Installation guide
C HAPTER 6
Configuring the ports on each Sensor
To function as a failover Pair, the two McAfee
®
Network Security Sensors (Sensors) must
be the same model and have the same Sensor image (Sensor software version).
Previously, you could create Sensor fail-over pair only if all the monitoring ports of the
primary sensor were in Inline mode. Now, you can create Sensor fail-over pairs even if the
monitoring ports are in different operating modes, that is some ports in Inline, some in
SPAN, and some in Tap mode. For example, you can create an I-4010 fail-over pair with
monitoring ports 1A-1B, 2A-2B, 3A-3B and 4A-4B deployed in Inline mode and port 5A
deployed in SPAN mode.
In some Sensor models, a monitoring port is configured for the primary-secondary
heartbeat. In such cases, the peer monitoring port is disabled. For example, in I-2700,
monitoring port 4A is used for the heartbeat and when you create the failover pair, port 4B
is disabled.
Note that the port deployment modes of both the primary and secondary Sensors must be
the same. For example, if port 5A is deployed in SPAN mode in the primary then 5A of the
secondary must be deployed in SPAN mode as well.
Figure 4: Sensors - Failover Pairs tab
By design, there will always be a certain amount of independence among the Sensors. For
example, the solution must be flexible enough to handle a network on which a primary
path runs at 100 Mbps full duplex, but the secondary path runs at only 10 Mbps half
duplex.
This is the proper time to configure each port pair to fail open or closed. In previous
Network Security Platform versions, you could only configure each Sensor in a failover
Pair to fail closed. Now, you can configure one Sensor to fail closed and the second to fail
open.
Note: There is no special requirement for a minimum Sensor software version to be
able to configure one Sensor to fail closed and the other to fail open.
You can configure both the port speed and operating mode from the Configure Ports page
of the user interface:
11