10G/40G Active Fail-Open Bypass Kit Guide

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all traffic through a designated port pair. However, a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. In such cases you might want traffic to continue passing through without interruption. For such requirements, you can use an external device called a Fail-Open module. The Fail-Open module can be either an active Fail-Open module or a passive Fail-Open module.

An active Fail-Open module constantly monitors the Sensor's state. It does this by sending a heartbeat packet through its ports: the heartbeat packet is sent out through one of the Monitoring ports and received back through the other, indicating that the Sensor is functioning normally.

This document describes the contents and how to install and use the McAfee® 10/40 Gigabit Active Fail-Open Bypass Kit (the Kit) for McAfee Network Security Sensors. The 10/40 Gigabit monitoring ports on the Sensor are, by default, fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for the monitoring ports requires the use of an optional external Active Fail-Open module provided in the Kit.

During normal Sensor in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat packet every 50 milliseconds by default (user configurable) to the monitoring port pair. If the Active Fail-Open Kit does not receive 6 consecutive heartbeats within its programmed interval (300 milliseconds by default; user configurable), it goes into bypass mode, which removes the Sensor from the traffic path. This provides continuous end-to-end data flow, but without inspection. Because a bypass is invisible to users of the link, monitor the module's bypass state (for example through its SNMPv3 interface) so that time spent uninspected is detected promptly rather than discovered after the fact.

The Active Fail-Open module, by default, is configured to work in the Active/in-line Switching Mode, where the traffic between the public and private networks is routed through the Sensor. Typically, traffic flows from the Public Network to Port NET0 (network in), is actively switched by the Active Fail-Open module to Port MON0 (appliance in), passes through the in-line Sensor, and returns on Port MON1 (appliance out). Active switching then routes the data through Port NET1 and out to the Private Network. This Mode operates in reverse as well, with traffic routing from the Private to the Public Network.

In split TAP mode the ingress traffic into NET0 is mirrored to MON0 while being passed to NET1. At the same time ingress traffic to NET1 is mirrored to MON1 and passed to NET0. The bidirectional traffic passing from the public network to the private network can be monitored by an appliance with a dual NIC.

When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. In the Bypass Mode, the traffic is routed through a closed loop from port NET0 (network in) to port NET1 (network out) and bypasses the Sensor so that it goes directly from the public network to the private network. This mode can operate in reverse as well, with traffic routing from a private to public Network.

Once the Sensor resumes normal operation, the switch returns to the "On" state, again enabling in-line monitoring.
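The heartbeat timeout and the three switching modes described above, modelled as an added example. This is not McAfee code and not the module's firmware: the port names (NET0, NET1, MON0, MON1) and the default 50 ms / 6-miss timings are taken from this guide, while the watchdog logic, the function names and the simulated outage are assumptions of the model. It shows when a failed Sensor is taken out of the path, when it is put back, and how long traffic flowed uninspected.

```python
"""Model of the Active Fail-Open module: heartbeat watchdog plus per-mode
port switching. Constructed example; timings are the guide's defaults."""
from dataclasses import dataclass, field

INLINE, BYPASS, TAP = "inline", "bypass", "tap"

# Egress port(s) for a frame arriving on a given port, per operating mode.
# Inline: NET0 -> MON0 -> Sensor -> MON1 -> NET1 (and the reverse path).
# Tap:    NET0 -> NET1 with a copy to MON0; NET1 -> NET0 with a copy to MON1.
# Bypass: NET0 <-> NET1 directly; the Sensor sees nothing.
SWITCHING = {
    INLINE: {"NET0": ["MON0"], "MON1": ["NET1"], "NET1": ["MON1"], "MON0": ["NET0"]},
    TAP: {"NET0": ["NET1", "MON0"], "NET1": ["NET0", "MON1"]},
    BYPASS: {"NET0": ["NET1"], "NET1": ["NET0"]},
}


def egress(mode: str, ingress: str) -> list:
    """Ports a frame is switched to; an empty list means the module drops it."""
    return list(SWITCHING[mode].get(ingress, []))


def inspected(mode: str) -> bool:
    """Only inline mode puts the Sensor in the forwarding path (tap mode
    hands it a copy it cannot block; bypass mode hands it nothing)."""
    return mode == INLINE


@dataclass
class FailOpenWatchdog:
    """Tracks whether heartbeats injected on one MON port return on the other."""
    interval_ms: int = 50        # heartbeat send period (guide default)
    missed_to_bypass: int = 6    # misses before bypass (6 x 50 ms = 300 ms)
    mode: str = INLINE
    last_rx_ms: int = 0
    transitions: list = field(default_factory=list)  # (time_ms, new_mode)

    @property
    def timeout_ms(self) -> int:
        return self.interval_ms * self.missed_to_bypass

    def heartbeat_sent(self, now_ms: int) -> None:
        """Each time a heartbeat is injected, check whether the last one
        that came back is older than the programmed interval."""
        if self.mode == INLINE and now_ms - self.last_rx_ms >= self.timeout_ms:
            self.mode = BYPASS
            self.transitions.append((now_ms, BYPASS))

    def heartbeat_returned(self, now_ms: int) -> None:
        """A heartbeat came back through the Sensor: it is alive again."""
        self.last_rx_ms = now_ms
        if self.mode == BYPASS:
            self.mode = INLINE
            self.transitions.append((now_ms, INLINE))


def simulate(sensor_down_ms: int, sensor_up_ms: int, end_ms: int, **cfg) -> list:
    """Constructed outage: the Sensor echoes every heartbeat except while it
    is down during [sensor_down_ms, sensor_up_ms). Returns mode transitions."""
    wd = FailOpenWatchdog(**cfg)
    for t in range(0, end_ms + 1, wd.interval_ms):
        wd.heartbeat_sent(t)
        if not sensor_down_ms <= t < sensor_up_ms:
            wd.heartbeat_returned(t)
    return wd.transitions


def uninspected_ms(transitions: list, end_ms: int) -> int:
    """Total time the link carried traffic with the Sensor bypassed."""
    total, bypass_since = 0, None
    for t, mode in transitions:
        if mode == BYPASS and bypass_since is None:
            bypass_since = t
        elif mode == INLINE and bypass_since is not None:
            total += t - bypass_since
            bypass_since = None
    if bypass_since is not None:
        total += end_ms - bypass_since
    return total


if __name__ == "__main__":
    # Sensor dies at 150 ms and is back at 700 ms; last good heartbeat at 100 ms,
    # so the sixth missed heartbeat is the one sent at 400 ms.
    events = simulate(150, 700, 1000)
    print("transitions:", events)                       # [(400, 'bypass'), (700, 'inline')]
    print("uninspected ms:", uninspected_ms(events, 1000))
    print("NET0 frame in bypass goes to:", egress(BYPASS, "NET0"))
```

Shortening the programmed interval (a smaller `missed_to_bypass` in the model) makes the module fail open sooner after a real failure, but also makes it more likely to bypass on a Sensor that is merely busy; the uninspected window is the cost of either choice, which is why the bypass state is worth alerting on.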

The external active bypass enables plug and play connectivity, includes an auto heartbeat and does not require additional drivers to be installed on any connected appliance. The Active Fail-Open module has one I/O channel, supports one appliance, and provides the following features:

  • Secure Web Management Interface (using HTTPS)
  • CLI access via Serial Console or SSH
  • SNMPv3 support

Hardware description

The Active Fail-Open chassis supports both 10G and 40G modules. You can install a maximum of three modules in any combination of 10G and 40G modules. For example, you can install two 10G modules and one 40G module, three 10G modules, three 40G modules, and so on.

  • 10G modules are supported on NS5x00, NS7x00, NS7x50, NS7500, NS9x00, and NS9500 Sensor models.
  • 40G modules are supported on NS9x00 and NS9500 Sensor models.

Front panel

  1. Ethernet management port (1)
  2. RS232(RJ45) Console Port(1)
  3. USB Port (1)
  4. 10G-SR module
  5. 40G-BiDi (Multi Mode)
  6. 10G-LR module

Chassis LEDs

  1. Power LEDs (PS1 and PS2)
  2. System Status LEDs (Sys Ok, Sys Up, and ALM)
  3. Management Port Activity
  4. Management Port Link
  5. Console Port (RS232) Activity
  6. Console Port (RS232) Link
  7. Module Power LEDs (M1, M2, and M3)

10G Fail-Open module LEDs

  1. Heartbeat (HB). Blinks green when heartbeats are sent out.
  2. Bypass / Inline mode. Green color denotes inline mode and amber color denotes bypass mode.
Note: The LEDs listed are those of the 10G Long Range (LR) Fail-Open module. The 10G Short Range (SR) Fail-Open module has the same LEDs.

40G Fail-Open module LEDs

  1. Inline Mode
  2. Non Inline Mode (Bypass/Tap/Disconnect)
  3. Heartbeat (HB)
  4. Heartbeat Expiration (HB Exp)
Note: The LEDs listed are those of the 40G Long Range (LR4) Fail-Open module. The 40G Short Range (SR4) and 40G BiDi Fail-Open modules have the same LEDs.

Rear panel

  1. Fan units (4)
  2. Power supply 1/2
  3. LED on the Power Supply Unit
    • Power switched on - Solid Green
    • Standby - Blinking Green
    • Power Fail - Solid Red
    • Internal Fan Fail (any of the 4 Fans) - Blinking Red