40 Gigabit Active Fail-Open Bypass Kit Guide

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. At such times, you might want traffic to continue passing through without interruption. For such requirements, you can consider an external device called a Fail-Open module. The Fail-Open module can be either an active Fail-Open module or a passive Fail-Open module.

An active Fail-Open module constantly monitors Sensor state. It does this by sending a heartbeat packet through its ports. The heartbeat packet is sent through one of the Monitoring ports and received through the other, indicating that the Sensor is functioning normally.

This document describes the contents of the McAfee® 40 Gigabit Active Fail-Open Bypass Kit (the Kit) and how to install and use it with McAfee Network Security Sensor (Sensor) NS9x00 models with standard 40 Gigabit QSFP+ monitoring ports.

The 40 Gigabit monitoring ports on the Sensor are, by default, fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for the monitoring ports requires the use of an optional external Active Fail-Open module provided in the Kit.

During normal Sensor in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat packet (1 every millisecond by default; user configurable) to the monitoring port pair. If the Active Fail-Open Kit does not receive 5 heartbeat signals (5 milliseconds by default; user configurable) within its programmed interval, it goes into bypass mode, which removes the Sensor from the traffic path, providing continuous end-to-end data flow but without inspection.

The Active Fail-Open module, by default, is configured to work in the Active/in-line Switching Mode, where the traffic between the public and private networks is routed through the Sensor. Typically, traffic flows from the Public Network to Port NET0 (network in) and is then actively transferred by the Active Fail-Open module to Port MON0 (appliance in) and routed through the in-line appliance to Port MON1 (appliance out). Active switching then routes the data through Port NET1 and out to the Private Network. This mode can operate in reverse as well, with traffic routing from the Private Network to the Public Network.

In split TAP mode, the ingress traffic into NET0 is mirrored to MON0 while being passed to NET1. At the same time, ingress traffic to NET1 is mirrored to MON1 and passed to NET0. The bidirectional traffic passing between the public network and the private network can be monitored by an appliance with a dual NIC.

When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. In Bypass Mode, the traffic is routed through a closed loop from port NET0 (network in) to port NET1 (network out) and bypasses the Sensor so that it goes directly from the public network to the private network. This mode can operate in reverse as well, with traffic routing from the private network to the public network.

Once the Sensor resumes normal operation, the switch returns to the "On" state, again enabling in-line monitoring.
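
The heartbeat, bypass and recovery behaviour described above can be modelled as a small state machine. The following Python sketch is an added example, not McAfee code: it assumes heartbeats are counted as consecutive misses and that a single returned heartbeat restores in-line mode (the guide does not state a restore count). It reports when bypass starts and ends and how long traffic flowed without inspection.

```python
from dataclasses import dataclass, field

INLINE, BYPASS = "inline", "bypass"

@dataclass
class FailOpenMonitor:
    """Illustrative model of the heartbeat logic, not vendor firmware."""
    interval_ms: int = 1      # page default: one heartbeat per millisecond
    miss_threshold: int = 5   # page default: 5 missed heartbeats
    restore_after: int = 1    # ASSUMPTION: the page gives no restore count
    state: str = INLINE
    misses: int = 0
    hits: int = 0
    now_ms: int = 0
    uninspected_ms: int = 0   # time spent forwarding traffic without inspection
    transitions: list = field(default_factory=list)

    def tick(self, heartbeat_returned: bool) -> str:
        """Advance one heartbeat interval and update the switch state."""
        self.now_ms += self.interval_ms
        if heartbeat_returned:
            self.misses, self.hits = 0, self.hits + 1
        else:
            self.misses, self.hits = self.misses + 1, 0
        if self.state == INLINE and self.misses >= self.miss_threshold:
            self._switch(BYPASS)
        elif self.state == BYPASS and self.hits >= self.restore_after:
            self._switch(INLINE)
        if self.state == BYPASS:
            self.uninspected_ms += self.interval_ms
        return self.state

    def _switch(self, new_state: str) -> None:
        self.state = new_state
        self.transitions.append((self.now_ms, new_state))

def simulate(trace, **settings) -> FailOpenMonitor:
    """Replay a list of booleans (heartbeat returned or not) through the model."""
    monitor = FailOpenMonitor(**settings)
    for returned in trace:
        monitor.tick(returned)
    return monitor

# Constructed trace: healthy, 3 ms blip, healthy, 20 ms outage, recovery.
TRACE = [True] * 10 + [False] * 3 + [True] * 4 + [False] * 20 + [True] * 5

if __name__ == "__main__":
    result = simulate(TRACE)
    for at_ms, state in result.transitions:
        print(f"t={at_ms} ms -> {state}")
    print(f"uninspected window: {result.uninspected_ms} ms")
```

With the default threshold, the 3 ms blip in the constructed trace is ignored and only the longer outage triggers bypass; lowering `miss_threshold` makes the switch react faster but also opens an uninspected window on short blips.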

The external active bypass enables plug and play connectivity, includes an auto heartbeat and does not require additional drivers to be installed on any connected appliance. The Active Fail-Open module has one I/O channel, supports one appliance, and provides the following features:

  • Secure Web Management Interface (using HTTPS)
  • CLI access via Serial Console or SSH
  • SNMPv3 support

Hardware description

Front panel



  • Ethernet management port (1)
  • RS232 (RJ45) Console Port (1)
  • USB Port (1)
  • 40G Fail-Open module Ports with Hot Swappable QSFP+ Transceivers (2)
    • 40G-SR4 (Multi Mode)
    • 40G-BiDi (Multi Mode)

LED Section A: chassis LEDs

  • Power LEDs (PS1 and PS2)
  • System Status LEDs (Sys Ok, Sys Up, and ALM)
  • Management Port Activity/Link
  • Console Port (RS232) Activity/Link
  • Module Power LEDs (M1, M2, and M3)

LED Section B: 40G Fail-Open module LEDs

  • Inline Mode
  • Non Inline Mode (Bypass/Tap/Disconnect)
  • Heart beat (HB)
  • Heartbeat Expiration (HB Exp)

Rear panel



  • Power supply 1
  • Power supply 2
  • Fan units (4)

LED on the Power Supply Unit

  • Power switched on - Solid Green
  • Standby - Blinking Green
  • Power Fail - Solid Red
  • Internal Fan Fail (any of the 4 Fans) - Blinking Red