Slide 1: Bypass Support Feature Overview
August 2012, Threat Prevention Team
[Restricted] ONLY for designated groups and individuals
Slide 2: Agenda
1. Feature Highlights
2. Feature Description
3. Installation Overview
4. Traffic loss scenarios in case of failure
5. Notes
Slide 3: Project Goals
Feature Highlights
Providing network bypass capabilities upon software or hardware failure
Target Release Date
September 30th 2012, R75.40 on GAIA
Related Product
- IPS
- DLP
- APPI, URLF
- AB & AV
Supported Bypass Cards
- 1GbE Copper, 4 Port
- 1GbE SFP, 4 Port (short and long range)
- 10GbE SFP+, 2 Port (short and long range)
4200, 4400, 4600, 4800, 12200, 12400, 12600
Slide 4: Feature Description
The internal bypass card ensures that network traffic continues to flow if the appliance fails or loses power.
This feature is only supported for Gaia in a non-cluster configuration.
Bypass Card Architecture
The appliance enters Bypass Mode if one of the following occurs:
- There is a power loss.
- The appliance is overloaded; it enters bypass mode for at least 1 minute.
- There is a system failure; it enters bypass mode for at least 5 minutes.
- The appliance stops responding for 60 seconds.
Slide 5: Bypass Card Installation Overview
1. Install the Bypass card in the appliance.
2. Install the R75.40 bypass hotfix on the appliance.
3. Use the Gaia WebUI to enable and configure it.
4. Configure the appliance in SmartDashboard.
5. Install the policy and reboot the appliance.
Specific installation instructions will be provided with an SK for this Hotfix.
Slide 6: Traffic loss scenarios in case of failure
When the Bypass card returns from the fail-open state, there could be a delay of 15-40 seconds before the link is re-established.
The delay is due to the Linux Bridge forwarding mechanism, which allows the STP protocol (running on the switches) enough time to listen and learn the network topology and to block switch ports in case a loop is identified.
This is expected behavior for Bypass card solutions.
A possible way to reduce the delay is to configure the switches not to use auto negotiation.
There are some workarounds for the delay (for example, disabling STP on the interface ports of your switch or enabling Port-fast in the spanning tree settings). However, this may cause severe impact to network behavior and should be carefully considered.
Slide 7: Limitations
Only for non-clustering environments.
The following features will not be supported:
- HTTPS Inspection.
- Anti Spam.
- Traditional Anti-Virus in proactive mode.
- FTP Inspection for DLP SW Blade.
- Header Spoofing Protection for IPS SW Blade.
If one of the following features is enabled, severe network issues could result.
Slide 8: Notes
In order to have access to the machine during bypass state, it is required to use the dedicated management interface on the appliance.