
Bypass Support Feature Overview

Bypass Support Feature Overview. August 2012, Threat Prevention Team. Agenda: 1. Feature Highlights. 2. Feature Description. 3. Installation Overview. 4. Traffic loss scenarios in case of failure. 5. Notes.

luce

Presentation Transcript


  1. Bypass Support Feature Overview
     August 2012, Threat Prevention Team
     [Restricted] ONLY for designated groups and individuals

  2. Agenda
     1 Feature Highlights
     2 Feature Description
     3 Installation Overview
     4 Traffic loss scenarios in case of failure
     5 Notes

  3. Feature Highlights
     Project Goals: Providing network bypass capabilities upon software or hardware failure
     Target Release Date: September 30th 2012, R75.40 on GAIA
     Related Product: 4200, 4400, 4600, 4800, 12200, 12400, 12600; IPS, DLP, APPI, URLF, AB & AV
     Supported Bypass Cards:
     • 1GbE Copper, 4 Port
     • 1GbE SFP, 4 Port (short and long range)
     • 10GbE SFP+, 2 Port (short and long range)

  4. Feature Description
     • The internal bypass card ensures that network traffic continues to flow if the appliance fails or loses power.
     • This feature is only supported for Gaia in a non-cluster configuration.
     • Bypass Card Architecture
     • The appliance enters Bypass Mode if one of the following occurs:
       • There is a power loss.
       • The appliance is overloaded; it enters bypass mode for at least 1 minute.
       • There is a system failure; it enters bypass mode for at least 5 minutes.
       • The appliance stops responding for 60 seconds.

  5. Bypass Card Installation Overview
     • Install the Bypass card in the appliance.
     • Install the R75.40 bypass hotfix on the appliance.
     • Use the Gaia WebUI to enable and configure it.
     • Configure the appliance in SmartDashboard.
     • Install the policy and reboot the appliance.
     Specific installation instructions will be provided with an SK for this Hotfix.

  6. Traffic loss scenarios in case of failure
     When the Bypass card returns from the fail-open state, there could be a delay of 15-40 seconds before the link is re-established.
     • The delay is due to the Linux Bridge forwarding mechanism, which allows the STP protocol (running on the switches) enough time to listen and learn the network topology and to block switch ports in case a loop is identified.
     • This is expected behavior for Bypass card solutions.
     • A possible way to reduce the delay is to configure the switches not to use auto negotiation.
     • There are some workarounds for the delay (for example, disabling STP on the interface ports of your switch or enabling Port-fast in the spanning tree settings). However, these may severely impact network behavior and should be carefully considered.

  7. Limitations
     • Only for non-clustering environments.
     • The following features will not be supported:
       • HTTPS Inspection.
       • Anti Spam.
       • Traditional Anti-Virus in proactive mode.
       • FTP Inspection for DLP SW Blade.
       • Header Spoofing Protection for IPS SW Blade.
     If one of the features above is enabled, severe network issues could result.

  8. Notes
     • To have access to the machine during the bypass state, it is required to use the dedicated management interface on the appliance.
