40 Gigabit Active Fail-Open Bypass Kit Guide

This document describes the contents and how to install and use the McAfee® 40 Gigabit Active Fail-Open Bypass Kit (the Kit) for McAfee Network Security Sensor (Sensor) NS-series models with standard 40 Gigabit QSFP+ monitoring ports.

The 40 Gigabit monitoring ports on the Sensor are, by default, fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for the monitoring ports requires the use of an optional external Bypass Switch provided in the Kit.

During normal Sensor in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat signal (one every millisecond) to the monitoring port pair. If the Active Fail-Open Kit does not receive 10 heartbeat signals within its programmed interval, the Active Fail-Open Kit removes the Sensor's monitoring port pair from the data path and moves the Sensor into bypass mode, providing continuous data flow.

When the Sensor is operating, the switch is "On" and routes all traffic directly through the Sensor.

The Bypass Switch, by default, is configured to work in the Active/in-line Switching Mode, where the traffic between the public and private networks is routed through the Sensor. Typically, traffic flows from the Public Network to Port N1 (network in), is then actively transferred by the Bypass Switch to Port A1 (appliance in), and is routed through the in-line appliance to Port A2 (appliance out). Active switching then routes the data through Port N2 and out to the Private Network. This mode can operate in reverse as well, with traffic routing from a Private to Public Network.

In split TAP mode the ingress traffic into N1 is mirrored to A1 while being passed to N2. At the same time ingress traffic to N2 is mirrored to A2 and passed to N1. The bidirectional traffic passing from the public network to the private network can be monitored by an appliance with a dual NIC.

When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. In the Bypass Switching Mode, the traffic is routed through a closed loop from port N1 (network in) to port N2 (network out) and bypasses the Sensor so that it goes directly from the public network to the private network. This mode can operate in reverse as well, with traffic routing from a private to public network.

Once the Sensor resumes normal operation, the switch returns to the "On" state, again enabling in-line monitoring.
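The heartbeat watchdog and the return to the "On" state described above, as an added simulation that is not part of this guide or of McAfee's firmware. The programmed interval (assumed here to be 10 ms), the use of fixed evaluation windows, and the immediate return to in-line mode once a full window again carries the required heartbeats are assumptions; the one-per-millisecond heartbeat and the threshold of 10 are the guide's own figures.

```python
"""Model of the Active Fail-Open heartbeat watchdog (added example, not vendor code)."""
from dataclasses import dataclass, field

HEARTBEAT_PERIOD_MS = 1       # guide: one heartbeat signal every millisecond
REQUIRED_HEARTBEATS = 10      # guide: fewer than 10 in the interval -> bypass
PROGRAMMED_INTERVAL_MS = 10   # assumption: length of the evaluation window


@dataclass
class BypassSwitch:
    """Tracks whether traffic is routed through the Sensor ("inline") or around it ("bypass")."""
    mode: str = "inline"
    transitions: list = field(default_factory=list)   # (time_ms, new_mode)

    def evaluate(self, window_end_ms, heartbeats_in_window):
        """Apply the guide's rule at the end of one programmed interval."""
        want = "inline" if heartbeats_in_window >= REQUIRED_HEARTBEATS else "bypass"
        if want != self.mode:
            self.mode = want
            self.transitions.append((window_end_ms, want))


def simulate(heartbeat_times_ms, duration_ms, interval_ms=PROGRAMMED_INTERVAL_MS):
    """Walk the timeline in fixed windows; return the list of mode transitions."""
    sw = BypassSwitch()
    beats = sorted(heartbeat_times_ms)
    for start in range(0, duration_ms, interval_ms):
        end = start + interval_ms
        count = sum(1 for t in beats if start <= t < end)
        sw.evaluate(end, count)
    return sw.transitions


def sensor_heartbeats(duration_ms, outage=None):
    """Constructed heartbeat stream: one per ms, minus an optional outage [a, b)."""
    return [t for t in range(0, duration_ms, HEARTBEAT_PERIOD_MS)
            if outage is None or not (outage[0] <= t < outage[1])]


if __name__ == "__main__":
    # Constructed scenario: the Sensor stops heartbeating from t=23 ms to t=41 ms.
    beats = sensor_heartbeats(60, outage=(23, 41))
    for when, mode in simulate(beats, 60):
        print(f"t={when:3d} ms -> {mode}")
```

In the constructed scenario the switch drops to bypass at the end of the first window with fewer than 10 heartbeats and stays there through the window that sees only 9 (the Sensor came back at 41 ms), which is worth logging on the monitoring side because a brief outage leaves traffic uninspected for longer than the outage itself.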

The external active bypass enables plug-and-play connectivity, includes an automatic heartbeat, and does not require additional drivers to be installed on any connected appliance. The Bypass Switch has one I/O channel, supports one appliance, and provides the following features:

  • Secure Web Management Interface (using HTTPS)
  • CLI by serial console
  • SSH
  • SNMPv3 support