ports on the Sensor are fail-closed by default: if the Sensor is deployed in-line, a hardware failure takes the link down. Fail-open operation for these ports requires the optional external Bypass Switch provided in the Kit.
During normal in-line fail-open operation, the Bypass Switch sends a heartbeat signal (one every millisecond) into the Sensor's monitoring port pair. If the switch does not receive 10 heartbeats back within its programmed interval, it removes the Sensor's monitoring port pair from the data path and moves the segment into bypass mode, so that traffic keeps flowing (now uninspected) between the network ports.
When the Sensor is operating, the switch is "On" and routes all traffic through the Sensor.
By default the Bypass Switch works in the Active/in-line Switching Mode, in which traffic between the public and private networks is routed through the Sensor. Traffic from the Public Network enters Port N1 (network in), is actively switched to Port A1 (appliance in), passes through the in-line appliance to Port A2 (appliance out), and is then switched to Port N2 and out to the Private Network. The same path operates in reverse for traffic from the Private Network to the Public Network.
In split TAP mode, traffic entering N1 is passed to N2 and a copy is sent to A1; traffic entering N2 is passed to N1 and a copy is sent to A2. An appliance with a dual NIC can therefore monitor both directions of the public-to-private link without being in the data path.
When the Sensor fails, the switch automatically shifts to the bypass state: in-line traffic continues to flow across the network link but is no longer routed through the Sensor. In Bypass Switching Mode the traffic is routed through a closed loop from port N1 (network in) to port N2 (network out), bypassing the Sensor, so that it goes directly from the public network to the private network (and in reverse from private to public).
Once the Sensor resumes normal operation, the switch returns to the "On" state and in-line monitoring resumes.
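The switching modes and the heartbeat watchdog described above, as an added example (not McAfee code) that models the segment in Python. Port names, the three modes and the one-per-millisecond / ten-missed heartbeat rule follow the guide; the length of the switch's programmed interval is not stated, so the model assumes bypass is declared as soon as ten consecutive heartbeats are not received, and the Sensor is modeled simply as alive or dead. Tracing a frame shows which ports it visits in each state, so the uninspected bypass path and the few milliseconds of loss before bypass engages are both visible.

```python
"""Model of the bypass segment: the three switching modes and the heartbeat
watchdog that moves the segment into bypass.

Added example, not McAfee code. Port names N1/N2/A1/A2, the modes and the
heartbeat rule (one heartbeat per millisecond, bypass after 10 are not
received) follow the guide. The switch's "programmed interval" is not stated,
so this model ASSUMES it equals MISSED_LIMIT heartbeat periods.
"""
from dataclasses import dataclass, field
from enum import Enum

HEARTBEAT_PERIOD_MS = 1   # guide: one heartbeat every millisecond
MISSED_LIMIT = 10         # guide: 10 heartbeats not received -> bypass (interval length assumed)
APPLIANCE_PORTS = ("A1", "A2")


class Mode(Enum):
    INLINE = "inline"   # N1 -> A1 -> Sensor -> A2 -> N2, and the reverse
    TAP = "tap"         # N1 <-> N2 passes, copies go to A1 / A2
    BYPASS = "bypass"   # closed loop N1 <-> N2, Sensor out of the path


def next_hops(mode: Mode, ingress: str) -> list[str]:
    """Egress port(s) for a frame arriving on `ingress` in the given mode.
    In tap and bypass mode nothing the appliance sends is forwarded."""
    if mode is Mode.INLINE:
        return {"N1": ["A1"], "A2": ["N2"], "N2": ["A2"], "A1": ["N1"]}[ingress]
    if mode is Mode.TAP:
        return {"N1": ["N2", "A1"], "N2": ["N1", "A2"], "A1": [], "A2": []}[ingress]
    return {"N1": ["N2"], "N2": ["N1"], "A1": [], "A2": []}[ingress]


@dataclass
class BypassSwitch:
    configured_mode: Mode = Mode.INLINE
    sensor_alive: bool = True   # True while the Sensor passes heartbeats through
    missed: int = 0
    in_bypass: bool = False
    log: list[str] = field(default_factory=list)

    def effective_mode(self) -> Mode:
        return Mode.BYPASS if self.in_bypass else self.configured_mode

    def tick(self, t_ms: int) -> None:
        """One heartbeat period elapsed; the heartbeat sent at t_ms either
        came back through the Sensor or did not."""
        if self.sensor_alive:
            self.missed = 0
            if self.in_bypass:
                self.in_bypass = False
                self.log.append(f"{t_ms} ms: heartbeat returned, {self.configured_mode.value} restored")
            return
        self.missed += 1
        if self.missed >= MISSED_LIMIT and not self.in_bypass:
            self.in_bypass = True
            self.log.append(f"{t_ms} ms: {MISSED_LIMIT} heartbeats missed, segment in bypass")

    def trace(self, ingress: str) -> list[str]:
        """Every port a frame visits from ingress to egress. 'Sensor' appears
        only when the frame actually passes through the appliance."""
        mode = self.effective_mode()
        path = [ingress]
        for egress in next_hops(mode, ingress):
            path.append(egress)
            if mode is Mode.INLINE and egress in APPLIANCE_PORTS and self.sensor_alive:
                # Sensor inspects the frame and re-injects it on the peer appliance port
                peer = "A2" if egress == "A1" else "A1"
                path += ["Sensor", peer] + next_hops(mode, peer)
        return path


def simulate(fail_at_ms: int, recover_at_ms: int, end_ms: int) -> BypassSwitch:
    """Run the watchdog with the Sensor down between fail_at_ms and recover_at_ms."""
    sw = BypassSwitch()
    for t in range(end_ms):
        sw.sensor_alive = not (fail_at_ms <= t < recover_at_ms)
        sw.tick(t)
    return sw


if __name__ == "__main__":
    sw = simulate(fail_at_ms=5, recover_at_ms=30, end_ms=40)
    print("\n".join(sw.log))
    # -> bypass at 14 ms (5 + 10 missed beats), inline restored at 30 ms
```

With the sample timeline the Sensor goes dark at 5 ms and the segment drops into bypass at 14 ms; frames arriving in between reach A1 but never leave the dead Sensor, which is the short outage the heartbeat interval trades against spurious bypass. Nothing in this model, or in the switch, inspects traffic while in bypass, so the Manager's "Port pair is in bypass mode" alert is a monitoring gap for the detection team, not only a health event.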
The external active bypass enables plug-and-play connectivity, includes an automatic heartbeat, and does not require additional drivers to be installed on any connected appliance. The Bypass Switch has one I/O channel, supports one appliance, and provides the following features:
• Secure Web Management Interface (HTTPS)
• CLI by serial console
• SSH
• SNMPv3 support
Hardware description
Front panel
• Ethernet management port (1)
• RJ Connector (1)
• Link and Activity LEDs for power
• 40G network ports (2)
• Activity LEDs for network ports
• Inline LED
• 40G appliance ports, with hot-swappable QSFP+ modules (2)
• Link and Activity LEDs for appliance ports
The table below relates LED color to the speed at which the data ports detected the QSFP+ modules or established a link.
Speed   Color   Activity   Link    Port Type
40G     Red     N/A        Solid   Appliance
Rear panel
• Power supply 1
• Power supply 2
• Fan units (4)
The Bypass Switch has two redundant power supply inputs to minimize the chance of power loss or failure.
In addition, the Bypass Switch continuously monitors the power supply voltage to detect any decline or outage. If a power failure is detected, Power Fail Protection Operation is triggered, which switches the segment to Bypass Mode. In this unpowered state the N1 and N2 ports are physically connected, creating a passive bypass path so that traffic between port N1 and port N2 is not interrupted.
Connect the Fail-Open Bypass Switch to a Sensor
Connecting the Fail-Open Bypass Switch involves the following steps.
a. Ear-mount the Fail-Open Bypass Switch.
b. Insert the QSFP+ transceiver modules into the 40G Appliance ports (A1 and A2).
c. Plug an RJ45 Ethernet cable into the management port on the front panel of the Switch.
d. Plug the other end of the cable into the network device connected to the management server.
e. Plug a serial cable into the console port on the front panel of the Switch.
f. Connect the other end of the console cable directly to a COM port of the PC or terminal server you will use to configure the Switch.
g. Plug an inside network cable into the Network port labeled N1 on the Bypass Switch.
h. Plug the other end of this cable into the corresponding network device.
i. Plug an outside network cable into the Network port labeled N2 on the Bypass Switch.
j. Plug the other end of this cable into the corresponding network device.
k. Plug an LC fiber cable (inside) into the monitoring port of the Sensor.
l. Plug the other end of the cable into the appliance port labeled A1 on the Bypass Switch.
m. Plug an LC fiber cable (outside) into the corresponding peer port (for example, if you used port 1 in step k, plug this cable into port 2).
n. Plug the other end of the cable into the appliance port labeled A2 on the Bypass Switch.
With this cabling, Sensor monitoring port 1 sees traffic as originating inside the network and port 2 sees traffic as originating outside the network. This assignment (1 = inside, 2 = outside) must match the port configuration specified for this Sensor in the Manager, and the ports must be enabled. For more information on configuring ports through the Manager, see the McAfee Network Security Platform Device Administration Guide.
Set the Fail-Open Bypass Switch parameters
You can reach the command line interface through the console port (with a serial terminal emulator) or over SSH on the management port, and the web-based management interface over an HTTPS connection to the management port.
a. Ensure the power to the Bypass Switch is Off.
b. Using a DB-9 RS232 programming cable, connect a PC running HyperTerminal (or another terminal emulator) to the Bypass Switch.
c. Launch HyperTerminal and set the following communication parameters:
   • Bits per second: 115200
   • Data bits: 8
   • Parity: None
   • Stop bits: 1
   • Flow control: None
d. Click OK. When the Bypass Switch is powered on, the CLI banner and login prompt are displayed.
   The default Username and Password are both McAfee. The password is configurable; change it at first logon, since the default is published in this guide and the same credentials protect the web management interface.
e. Configure the following:
   a. Set the addressing mode to static with the command set dhcp static.
   b. Set the Switch IP address with the command set ip.
   c. Set the gateway and netmask with the commands set gw and set mask respectively.
f. To view the Switch configuration, use the get command.
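The serial steps above, driven as an expect-style script. This is an added example and not McAfee's tool: the serial parameters, the default credentials and the five commands come from the guide, while the login prompts, the CLI prompt string, the form of the get output and the FakeConsole device that emulates them are assumptions made so that the script runs offline. The script also validates the addresses before it types anything and reports if the documented default password is still in use.

```python
"""Expect-style provisioning of the Bypass Switch over its serial console.

Added example, not McAfee code. SERIAL_PARAMS (115200 8N1, no flow control),
DEFAULT_CREDENTIALS and the commands set dhcp static / set ip / set gw /
set mask / get come from the guide. The "Username:" / "Password:" prompts,
PROMPT and the key: value layout of the get output are ASSUMPTIONS, embodied
in the constructed FakeConsole so the script runs offline. Only write() and
read_until() are used, so a pyserial Serial object can stand in for it.
"""
import ipaddress
import re

SERIAL_PARAMS = dict(baudrate=115200, bytesize=8, parity="N", stopbits=1,
                     rtscts=False, xonxoff=False)   # from the guide
DEFAULT_CREDENTIALS = ("McAfee", "McAfee")          # documented, hence public
PROMPT = b"bypass> "                                 # assumed CLI prompt


class FakeConsole:
    """Constructed stand-in for the switch console (assumed prompts/output)."""

    def __init__(self) -> None:
        self.cfg = {"dhcp": "dynamic", "ip": "0.0.0.0", "gw": "0.0.0.0", "mask": "0.0.0.0"}
        self._stage = "username"
        self._out = b"Username: "

    def write(self, data: bytes) -> int:
        line = data.decode().strip()
        if self._stage == "username":
            self._stage, self._out = "password", self._out + b"\r\nPassword: "
        elif self._stage == "password":
            self._stage, self._out = "cli", self._out + b"\r\n" + PROMPT
        else:
            self._out += self._run(line) + PROMPT
        return len(data)

    def _run(self, line: str) -> bytes:
        parts = line.split()
        if parts == ["get"]:
            return "".join(f"{k}: {v}\r\n" for k, v in self.cfg.items()).encode()
        if len(parts) == 3 and parts[0] == "set" and parts[1] in self.cfg:
            self.cfg[parts[1]] = parts[2]
            return b"OK\r\n"
        return b"ERROR: unknown command\r\n"

    def read_until(self, expected: bytes) -> bytes:
        idx = self._out.find(expected)
        if idx < 0:
            raise TimeoutError(f"console did not produce {expected!r}")
        idx += len(expected)
        chunk, self._out = self._out[:idx], self._out[idx:]
        return chunk


def command(console, cmd: str) -> str:
    """Send one CLI line and return what the switch printed before the next prompt."""
    console.write(cmd.encode() + b"\r\n")
    reply = console.read_until(PROMPT)[: -len(PROMPT)].decode()
    if reply.startswith("ERROR"):
        raise RuntimeError(f"{cmd!r}: {reply.strip()}")
    return reply


def parse_get(text: str) -> dict:
    """Turn the assumed 'key: value' lines of get into a dict."""
    return dict(re.findall(r"^(\w+):\s*(\S+)", text, flags=re.MULTILINE))


def provision(console, ip: str, mask: str, gw: str, credentials=DEFAULT_CREDENTIALS) -> dict:
    """Log in, apply the static addressing from the guide, read it back with get."""
    findings = []
    if credentials == DEFAULT_CREDENTIALS:
        findings.append("logged in with the documented default password; change it before exposing the management port")
    # Validate before typing anything into a device that will sit in the data path.
    iface = ipaddress.IPv4Interface(f"{ip}/{mask}")
    if ipaddress.IPv4Address(gw) not in iface.network or gw == ip:
        raise ValueError(f"gateway {gw} is not a usable address in {iface.network}")

    console.read_until(b"Username: ")
    console.write(credentials[0].encode() + b"\r\n")
    console.read_until(b"Password: ")
    console.write(credentials[1].encode() + b"\r\n")
    console.read_until(PROMPT)
    for cmd in ("set dhcp static", f"set ip {ip}", f"set gw {gw}", f"set mask {mask}"):
        command(console, cmd)

    cfg = parse_get(command(console, "get"))
    expected = {"dhcp": "static", "ip": ip, "gw": gw, "mask": mask}
    findings += [f"{k} reads {cfg.get(k)!r}, expected {v!r}"
                 for k, v in expected.items() if cfg.get(k) != v]
    return {"config": cfg, "findings": findings}


if __name__ == "__main__":
    print(provision(FakeConsole(), "10.10.1.20", "255.255.255.0", "10.10.1.1"))
```

On real hardware, replace FakeConsole() with serial.Serial(port, timeout=5, **SERIAL_PARAMS) from pyserial, whose write() and read_until() have the signatures used here, and set PROMPT to whatever the switch actually prints after logon. The read-back through get is the check worth keeping: it confirms the static address took effect before the switch is cabled into the data path.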
Configure the Sensor monitoring ports in the Active Fail-Open mode
You configure the Sensor monitoring ports from the Manager interface. The port configuration must
match the cabling of the switch, the ports must be set to "In-line Fail-open Active (Port Pair)" and
must be enabled.
a. In the Manager interface, select Device List | Sensor_Name | Physical Device | Port Settings.
b. Click a numbered port (for example G1/1) among the monitoring ports.
   The Configure Monitoring Port window displays the current port settings.
c. In Port Configuration, select the Use Only McAfee Certified QSFP+ check box.
d. Set the Administrative Status to Enable (On).
e. Set the Operating Mode to In-line Fail-open Active (Port Pair).
f. At the prompt "Are the Active Fail-open Kit connected?", select Yes to confirm that you have already connected the Bypass Switch.
g. Select the area of your network to which the current port is connected: Inside (internal) or Outside (external).
h. Click OK.
i. Open the Bypass Switch HyperTerminal session.
j. Repeat steps a through h for any other ports you need to configure.
   For more information on configuring monitoring ports, see the McAfee Network Security Platform Device Administration Guide.
k. Download the changes to your Sensor.
Verify proper installation
Once the Bypass Switch has been connected to the network and the Sensor, check the switch's
status LED to verify that the switch is receiving power from the power adaptors and check the port
status and operating mode status in the Sensor interface to ensure that the port is enabled and in
in-line fail-open active mode.
Status LED on the Bypass Switch
1. The Power LED indicates whether one or two power connections are detected by the unit. A solid green LED indicates that a supply is connected; a solid red LED indicates that nothing is connected.
2. The Inline LED, located underneath the activity LEDs of the network ports, indicates the state of the bypass segment. The LED is green in inline mode and off when the switch is in bypass mode.
3. The activity LEDs for the network ports are red when data is transferring and off when the network connection is lost.
Port and Operation mode status
The port status and operating mode status for in-line fail-open mode are as follows.
LED                  Port color on the Sensor   Operation mode status
Gigabit Ports Link   Green                      The link is connected.
                     Off                        The link is disconnected.
Gigabit Ports Act    Amber                      Data transferring.
                     Off                        No data transferring.
Access the Fail-open Bypass Switch Web Management Interface
You can access the web management interface over an HTTPS connection (https://<IP address>).
Log on to the web interface with the Username and Password, McAfee. The password is configurable; if you have not already changed it from the CLI, change it here before the management port is reachable from anything other than the management network.
The status page appears with the status of the Fail-Open Bypass Switch.
Select Segment A on the left side menu to view the configuration of the Fail-Open Bypass Switch.
Configure the Fail-Open Bypass Switch in tap mode
To configure the Bypass Switch in tap mode, perform the following steps.
a. Type set tap_mode at the CLI command prompt.
b. Type 1 to set tap mode On or 0 to set it Off.
OR
Log on to the web management interface, select Segment A on the left menu, set the Operation Mode to Tap, and click Save.
Tap mode is configured on the Bypass Switch itself (through its CLI or web interface); it cannot be set from the Manager.
To verify that the connection is in tap mode, navigate to Device List | Sensor_Name | Physical Device | Port Settings: TAP is displayed for the corresponding port pair, while the Operating Mode still shows In-line Fail-open Active (Port Pair).
Troubleshooting
Moving from bypass mode back to in-line mode
Moving from bypass mode back to in-line mode involves the following.
Manual Sensor reboot
Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image
or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual
intervention is necessary. When the switch receives power from the power adaptor and a heartbeat
signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic
in in-line mode.
Sensor Error
If the Sensor reboots due to an internal error, a hardware failure, removal of the Optical Bypass Switch during normal operation, or disruption of the Sensor or Optical Bypass Switch cables during Sensor operation, the monitoring ports connected to the Optical Bypass Switch are automatically enabled once the Sensor resumes monitoring traffic in in-line mode.
What happens in a Sensor failure?
When a Sensor fails with the bypass kit in place, the following events occur in the order shown.
1. The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the Operational Status window.
2. The Sensor reboots and the optical bypass switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the optical bypass switch with minimal traffic disruption.
3. Upon reboot completion, the optical bypass switch resumes its heartbeat, and one of the following occurs:
   a. If the reboot happened during normal activity as described above, the optical bypass switch resumes passing data through the Sensor once the Sensor returns to in-line mode.
   b. If the reboot occurred due to an error, the optical bypass switch continues to bypass the Sensor until the Sensor ports are re-enabled automatically. Once the ports are re-enabled, the optical bypass switch resumes passing data through the Sensor and the Sensor returns to in-line mode.
4. The errors on the Manager are cleared and normal health is reported.
Common Problems and Solutions
This section lists some common installation problems and their solutions.
Problem | Possible Cause | Solution
Network or link problems. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the optical bypass switch.
Sensor LED is off. | The Sensor is powered off. | Restore Sensor power.
 | The Sensor port cable is disconnected. | Check the Sensor cable connections.
 | Network device cables have been disconnected. | Check the cables and ensure they are properly connected to both the network devices and the optical bypass switch.
Sensor is operational, but is not monitoring traffic. | The Sensor ports have not been enabled in the Sensor. | Ports are disabled on a Sensor failure; if they have not come back automatically, re-enable them in the Manager for Sensor monitoring to resume.
The optical bypass switch power LEDs are off. | The power supply is not connected or is not functioning. | Check the connection of the power supply to the optical bypass switch.
Runts or giants errors on switches and routers. | Improper cabling or port configuration. | Ensure that the transmit and receive cables are properly connected to the optical bypass switch.
The system fault "Switch absent" appears on the operational status page of the Manager. | Improper cabling. | Ensure that the transmit and receive cables are properly connected to the optical bypass switch.
Copyright © 2016 McAfee, Inc. www.intelsecurity.com
Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/
registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
700-4152-B00