Installation guide
McAfee® Network Security Platform 6.0
Configuring the ports on each Sensor
bypass kit does not change to bypass mode. Instead, the port pair fails closed and the
redundant link takes over.
The details of optical bypass kits are currently beyond the scope of this document. See the documentation that accompanies the fail-open kits (for example, the Gigabit Optical Fail-Open Bypass Kit Guide, which accompanies the Optical Fail-Open kit).
A caution about active-passive failover
The option to fail one Sensor closed and the other Sensor open is intended for active-passive configurations. When the order in which the redundant paths will be used is known, you can safely configure the Sensor on the primary path to fail closed and the Sensor on the secondary path to fail open. The result is as follows:
• If the Sensor on the primary path fails, its port pair takes the primary link down, which forces the secondary path to take over. Traffic is then scanned by the secondary Sensor, so the link remains protected.
• In the unlikely event that the secondary path has become active and the Sensor on it also fails, its port pair passes traffic through. Traffic continues to flow, but it is no longer scanned.
If you would rather lose the Internet connection than pass traffic that cannot be scanned for intrusions, configure both Sensors to fail closed. A second failure then results in an outage instead of unscanned traffic.
On a network on which both paths are active (active-active), there is no way to predict the order in which the paths will fail. Configuring a Sensor to fail open in this context would at best negate the purpose of the Network Security Platform redundancy: as soon as the fail-open Sensor fails, traffic on its path passes uninspected while the other path is still scanning. Furthermore, if there were asymmetric flows across the two paths, the remaining Sensor would see only part of the packets from those flows and would therefore be susceptible to both false positives and false negatives.