100 Gigabit Modular Active Fail-Open Bypass Kit Guide

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. In such cases you might want traffic to continue to pass without interruption. For this requirement you can use an external device called a Fail-Open module. A Fail-Open module can be either an Active Fail-Open module or a Passive Fail-Open module. An Active Fail-Open module constantly monitors the Sensor state by sending a heartbeat packet through its ports: the packet is sent through one of the monitoring ports and received through the other, which indicates that the Sensor is forwarding traffic normally.

This document describes the contents of the McAfee® 100 Gigabit Active Fail-Open Bypass Kit (the Kit) and how to install and use it with the McAfee Network Security Sensor (Sensor) NS9500 model with standard 100 Gigabit QSFP28 monitoring ports.

The 100 Gigabit monitoring ports on the Sensor are fail-closed by default; if the Sensor is deployed in-line, a hardware failure therefore results in network downtime. Fail-open operation for the monitoring ports requires the optional external Active Fail-Open module provided in the Kit. During normal in-line fail-open operation, the Active Fail-Open Kit sends a heartbeat packet (every 3 milliseconds by default; user configurable) to the monitoring port pair. If no heartbeat returns within the programmed interval (10 milliseconds by default, that is, about 3 consecutive missed heartbeats; user configurable), the Kit goes into bypass mode, which removes the Sensor from the traffic path. Traffic continues to flow end to end, but without inspection: while the Kit is in bypass, nothing the Sensor would have blocked is blocked, so treat a bypass event as a loss of inspection coverage and monitor for it (the BP/INL LED and SNMP trap notification described later in this guide), not only as a resilience feature.
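The heartbeat timing described above, as an added illustration that is not part of this guide and not McAfee's firmware: a small Python model of the watchdog using the default 3 millisecond send interval and 10 millisecond bypass threshold. The names Watchdog, returned_during and simulate, the outage windows, and the assumption that a returned heartbeat is seen in the same millisecond it is sent are all constructed for the example; the Kit's exact timing arithmetic is not documented on this page.

```python
"""Constructed model of the Active Fail-Open heartbeat watchdog.

This is an added example, not the kit's firmware.  It models only what the
guide states: a heartbeat is sent out of one monitoring port every
HEARTBEAT_MS and is expected back on the other; if nothing returns within
TIMEOUT_MS the module switches the link to bypass, and the first heartbeat
that returns switches it back to in-line.  Assumed: a returned heartbeat is
seen in the same millisecond it is sent (sub-ms loopback latency).
"""
from dataclasses import dataclass, field

HEARTBEAT_MS = 3   # default send interval from the guide
TIMEOUT_MS = 10    # default bypass threshold (about 3 consecutive misses)

INLINE = "inline"  # traffic NET0 -> MON0 -> Sensor -> MON1 -> NET1
BYPASS = "bypass"  # traffic NET0 -> NET1, Sensor out of path, no inspection


@dataclass
class Watchdog:
    heartbeat_ms: int = HEARTBEAT_MS
    timeout_ms: int = TIMEOUT_MS
    state: str = INLINE
    last_rx_ms: int = 0                          # time the last heartbeat came back
    transitions: list = field(default_factory=list)

    def _set(self, now_ms, state):
        """Record a state change; a repeat of the current state is not logged."""
        if state != self.state:
            self.state = state
            self.transitions.append((now_ms, state))

    def tick(self, now_ms):
        """A heartbeat is sent out MON0; check how long since one came back."""
        if self.state == INLINE and now_ms - self.last_rx_ms >= self.timeout_ms:
            self._set(now_ms, BYPASS)

    def received(self, now_ms):
        """A heartbeat came back on MON1: the Sensor is forwarding again."""
        self.last_rx_ms = now_ms
        self._set(now_ms, INLINE)


def returned_during(end_ms, outages, heartbeat_ms=HEARTBEAT_MS):
    """Constructed timeline: the send times whose heartbeat makes it back.

    `outages` is a list of (start_ms, end_ms) windows during which the Sensor
    drops everything, e.g. a reboot or a failed monitoring port.
    """
    return {t for t in range(0, end_ms + 1, heartbeat_ms)
            if not any(start <= t < end for start, end in outages)}


def simulate(returned, end_ms, heartbeat_ms=HEARTBEAT_MS, timeout_ms=TIMEOUT_MS):
    """Run the watchdog from t=0 to end_ms and return its state transitions."""
    wd = Watchdog(heartbeat_ms, timeout_ms)
    for now_ms in range(0, end_ms + 1, heartbeat_ms):
        wd.tick(now_ms)            # send, and time out if nothing has returned
        if now_ms in returned:
            wd.received(now_ms)    # loopback arrived: Sensor alive
    return wd.transitions


if __name__ == "__main__":
    # Sensor dies at 1 ms and recovers at 30 ms: heartbeats at 3, 6, 9 ms are
    # lost, the 12 ms tick crosses the 10 ms window, the link goes to bypass,
    # and the first returned heartbeat at 30 ms restores in-line inspection.
    print(simulate(returned_during(60, [(1, 30)]), 60))
    # A shorter blip (two missed heartbeats) never trips the watchdog.
    print(simulate(returned_during(60, [(1, 9)]), 60))
```

Two things the model makes visible that the prose does not: between the Sensor failing and the bypass switching in (roughly 11 milliseconds in the first scenario) the Kit is still in-line and that traffic is lost, and the return to in-line happens on the very first heartbeat that comes back, so a flapping Sensor produces a burst of bypass/in-line transitions. Both are worth alarming on, since every interval spent in bypass is traffic that was never inspected.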
By default the Active Fail-Open module is configured for Active/in-line switching mode, in which traffic between the public and private networks is routed through the Sensor. Typically, traffic flows from the public network into port NET0 (network in), is actively transferred by the Active Fail-Open module to port MON0 (appliance in), passes through the in-line appliance and returns on port MON1 (appliance out), and is then switched out through port NET1 to the private network. This mode operates in reverse as well, with traffic flowing from the private to the public network.

In split TAP mode, ingress traffic on NET0 is mirrored to MON0 while being passed to NET1, and ingress traffic on NET1 is mirrored to MON1 while being passed to NET0. The bidirectional traffic between the public and private networks can then be monitored by an appliance with a dual NIC. Because the appliance receives only copies in this mode, it can detect but not block.

When the Sensor fails, the module automatically shifts to the bypass state: in-line traffic continues to flow across the network link but is no longer routed through the Sensor. In bypass mode, traffic is routed in a closed loop from port NET0 (network in) to port NET1 (network out), bypassing the Sensor so that it goes directly from the public network to the private network. This mode also operates in reverse, with traffic flowing from the private to the public network. Once the Sensor resumes normal operation and its heartbeat returns, the module returns to the "On" state and in-line monitoring is re-enabled.

The external active bypass enables plug-and-play connectivity, includes an automatic heartbeat, and does not require additional drivers to be installed on the connected appliance.
The Active Fail-Open module has one I/O channel, supports one appliance, and provides the following features:
  - Secure web management interface (HTTPS)
  - CLI access via serial console or SSH
  - SNMP versions 1, 2c, and 3 (SHA authentication, AES privacy)

Only SNMPv3 with SHA authentication and AES privacy protects the management exchange; SNMPv1 and v2c send their community strings in cleartext, so use v3 for management and trap notification.

Hardware description

Front panel
  - Ethernet management port (1)
  - RS232 (RJ45) console port (1)
  - USB port (1)
  - 100G Fail-Open module ports with hot-swappable QSFP28 transceivers (2): 100G-LR4 (single mode) or 100G-SR4 (multi mode)

LED section A: chassis LEDs
  Power LEDs (PS1 and PS2)
    Power on: Solid green
    Power off: Off
  System status LEDs (Sys Ok, Sys Up, and ALM)
    Sys Ok
      System in normal operating condition: Solid green
      Identifying a rack: Blinking green
    Sys Up
      System initialization during power-up and shutdown: Solid yellow
      System fully up: Off
    ALM
      System alarm on: Solid red
      System alarm off: Off
  Management port activity and link LEDs
  Console port (RS232) activity and link LEDs
  Module power LEDs (M1 and M2)
    Module (M1/M2) inserted and active: Solid green
    Module (M1/M2) not inserted: Off

LED section B: 100G Fail-Open module LEDs
  LED  Parameter                 Description
  1    Heartbeat (HB)            Active heartbeat: Blinking green
                                 Inactive heartbeat: Off
  2    Net 0 (Link/Activity)     Up and no traffic: Solid green
  3    Net 1 (Link/Activity)     Up and with traffic: Blinking green
  4    Mon 1 (Link/Activity)     Down: Off
  5    Mon 0 (Link/Activity)     (LEDs 2 to 5 share the meanings above)
  6    Bypass/Inline (BP/INL)    System in in-line mode: Solid green
                                 System in bypass/TAP mode: Solid yellow

A solid yellow BP/INL LED means traffic is crossing the link without passing through the Sensor.

Bypass module: 100G-SR4 (multi mode) or 100G-LR4 (single mode)

Rear panel
  - Fan units (4)
  - Power supply 1/2
  - LED on the power supply unit
      Power switched on: Solid green
      Standby: Blinking green
      Power fail: Solid red
      Internal fan failure (any of the 4 fans): Blinking red

Install the Active Fail-Open module and chassis
Connections with the Fail-Open module
Configure 100G Active Fail-Open chassis parameters
Configure Sensor monitoring ports
Manage the Active Fail-Open module through a web interface
Enable tap mode for the Active Fail-Open module
Configure notification by SNMP traps
Verify your installation
Reboot, halt, or reset an Active Fail-Open module
Upgrade Active Fail-Open software
Troubleshooting
CLI commands