User guide

About High Availability
Proventia Network IPS G and GX Appliance User Guide
Note: If you run Proventia Setup when the HA feature is enabled, you cannot modify
network settings.
HA and SiteProtector management
You can manage HA through the SiteProtector Agent Manager. You must put both
appliances in an HA configuration in the same SiteProtector group. SiteProtector can then
synchronize appliance updates, including XPUs and policy updates. Each appliance
reports to SiteProtector using a unique ID.
Processing responses
Both appliances process packets received from all redundant segments, but they only
block attack traffic that arrives on their inline ports when appropriate. Both appliances
report events to the Management Console at all times. However, they only process
responses for events generated by packets that arrive on inline ports, and report those
events to the Management Console. Appliances process but do not block or report events
generated by traffic that arrives on mirroring ports.
As both appliances see all the traffic at all times, failover time for response processing is
eliminated. Both appliances maintain current state, so if one HA network segment fails,
the other appliance receives all packets on its inline ports, resulting in events being
generated as soon as the network fails over.
Note: A small number of signatures, particularly for sweep attacks, such as Port Scans,
can generate duplicate events, one by each appliance in a clustered configuration.
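The duplicate events described in the note above can be collapsed downstream of the Management Console. The following is an added example, not code from this guide or from the product: the event records and their field names are constructed, and the agent names stand in for the unique ID each appliance reports with.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real SiteProtector output). The field names
# and agent IDs are assumptions made for this example.
EVENTS = [
    {"time": "2024-01-10T12:00:01", "agent": "ips-a", "signature": "TCP_Port_Scan", "src": "198.51.100.7"},
    {"time": "2024-01-10T12:00:02", "agent": "ips-b", "signature": "TCP_Port_Scan", "src": "198.51.100.7"},
    {"time": "2024-01-10T12:00:03", "agent": "ips-a", "signature": "SQL_Injection", "src": "203.0.113.9"},
    {"time": "2024-01-10T12:05:00", "agent": "ips-a", "signature": "TCP_Port_Scan", "src": "198.51.100.7"},
    {"time": "2024-01-10T12:00:04", "agent": "ips-a", "signature": "SQL_Injection", "src": "203.0.113.9"},
]
HA_PAIRS = {"ips-a": "ha-pair-1", "ips-b": "ha-pair-1"}  # agent ID -> HA pair


def collapse_ha_duplicates(events, ha_pairs, window=timedelta(seconds=5)):
    """Merge events that the two partners of one HA pair raised for the same
    signature and source within `window`. Repeats from the same appliance are
    kept, because they are separate detections rather than HA duplicates."""
    merged = []
    recent = {}  # (pair, signature, src) -> most recent merged record
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = datetime.fromisoformat(ev["time"])
        pair = ha_pairs.get(ev["agent"], ev["agent"])
        key = (pair, ev["signature"], ev["src"])
        prev = recent.get(key)
        if (prev and ts - prev["first_seen"] <= window
                and ev["agent"] not in prev["agents"]):
            prev["agents"].append(ev["agent"])  # partner's copy of the same event
            continue
        rec = {"first_seen": ts, "pair": pair, "signature": ev["signature"],
               "src": ev["src"], "agents": [ev["agent"]]}
        merged.append(rec)
        recent[key] = rec
    return merged


if __name__ == "__main__":
    for rec in collapse_ha_duplicates(EVENTS, HA_PAIRS):
        print(rec["first_seen"], rec["signature"], rec["src"], rec["agents"])
```

Keeping the list of reporting agents on the merged record preserves the evidence that both partners saw the traffic.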
High availability modes
In an HA configuration, the appliance can operate only in inline simulation or inline
protection mode. Passive monitoring mode is not supported. When you select an HA
mode, all inline adapters are put in the corresponding adapter mode automatically.
HA does not address the availability or fault tolerance of the appliances themselves. No
separate high availability solution exists for appliances configured and wired for passive
monitoring mode. You can configure appliances using the high availability modes
described in the following table:
| Setting | Description |
| --- | --- |
| HA Simulation mode | Both HA partner appliances monitor traffic inline but do not block any traffic. Instead, both appliances monitor traffic and provide passive notification responses. The appliances also monitor traffic on each other's segment via mirror links, ready to take over notification in case of network failover. |
| HA Protection mode | Both HA partner appliances monitor traffic inline, and each reports and blocks the attacks configured with block response, quarantine response, and firewall rules. The appliances also monitor traffic on each other's segment via mirror links, ready to take over reporting and protection in case of network failover. |

Table 18: HA appliance modes