McAfee Network Security Platform

The 10/100/1000 passive fail-open bypass kit (the kit) minimizes the potential risks of in-line Network Security Sensor (Sensor) failure on critical network links.

The 10/100/1000 monitoring ports on Sensors are fail-closed; thus, if the Sensor is deployed in-line, a hardware failure results in network downtime. Fail-open operation for GE ports requires the use of the optional external bypass switch provided in the kit.

With the bypass switch in place, normal Sensor operation supplies power to the switch via a control cable. While the Sensor is operating, the switch is "on" and routes all traffic directly through the Sensor. When the Sensor fails, the switch automatically shifts to a bypass state: in-line traffic continues to flow through the network link, but is no longer routed through the Sensor. After the Sensor resumes normal operation, the switch returns to the "on" state, again enabling in-line monitoring.

The kit contains a bypass switch and all the connectivity components to connect the switch to the GE monitoring ports of any Sensor model, and to connect a control cable between the Sensor and the switch. Additional cables may be required to connect the bypass switch to your other network devices (routers, switches), and you may not require all the components included in the kit (for example, you will use only one of the two types of control cable included in the kit).

This document describes the contents of the kit; how to install the kit for all Sensor models with 10/100/1000 ports, or small form-factor pluggable (SFP) ports; how the kit functions; and what to expect during normal use.

1 Kit contents

The following external hardware is shipped with the Copper Fail-Open Kit:

Qty  Item  Description

1  Gigabit fail-open Bypass Switch  1000Base-T switch; connects to the GE ports of all Sensor models and is controlled through the Sensor's built-in control port.

1  19-inch rack-mount panel for 3 switches  1RU mounting hardware to mount up to three Bypass Switches in a standard rack.

10/100/1000 Copper Passive Fail-open Bypass Kit Guide

Revision C

4  3-meter RJ45 - RJ45 cables  Connect the Bypass Switch to the peer network device and to the Sensor.

1  3-meter RJ45 - RJ11 cable  Connects the Bypass Switch to a built-in Sensor Fail-Open Control port.

Depending on the Sensor model and port type, certain Sensor ports have built-in corresponding Fail-Open Control ports.

2 Connecting the Fail-Open Kit to a Sensor

The Bypass Switch connects to any Sensor model with Gigabit Ethernet (GE) ports; the physical connection differs by Sensor model and port pair, as explained in this section.

Connecting the switch to Sensors with SFP ports

Connect the switch to any M-series Sensor model. For example, the M-3050/M-4050 Sensors each have eight SFP GE monitoring ports (four pairs), and each model supports up to four kits.

Figure 1  Fail-open switch connected to ports 3A-3B

This diagram shows a switch connected to one of the first four port pairs; thus the switch is controlled via the corresponding Fail-Open Control port, X1.

Item  Description

1  Fail-Open Bypass Switch

2  Fail-Open Control Ports (RJ11 connection)

3  Control port on Bypass Switch (RJ45 connection)

4  RJ45 - RJ11 cable

5  Connection to network device

6  Connection to network device

7  PTx/SRx (inside) connection to port 3A of the Sensor (copper SFP)

8  STx/PRx (outside) connection to port 3B of the Sensor (copper SFP)

3 Installing the Bypass Switch on a rack

You can install between one and three Bypass Switches onto the Bypass Switch rack-mount panel. The rack-mount panel described in this section is included in the Fail-Open Kit.

This procedure is optional; if you do not wish to install the Bypass Switch on a rack, you may set the switch directly on top of the Sensor or another network device.

Install the switch on the rack-mount panel

a Slide the switch into the center opening in the rack-mount panel, until the faceplate of the switch rests against the panel.

b Secure the switch to the rack-mount panel by inserting the screws through the holes on the switch faceplate and into the panel.

Additional Bypass Switches can be installed without removing the rack-mount panel from the rack.


To install up to two additional switches:

1 Remove the screws holding one of the removable blank plates from the front of the panel.

2 Follow the procedure for installing a switch in the rack-mount panel for the additional Bypass Switch(es).

Install the panel and switch(es) on a rack

a Place the 1U panel against the front of a standard 19-inch rack.

b Secure the rack-mount panel by inserting the screws (included with the rack-mount panel) through the holes on front of the panel and the sides of the rack.

4 Installing the fail-open bypass switch

To accurately detect attacks, the Sensor must be aware of which traffic is outside the network and which traffic is inside. Identifying traffic direction is accomplished via proper cabling of the Bypass Switch as well as proper port configuration of the Sensor Monitoring ports in the McAfee® Network Security Manager (Manager).

For information on how to configure Sensor ports via the Manager, see the McAfee Network Security Platform IPS Administration Guide.

In addition to the RJ45 Control port, the Fail-Open Module has four RJ45 connectivity ports. The two on the left have A and B labels above the ports and a Network label below the ports. These connect to your network devices.

The two on the right have A and B labels above the ports and a Monitor label below the port. These connect to the Sensor.

Field  Description

1  To Sensor Fail-Open Control port

2  To Network Device (inside)

3  To Network Device (outside)

4  PTx/SRx - inside (plugs into Sensor port xA)

5  STx/PRx - outside (plugs into Sensor port xB)

Connecting the Bypass Switch to a Network Device

a Plug an inside network cable connector into the Network port labeled A on the bypass switch.

b Plug the other end of this cable into the corresponding network device.

c Plug an outside network cable into the Network port labeled B on the bypass switch.

d Plug the other end of this cable into the corresponding network device.

Connecting the Bypass Switch to a Sensor with SFP ports

a Plug a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP in port xA, where x is 1-6.

b Plug the other end of the cable into the Monitor port labeled A of the bypass switch.

c Plug a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding xB peer port. (For example, if you used 2A in step a, plug the cable into port 2B.)

d Plug the other end of the cable into the Monitor port labeled B of the bypass switch.

With this cable configuration, Sensor Monitoring port 1A views traffic as originating inside the network, and port 1B views traffic as originating outside the network. Note that this configuration (1A = inside, 1B = outside) must match the port configuration specified for this Sensor, and that the ports must be enabled. For more information on port configuration via the Manager, see the McAfee Network Security Platform IPS Administration Guide.

Configuring the Sensor Monitoring Ports

You configure the Sensor's monitoring ports from the McAfee® Network Security Manager (Manager) interface. The port configuration must match the cabling of the switch, the ports must be set to "In-line Fail-Open", and the ports must be enabled.

To view/configure the settings of your monitoring ports:

a In the Manager interface, select Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports | Monitoring Ports.

b Click a numbered port (for example 10A) in the Monitoring Ports pane. A pop-up displays the current port settings.

c Indicate whether you are using a McAfee Certified module.

d Set State to Enabled.

e In the Operation section, select Mode as In-line Fail-Open Passive.

f In the same section, select Placement as Inside (internal) or Outside (external).

h Click OK. Make sure you apply the same configuration to port 10B too.

i Repeat for any other ports you need to configure.

j Download the changes to your Sensor by performing the steps in "Deploy pending changes to a device" in the McAfee Network Security Platform Manager Administration Guide.

5 Verify proper installation

After the Bypass Switch has been connected to the network and the Sensor, check the switch's LED to verify that the switch is receiving power from the Sensor. Check the port status and operating mode status in the McAfee® Network Security Manager (Manager) interface to ensure that the port is enabled and is in the In-Line Fail-Open mode.

Status LED on the Bypass Switch

The indicator is adjacent to the Control port on the Bypass Switch.

Light  Status

ON  Switch is receiving power from the Sensor and traffic is passing to the Sensor.

OFF  The switch is in bypass mode; it is not receiving power and is not passing network traffic to the Sensor.

Port and operating mode status

The port status and operating mode status for GE In-line Fail-open mode are detailed as follows:

In-line Fail-Open Port Status  |  Port color on the virtual Sensor  |  Operating Mode Status

In-line Fail-Open  |  Green  |  The in-line fail-open device is in in-line fail-open mode.

In-line Bypass  |  Yellow  |  The in-line fail-open device is in in-line bypass mode. The bypass switch has been activated. The Sensor does not monitor during this time.

Unknown  |  Orange  |  Unable to get the status of the in-line fail-open device from the Sensor. Check the Operational Status.

Switch Absent  |  Red  |  Fail-open control is not present, control cable is not present, or bypass switch is not present. Verify that all three components are connected properly. If everything is connected correctly, check the Operational Status.

N/A  |  Gray  |  Not applicable; the operating mode is not in in-line fail-open mode.

If you encounter any problems, see Common Problems and Solutions.

6 Troubleshooting

How does the Bypass Kit work?

During normal Sensor in-line, fail-open operation, the Fail-Open or built-in Control port (depending on which controls the bypass switch) supplies power and a heartbeat signal to the bypass switch. If this signal is not received within the programmed four-second interval, the Fail-Open bypass switch removes the Sensor from the data path and moves into bypass mode, providing continuous data flow with little network interruption.

While the Sensor is in bypass mode, traffic passes directly through the switch, bypassing the Sensor. When normal Sensor operation resumes, you may or may not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure.

The following section describes how to return the Sensor to in-line mode.

Moving from bypass mode back to in-line mode

Moving from bypass mode back to in-line mode involves one of the following cases:

• Manual Sensor reboot

• Sensor error

Manual Sensor reboot

Certain normal Sensor activity involves a reboot, such as installation of a new Sensor software image or a manual reboot issued from the Manager. If the Sensor reboots during normal activity, no manual intervention is necessary. When the switch receives power and a heartbeat signal from the Sensor, it sends traffic through the Sensor and the Sensor resumes monitoring traffic in in-line mode.

Sensor error

If the Sensor reboots due to internal error, hardware failure, removal of the Bypass Switch during normal operation or disruption of the Sensor or Bypass switch cables during Sensor operation, the Monitoring ports connected to the Bypass Switch are automatically disabled. You must re-enable the ports via the Manager to resume monitoring mode. When the ports are re-enabled, the Sensor resumes monitoring traffic in in-line mode.
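The return-to-in-line rules above and the failure sequence in the next section can be captured as a small state model, which is useful when writing a monitoring check for the bypass state. The Python below is an added example, not McAfee code: it assumes a simulated clock in seconds, the guide's four-second heartbeat interval, and that an error reboot leaves the Monitoring ports disabled until an operator re-enables them in the Manager.

```python
from dataclasses import dataclass
from enum import Enum

# Heartbeat interval stated in the guide; the switch bypasses the Sensor when it lapses.
HEARTBEAT_TIMEOUT_S = 4.0


class SwitchState(Enum):
    INLINE = "inline"  # LED on: traffic is routed through the Sensor
    BYPASS = "bypass"  # LED off: traffic flows straight across the switch


@dataclass
class FailOpenModel:
    """Hypothetical model of one Sensor port pair and its bypass switch (assumption)."""
    last_heartbeat: float = 0.0   # simulated clock, seconds
    ports_enabled: bool = True    # Monitoring ports state as set in the Manager
    state: SwitchState = SwitchState.INLINE

    def _update(self, now: float) -> SwitchState:
        heartbeat_ok = (now - self.last_heartbeat) < HEARTBEAT_TIMEOUT_S
        # Traffic goes through the Sensor only while the switch is powered and
        # heartbeated AND the ports are enabled in the Manager.
        self.state = (SwitchState.INLINE if heartbeat_ok and self.ports_enabled
                      else SwitchState.BYPASS)
        return self.state

    def heartbeat(self, now: float) -> SwitchState:
        """The Sensor control port delivers its periodic heartbeat."""
        self.last_heartbeat = now
        return self._update(now)

    def tick(self, now: float) -> SwitchState:
        """Time passes with no heartbeat (for example while the Sensor reboots)."""
        return self._update(now)

    def sensor_reboot(self, now: float, due_to_error: bool) -> SwitchState:
        """Normal reboots (image install, manual reboot) keep the ports enabled;
        error reboots, cable disruption or switch removal disable them automatically.
        The heartbeat stops until the Sensor is back up, so advance time with tick()."""
        if due_to_error:
            self.ports_enabled = False
        return self._update(now)

    def reenable_ports(self, now: float) -> SwitchState:
        """Operator re-enables the Monitoring ports from the Manager."""
        self.ports_enabled = True
        return self._update(now)
```

A heartbeat that arrives after an error reboot therefore does not put the switch back in line; only re-enabling the ports does, which matches the "Sensor error" case above.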


What happens in a Sensor failure?

When a Sensor fails with the Bypass Kit in place, the following events occur in the order shown.

a The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the Operational Status pane.

b The Sensor reboots and Bypass Switch begins forwarding traffic. All traffic then bypasses the Sensor and flows across the Bypass Switch with minimal traffic disruption.

A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires the renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption should range from a couple of seconds to more than a minute with certain vendors' devices.

c Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:

1) If the reboot happened during normal activity as described above, the Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

2) If the reboot occurred due to an error, the Bypass Switch will continue to bypass the Sensor until the Sensor ports are re-enabled from the Manager.

After the ports are re-enabled, the Bypass Switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

A very brief link disruption might occur while the links are renegotiated to place the Sensor back in in-line mode.

d The errors on the Manager are cleared and normal health is reported.

Common Problems and Solutions

This section lists some common installation problems and their solutions.

Problem: LED is off.
Possible cause: The control cable has been disconnected.
Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.

Problem: LED is off.
Possible cause: The Sensor is powered off.
Solution: Restore Sensor power.

Problem: LED is off.
Possible cause: The Sensor port cable is disconnected.
Solution: Check the Sensor cable connections.

Problem: Sensor is operational, but is not monitoring traffic.
Possible cause: Network device cables have been disconnected.
Solution: Check the cables and ensure they are properly connected to both the network devices and the Bypass Switch.

Problem: Sensor is operational, but is not monitoring traffic.
Possible cause: The Sensor ports have not been enabled in the Manager.
Solution: The Sensor will not monitor traffic on the ports unless the ports are enabled in the Manager. Ports are disabled in a Sensor failure; they must be re-enabled for Sensor monitoring to resume.

Problem: Network or link problems.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.

Problem: Runts or giants errors on switches and routers.
Possible cause: Improper cabling or port configuration.
Solution: Ensure that the transmit and receive cables are properly connected to the Bypass Switch.

Problem: The system fault "Switch absent" appears in the Manager Operational Status window.
Possible cause: The control cable has been disconnected.
Solution: Check the control cable and ensure it is properly connected to both the Sensor and the Bypass Switch.

Copyright © 2014 McAfee, Inc. www.intelsecurity.com

Intel and the Intel logo are trademarks/registered trademarks of Intel Corporation. McAfee and the McAfee logo are trademarks/ registered trademarks of McAfee, Inc. Other names and brands may be claimed as the property of others.
