Active Fail-Open Kit Quick Start Guide
Revision F
McAfee Network Security Platform

Apr 13, 2018

McAfee Network Security Platform IPS Sensors, when deployed in-line, route all incoming traffic through a designated port pair. However, at times a Sensor might need to be turned off for maintenance, or its ports can go down because of an outage. At times like this, you might want to continue allowing traffic to pass through without interruption. For such requirements, you can consider an external device called a fail-open switch. A fail-open switch can be either an active fail-open switch or a passive fail-open switch. Keep in mind that fail-open trades inspection for availability: while the switch bypasses the Sensor, traffic crosses the link uninspected. If your policy requires that nothing reaches the inside network without inspection, the Sensor's in-line fail-closed mode is the appropriate choice instead.

An active fail-open switch constantly monitors Sensor state. It does this by sending a heartbeat signal through its ports: the heartbeat signal is sent through one of the Monitor ports and received through the other, indicating that the Sensor is functioning normally.

The table below shows the various models of active fail-open switches and the Sensor models that support them.

Fail-open switch                      SKU               NS9x00  NS7x00/NS7x50  NS5x00                      NS3x00  M-8000, M-6050  M-4050, M-3050  M-2950, M-2850
Active-Fiber (850 nm) 10G (62.5 µm)   IAC-AF85010-KT1   Yes     Yes            Yes (supported on G0 only)  No      Yes             Yes             No
Active-Fiber (1310 nm) 10G (8.5 µm)   IAC-AF131010-KT1  Yes     Yes            Yes (supported on G0 only)  No      Yes             Yes             No
Active-Fiber (850 nm) 1G (62.5 µm)    IAC-AF85062-KT1   Yes     Yes            Yes                         No      Yes             Yes             Yes
Active-Fiber (1310 nm) 1G (8.5 µm)    IAC-AF131085-KT1  Yes     Yes            Yes                         No      Yes             Yes             Yes
Active-Copper 10/100/1000 module      IAC-AFOCG-KT2     Yes     Yes            Yes                         Yes     Yes             Yes             Yes
Active Fail-Open Chassis              IAC-AFOCH-KT2     Yes     Yes            Yes                         Yes     Yes             Yes             Yes


You must also make sure you have the requisite SFPs, SFP+s, or XFPs when making this choice.

Fiber fail-open switches come in two types: single-mode and multi-mode. The table below gives the relevant details about both types of fiber optic fail-open switches. This matters because you must determine the type of fiber used in your organization's network before you decide which type of fail-open switch to use; in addition, all product documentation for fail-open kits and the decals on the fail-open switches refer repeatedly to these parameters. The table below shows the differences between single-mode and multi-mode fiber specifications.

Type                      Fiber core diameter  Wavelength range
Single mode (Long reach)  8.5 µm               1300 nm to 1550 nm
Multi-mode (Short reach)  50 µm or 62.5 µm     850 nm to 1300 nm

For more details about fail-open kits, refer to the chapter Fail-Open operation in Sensors in the McAfee Network Security Platform IPS Administration Guide. Since this Quick Start Guide refers to information in that chapter, keep a copy of it easily accessible before you begin installing and configuring your fail-open switch.

How it works

To begin with, the Sensor and the fail-open switch need to be cabled to each other appropriately. The Sensor ports are then configured for fail-open operation. For more details about configuring Sensor monitoring ports, refer to section 6, Configure Sensor Monitoring Ports.

After the Sensor and fail-open switch are connected and configured, the switch begins to send a heartbeat signal to the Sensor. Each heartbeat signal, once sent, returns from the Sensor to the fail-open switch. When the fail-open switch does not receive this response from the Sensor for a specified period, the switch removes the Sensor from the data path and begins to route traffic to the network through its own ports. While the switch is in bypass mode, the traffic it forwards is not inspected, so treat a bypass event as a security event and not only as an availability event: enable the bypass SNMP trap (section 9) and alert on it.

A 1G fiber or copper fail-open switch sends a heartbeat signal every second. When the fail-open switch does not receive a response for 3 seconds, it changes its working mode to "unknown" and begins to route traffic through itself.

A 10G fiber fail-open switch sends a heartbeat signal every 10 milliseconds (ms). If the fail-open switch does not receive a response from the Sensor for 100 ms, it removes the Sensor from the data path and begins to route traffic through its own ports.
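The heartbeat period and the bypass timeout above decide two different windows during a Sensor outage: how long traffic is still steered at an unresponsive Sensor before the switch gives up, and how long traffic then flows uninspected until the Sensor answers heartbeats again. The following model, added here as an example and not part of McAfee's guide or firmware, replays a constructed outage against a watchdog that uses the documented intervals (1 s send / 3 s timeout for the 1G fiber and copper modules, 10 ms / 100 ms for 10G fiber). The module names, the outage timeline, and the assumption that the timeout is measured from the last returned pulse are this example's own.

```python
"""Watchdog model of the active fail-open switch heartbeat.

Added example, not McAfee firmware. The only facts taken from the guide are the
heartbeat period and the bypass timeout per module class; the module names, the
outage timeline and the exact tick at which the switch decides are modelling
assumptions.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# (heartbeat period, bypass timeout) in milliseconds, as documented in the guide.
HEARTBEAT_MS = {
    "1g-fiber": (1000, 3000),
    "copper": (1000, 3000),
    "10g-fiber": (10, 100),
}


@dataclass
class FailOpenSwitch:
    module: str
    last_echo_ms: int = 0                 # last time a pulse came back on the peer Monitor port
    bypass: bool = False                  # True while Net 0 <-> Net 1 are joined directly
    bypass_since_ms: Optional[int] = None
    windows: List[tuple] = field(default_factory=list)   # closed (start, end) bypass windows

    def tick(self, now_ms: int, sensor_echoed: bool) -> None:
        """One heartbeat cycle: a pulse goes out on one Monitor port and `sensor_echoed`
        says whether the Sensor returned it on the other one."""
        _, timeout = HEARTBEAT_MS[self.module]
        if sensor_echoed:
            self.last_echo_ms = now_ms
            if self.bypass:               # Sensor is back: put it back in the data path
                self.windows.append((self.bypass_since_ms, now_ms))
                self.bypass, self.bypass_since_ms = False, None
        elif not self.bypass and now_ms - self.last_echo_ms >= timeout:
            self.bypass, self.bypass_since_ms = True, now_ms   # remove the Sensor from the path


def simulate(module: str, outage_ms: Tuple[int, int], horizon_ms: int) -> list:
    """Replay heartbeats over [0, horizon_ms). Within outage_ms = (start, end) the Sensor
    returns no heartbeats (it is rebooting, say). Returns the bypass windows; an end of
    None means the switch was still bypassing when the replay stopped."""
    sw = FailOpenSwitch(module)
    period = HEARTBEAT_MS[module][0]
    start, end = outage_ms
    for now in range(0, horizon_ms, period):
        sw.tick(now, sensor_echoed=not (start <= now < end))
    if sw.bypass:
        sw.windows.append((sw.bypass_since_ms, None))
    return sw.windows


def uninspected_ms(windows: list, horizon_ms: int) -> int:
    """Total time during which traffic crossed the link without passing through the Sensor."""
    return sum((horizon_ms if end is None else end) - start for start, end in windows)


def time_to_bypass_ms(module: str, outage_ms: Tuple[int, int], horizon_ms: int) -> Optional[int]:
    """Gap between the first missed heartbeat and the switch giving up on the Sensor. During
    this gap traffic is still steered at an unresponsive Sensor. None if it never bypassed."""
    windows = simulate(module, outage_ms, horizon_ms)
    return None if not windows else windows[0][0] - outage_ms[0]


if __name__ == "__main__":
    outage = (5_000, 20_000)              # constructed: Sensor silent from t=5 s to t=20 s
    for module in ("copper", "10g-fiber"):
        win = simulate(module, outage, 30_000)
        print(module, win, "time to bypass:", time_to_bypass_ms(module, outage, 30_000),
              "uninspected:", uninspected_ms(win, 30_000))
```

For the same 15 s outage the copper module takes 2 s to bypass and then forwards uninspected for 13 s, while the 10G module bypasses after 90 ms and forwards uninspected for 14.91 s: the faster heartbeat shortens the blackhole but lengthens the uninspected window, which is why the bypass trap and the Manager's bypass health alarm need to be monitored rather than the outage alone.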

1 Inside the box

Every fail-open kit consists of a similar set of components. Although the type of cables and the switch vary from one model to another, the list of items in the kit remains the same. The table below lists the items.

Qty  Item                                          Description
1    Fail-Open switch module                       One of the following, depending on the kit:
                                                   • 10/100/1000 Copper fail-open module
                                                   • 1G 850 nm Fiber (62.5 µm) fail-open module
                                                   • 1G 1310 nm Fiber (8.5 µm) fail-open module
                                                   • 10G 850 nm Fiber (62.5 µm) fail-open module
                                                   • 10G 1310 nm Fiber (8.5 µm) fail-open module
2    Power supplies and cords for the host system  One power supply acts as the primary and the other as the redundant power supply in case of a failure.
4    Copper: 3 m RJ-45 to RJ-45 cable              Connects the fail-open switch to the network devices and the Sensor.
     Fiber: 3 m LC-LC cable                        For a fiber fail-open kit, these cables are either single-mode or multi-mode, depending on the requirements provided at the time of purchase.
1    RS232 RJ-11 programming cable                 Connects the fail-open switch to a computer to access the switch CLI, which is used to configure switch parameters.

The Active Fail-Open chassis is not included in the kit. You must purchase this 1RU host hardware separately; it holds up to four fail-open switches in a standard rack.

2 Install the active fail-open switch and chassis

Before you begin

• Make sure you have purchased the Active Fail-Open switch chassis.

• Identify the rack in which you plan to install the fail-open chassis.

• If you are using a physical Sensor, make sure that you are able to physically connect the chassis to the Sensor's monitoring ports.

You can install up to four fail-open switches in a single chassis.

You can install an active fail-open switch module in the chassis on the fly, while the chassis is powered on in the rack.

a Install the ears of the chassis.

b Slide the switch into one of the openings in the chassis until the face plate of the switch rests against the chassis.

c Secure the switch to the chassis by inserting the screws provided through the holes on the fail-open switch face plate and into the panel.

If you are installing a switch while the chassis is powered on, wait 4 seconds after inserting the switch and fastening its screws.

d Place the 1U chassis against the front of a standard 19-inch rack.

e Secure the chassis by inserting screws through the holes on the ears of the chassis (refer to the Before you begin instructions for this section).

f (Optional) Install up to three additional switches by following these steps:

a Remove the screws holding each of the removable blank plates from the front of the chassis.

b Follow steps b and c of this procedure for each additional fail-open switch.

The fail-open switch is ready to be connected to a Sensor.

3 Remove an active fail-open switch from the chassis

Before you begin

You must make sure the fail-open switch is fully powered off before you attempt to remove it from the chassis.

Follow the steps in this section to power off and remove the fail-open switch.

a Power off the fail-open switch using the web interface or the CLI command prompt.

• If you are using the web interface, click the Rescue tab and select the Power Off checkbox in the System Restore section. To access the web interface, refer to section 7, Manage the fail-open switch through a web interface.

• If you are using the CLI command prompt, type power_off and press Enter. To access the CLI command prompt, refer to section 5, Configure fail-open switch parameters.

b When the fail-open switch is powered off, remove the captive screws and slide it out of the chassis.

4 Connections with the fail-open switch

To accurately detect attacks, a Sensor must be aware of which traffic is outside the network and which traffic is inside. Identifying traffic direction is accomplished through proper cabling of the fail-open switch as well as appropriate configuration of the Sensor monitoring ports in the Manager. The switch LED indicates whether traffic is passing to the Sensor.

Connect the fail-open switch to network devices

Callouts in the cabling figure of the original guide:

Callout  Description
1        10/100/1000 Copper fail-open switch module
2        Connection to network device (inside)
3        Connection to network device (outside)
4        Sensor monitoring port G3/1 (inside)
5        Sensor monitoring port G3/2 (outside)
6        Sensor monitoring ports on an NS9200

The steps below apply to both copper and fiber fail-open switches.

a Plug the inside network cable connector into the Cat 5/Cat 5e/LC port labeled Network 0 or Net 0 (copper) or Network A, shown in a triangle (fiber), on the fail-open switch.

b Plug the other end of this cable into the corresponding network device.

c Plug the outside network cable connector into the Cat 5/Cat 5e/LC port labeled Network 1 or Net 1 (copper) or Network B, shown in a triangle (fiber), on the fail-open switch.

d Plug the other end of this cable into the corresponding network device.

The fail-open switch is now connected to the network devices for the inside network and the outside network. Your next step is to connect the fail-open switch to the Sensor.


(Either) Connect a copper fail-open switch

Before you begin

• You will require two Cat 5/Cat 5e Ethernet cables to connect your fail-open switch to the Sensor.

• You will require two copper SFPs, inserted into two corresponding blank ports on the Sensor.

For more details about your Sensor, refer to the Sensor Product Guide for the appropriate model.

a Connect a Cat 5/Cat 5e Ethernet cable (inside) into the copper SFP in port Gx/a or xA, where x and a are port numbers.

b Connect the other end of the cable into the port labeled Port 0 on the fail-open switch.

c Connect a Cat 5/Cat 5e Ethernet cable (outside) into the corresponding Gx/b or xB peer port. (For example, if you used G1/1 in step a, plug the cable into port G1/2.)

d Connect the other end of the cable into the port labeled Port 1 of the bypass switch.

With this cable configuration, Sensor monitoring port G1/1 views traffic as originating inside the network, and port G1/2 views traffic as originating outside the network. This arrangement (G1/1 = inside, G1/2 = outside) must match the placement configured for these ports in the Manager, and the ports must be configured accordingly; if the cabling and the port placement disagree, the Sensor attributes traffic direction incorrectly and inbound and outbound detection is affected.

(Or) Connect a fiber fail-open switch

Before you begin

• You will require two LC-LC cables to connect your fail-open switch to the Sensor.

• If you are connecting a 1-Gigabit fail-open switch, you will require two fiber SFPs, inserted into two corresponding blank ports on the Sensor.

• If you are connecting a 10-Gigabit fail-open switch, you will require two fiber XFPs or SFP+s, inserted into two corresponding blank ports on the Sensor.

For more details about the SFP/XFP/SFP+ modules compatible with your Sensor, refer to the Sensor Product Guide for the appropriate model.

a Connect an LC-LC cable into the LC receptacle of port Gx/a or xA, where x and a are the corresponding 1-Gigabit or 10-Gigabit port numbers.

b Connect the other end of the LC cable into the LC receptacle labeled Monitor A on the fail-open switch.

c Connect an LC-LC cable into the corresponding Gx/b or xB peer port. (For example, if you used G1/3 in step a, plug the cable into port G1/4.)

d Connect the other end of this cable into the port labeled Monitor B on the fail-open switch.

With this cable configuration, Sensor monitoring port G1/3 views traffic as originating inside the network, and port G1/4 views traffic as originating outside the network. This arrangement (G1/3 = inside, G1/4 = outside) must match the placement configured for these ports in the Manager, and the ports must be configured accordingly.

5 Configure fail-open switch parameters

You can configure various parameters on your fail-open switch. All configuration options, status, and statistics are accessible from the fail-open switch Command Line Interface (CLI). After you have configured the basic network settings (IP address, gateway, and subnet mask) you can access the fail-open switch through SSH. SSH is enabled on every fail-open switch by default and can be disabled through the CLI. Because the default login credentials are published in this guide and both SSH and HTTPS are on by default, connect the Management port only to a restricted management network, change the default credentials before doing so, and turn off whichever of SSH (set_ssh_state off) or HTTPS (set_web_https_state off) you do not use.

Your fail-open switch only supports IPv4 addresses.

The steps below explain the configuration of parameters for your fail-open switch.

a Connect an RJ-11 cable to the front of the module.

b Connect the other end to a computer running terminal emulation software such as HyperTerminal or PuTTY.

c Launch the terminal emulation software, and set the communications parameters as shown below:

• Baud rate: 9600

It is recommended not to alter the baud rate of the Management port.

• Data bits: 8

• Parity: None

• Stop bits: 1

• Flow control: None

d Power up the fail-open switch.

The CLI banner and login prompt appear.

e At the login prompt, type McAfee00 and press Enter.

f At the password prompt, type McAfee00 and press Enter.

The fail-open switch CLI prompt appears.

g Configure or modify parameters related to fail-open switch access and its ports using the commands listed.

Command                                   Description
set_ip xxx.xxx.xxx.xxx                    Configures the fail-open switch IPv4 address. Reboot the fail-open switch for the new IPv4 address to take effect.
set_netmask xxx.xxx.xxx.xxx               Configures the fail-open switch subnet mask. Reboot the fail-open switch for the new subnet mask to take effect.
set_gateway xxx.xxx.xxx.xxx               Configures the default gateway IPv4 address. Reboot the fail-open switch for the new gateway IPv4 address to take effect.
set_link <port> <on/off>                  Sets the port of a 1G Copper fail-open switch to auto-negotiate. For <port> use mon0, mon1, net0, or net1.
set_link <port> off fd100m                Sets the port to 100 Mbps full-duplex. For <port> use the values listed above.
set_link <port> <enable/disable>_autoneg  Sets the port of a 1G Fiber fail-open switch to auto-negotiate. For <port> use mon0, mon1, net0, or net1. 10G Fiber fail-open switches do not have such a command, since auto-negotiate is enabled by default.

h Configure or modify parameters for other settings of the fail-open switch using these commands.

Command                        Description
set_ssh_state <on/off>         Enables or disables SSH on the fail-open switch.
set_web_https_state <on/off>   Enables or disables web access to the fail-open switch interface.
set_snmp_srv_ip                Configures the SNMP server IPv4 address. The SNMP server IPv4 address can also be set in the web interface.
set_trap <parameter> <on/off>  Enables or disables the following SNMP traps:
                               • appl fail – Application state change.
                               • net link – Network port state change trap.
                               • bypass – Bypass state change trap.
                               • error – Error notification trap.
                               • mon link – Monitoring port state change trap.
                               • update – Update complete trap.

i View the essential fail-open switch parameters using the commands listed. If your fail-open switch parameters have never been configured before, you will see the factory settings.

Command              Description
get_ip               Displays the fail-open switch IPv4 address.
get_netmask          Displays the fail-open switch subnet mask.
get_gateway          Displays the default gateway address.
get_ssh_state        Displays the SSH status, which is enabled by default.
get_snmp_srv_ip      Displays the SNMP server IPv4 address.
get_params           Displays the fail-open switch parameters.
get_web_https_state  Displays the status of web access to the fail-open switch interface.
get_link <port>      Displays port status. For <port> use mon0, mon1, net0, or net1.
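Typing the sequence above by hand over a 9600 baud console is error prone, and the switch accepts only IPv4 addressing. The following helper, added here as an example rather than McAfee tooling, validates the addressing the way a practitioner would before touching the console and emits the documented command sequence for one switch. It assumes the command syntax shown in the tables above, that set_snmp_srv_ip takes a dotted-quad argument like set_ip, and emits only the single-word trap names because the guide does not show how the two-word ones are typed; the choices to leave SSH on, switch HTTPS off, and enable the bypass and error traps are this example's own. Sending the lines over the serial port is left to the terminal tool described in steps a to f.

```python
"""Build and sanity-check the CLI command sequence for an active fail-open switch.

Added example; not McAfee tooling. Command names follow the tables in this guide.
Assumptions: set_snmp_srv_ip takes a dotted-quad argument like set_ip, and only the
single-word trap names are emitted because the guide does not show how the two-word
ones (appl fail, net link, mon link) are typed.
"""
import ipaddress
from typing import List, Optional

PORTS = ("mon0", "mon1", "net0", "net1")          # port names accepted by set_link / get_link
SINGLE_WORD_TRAPS = ("bypass", "error", "update")


def validate_addressing(ip: str, netmask: str, gateway: str) -> ipaddress.IPv4Interface:
    """Reject what the switch cannot use: IPv6, a non-contiguous mask, a gateway outside the
    subnet or equal to the switch, or a switch address that is the network/broadcast address."""
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")   # raises on IPv6 or a bad mask
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:                                # AddressValueError/NetmaskValueError
        raise ValueError(f"fail-open switch needs IPv4 addressing: {exc}") from exc
    net = iface.network
    if iface.ip in (net.network_address, net.broadcast_address):
        raise ValueError(f"{ip} is the network or broadcast address of {net}")
    if gw not in net or gw == iface.ip:
        raise ValueError(f"gateway {gateway} is not a usable host in {net}")
    return iface


def is_valid_addressing(ip: str, netmask: str, gateway: str) -> bool:
    """Boolean form of validate_addressing, for scripts that collect errors per switch."""
    try:
        validate_addressing(ip, netmask, gateway)
    except ValueError:
        return False
    return True


def build_commands(ip: str, netmask: str, gateway: str, snmp_server: Optional[str] = None,
                   *, ssh: bool = True, https: bool = False,
                   traps=("bypass", "error")) -> List[str]:
    """CLI lines to type at the switch prompt. Traps default to the ones that matter for an
    IPS: bypass (traffic is now uninspected) and error. Unused management services are
    switched off explicitly rather than left at their enabled default."""
    iface = validate_addressing(ip, netmask, gateway)
    unknown = set(traps) - set(SINGLE_WORD_TRAPS)
    if unknown:
        raise ValueError(f"unsupported trap names: {sorted(unknown)}")
    cmds = [
        f"set_ip {iface.ip}",
        f"set_netmask {iface.netmask}",
        f"set_gateway {gateway}",
        f"set_ssh_state {'on' if ssh else 'off'}",
        f"set_web_https_state {'on' if https else 'off'}",
    ]
    if snmp_server:
        ipaddress.IPv4Address(snmp_server)                   # IPv4 only, as for the switch itself
        cmds.append(f"set_snmp_srv_ip {snmp_server}")        # assumed argument syntax, see above
        cmds += [f"set_trap {t} on" for t in traps]
    cmds += ["get_params"] + [f"get_link {p}" for p in PORTS]   # read back before rebooting
    return cmds


if __name__ == "__main__":
    for line in build_commands("192.0.2.10", "255.255.255.0", "192.0.2.1", snmp_server="192.0.2.50"):
        print(line)
```

The address, netmask and gateway commands only take effect after a reboot, so reboot once after the whole sequence has been entered and confirm the result with get_params over SSH before connecting the Management port to the production management network.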

Reset the password

If you have forgotten the password and cannot log in at the login prompt, perform the following steps to reset it. Note that this procedure needs nothing but physical access to the front panel and restores every parameter, including the documented default password, so the rack that holds the chassis must be physically secured.

a On the fail-open switch, press the PB1 push button for 3 seconds to enter the main menu shown in the display panel.

b Short-press the PB0 push button to move to the next sub-menu in the list. Repeat until you reach the OP sub-menu.

c Short-press the PB1 push button to select and view the options in the OP sub-menu.

d Short-press the PB0 push button to move to the next option in the OP sub-menu. Repeat until you reach the DEFAULT option.

e Short-press the PB1 push button to select the DEFAULT option.

Selecting DEFAULT restores the factory default parameters. The display panel shows small lines ( _ _ _ _ _ ) to indicate that the factory defaults were set successfully. As a result, the password is also reset to the default password, and any network, SSH, HTTPS, and SNMP settings you had changed revert as well.


6 Configure Sensor Monitoring Ports

Before you begin

• The Sensor must be set up with trust established with a Manager server.

• The Sensor has a free port pair that can be deployed in in-line fail-open mode.

• It is assumed that you have inserted the necessary transceiver modules into the Sensor when cabling the Sensor and fail-open switch.

When you set up a Sensor for the first time, its ports are disabled by default. The Sensor ports must be manually configured for in-line fail-open operation.

a In the Manager, go to Devices | <Admin_Domain_Name> | Devices | <Device_Name> | Setup | Physical Ports.

b Double-click one of the configurable ports, say G2/1.

A configuration panel appears on the right side of the window.

c Click the State drop-down and select Enabled.

You are asked whether you want to proceed, since this configuration also affects port G2/2.

d Click Yes to proceed.

This enables the port pair G2/1-G2/2.

e Select the Auto Negotiate checkbox and make sure the Speed (Duplex) is set to 1 Gbps (Full).

f Click the Mode drop-down and select In-line Fail-Open – Active.

g Click the Placement drop-down and select Inside Network or Outside Network, depending on how you cabled your ports. The placement must match the cabling described in section 4: the Sensor port cabled to the switch's Port 0 or Monitor A carries the inside traffic.

McAfee recommends choosing Gx/1 or xA as Inside Network and Gx/2 or xB as Outside Network.

h Click Save.

The Sensor and fail-open switch are set up. When traffic passes through the ports, the port link status changes to Up and turns green.

7 Manage the fail-open switch through a web interface

If you have configured an IPv4 address for your fail-open switch, you can manage the fail-open switch through its web interface.

a To access the fail-open switch web interface, enter the IPv4 address you configured for the fail-open switch in a web browser.

The web interface logon screen appears.

b To log on, enter the default username and password, McAfee00 and McAfee00.

You are taken to the fail-open switch web interface landing page, which shows the settings currently configured on the fail-open switch. Configuration of the necessary settings is explained in the relevant sections.

8 Enable tap mode for the fail-open switch

Before you begin

• Configure an IPv4 address for your fail-open switch.

• Make sure you can access the fail-open switch web-interface using a web browser.

You can enable tap mode for your active fail-open switch if you use a tap to route network traffic to the Sensor monitoring ports.

a Log on to the web interface of the active fail-open switch.

Use the default credentials unless you have changed them. For more information about the web interface, refer to section 7, Manage the fail-open switch through a web interface.

b Click the Bypass tab to access the Bypass configuration page.

c Click the HB active mode drop-down menu and select Off.

d In the Active bypass section, select tap.

e Click Apply to save your configuration.

Your active fail-open switch now operates in tap mode.

Return from tap mode to inline mode

a Click the Bypass tab to access the bypass configuration page.

b Click the HB active mode drop-down menu and select On.

c Click Apply to save your configuration.

You have reconfigured your fail-open switch to run in inline mode of operation.

9 Configure notification by SNMP traps

Before you begin

• To configure SNMP traps, you will require a server that acts as an SNMP server. The SNMP server can be any Windows or Linux system with a MIB browser such as iReasoning installed.

• Make sure your fail-open switch IP address can be reached within the network.

• Make sure your SNMP server and fail-open switch are able to communicate.

• In addition, you will need the MIB files to decode the alert codes sent by the fail-open switch. These files are specific to the fail-open switch and can be obtained from McAfee KnowledgeBase article KB86247.

The SNMP feature of your fail-open switch can only be used to send notifications through SNMP traps; the switch cannot be polled.

a Connect an RJ-45 cable to the Management port at the back of the fail-open switch.

b Connect the other end to a network device so that the SNMP server is reachable through the network.

c Copy the fail-open switch MIB files to a suitable location on the SNMP server.

d Set up the fail-open switch IP address, network mask, and SNMP manager IP address by logging on to the web interface. For details about logging on to the web interface, refer to section 7, Manage the fail-open switch through a web interface.

You can also configure various other parameters specific to SNMP traps. For details about these commands, refer to section 5, Configure fail-open switch parameters.

e On the web interface, click the SNMP tab.

The SNMP configuration page appears.

f To configure the SNMP server IPv4 address, enter it in the Server IP field.

The credentials used will be the default credentials for the fail-open switch.

g (Optional) If you want to configure multiple SNMP accounts, in the SNMP trap account section select set from the Operations drop-down.

If you do not configure additional SNMP trap accounts, all traps are sent to the main SNMP trap account you set up here.

h Enter the IPv4 address for the other account.

i (Optional) You can specify an alternate SNMPv3 password for the additional SNMP server.

SNMP community strings are used only by devices that support the SNMPv1 and SNMPv2c protocols. SNMPv3 uses username and password authentication along with an encryption key. You can configure a community string if the SNMP software you use requires one, regardless of the requirements in this user interface.

j Click Apply to save your configuration.

k In the SNMP server, configure these settings to enable SNMPv3 traps for the active fail-open kit:

• USM user: McAfee00
• Security level: auth, priv
• Auth algorithm: SHA
• Auth password: McAfee00
• Privacy algorithm: AES
• Privacy password: McAfee00

These are the switch's published defaults. SNMPv3 authentication and encryption protect the traps only as far as the password is secret; with the default password, anyone who can observe the trap traffic can read the traps and forge authenticated ones. Treat the trap feed accordingly and keep the switch's Management port on a network that untrusted hosts cannot reach.

l Load the MIB file. If you do not have the appropriate MIB file, contact McAfee Support.

m Make sure the SNMP server and fail-open switch are able to communicate through the network.

You have configured your active fail-open switch to send SNMP traps to an SNMP server. You can also configure multiple SNMP trap accounts. Access the SNMP server to view the traps.

10 Verify your installation

Follow these steps to make sure your setup is working as designed.

a Check the icons in the Manager beside the ports you have configured as In-line Fail-Open – Active.

They must show Up.

b Check the Bypass LED on the Sensor.

LED status Description

ON The Sensor is in inline fail-open, inline fail-closed, SPAN, or TAP mode.

OFF The Sensor is in bypass mode.

c Check the PWR LEDs on the chassis.

The PWR LED for each power source in use glows.

d Check the port status and operating mode status of the GE in-line fail-open ports.

The figures in the original guide show the fail-open switch LEDs in normal mode (Sensor ports operating normally) and in bypass mode (Sensor ports down).

Item  Description
NRM   Glows green when the Sensor is in normal mode of operation.
WDT   Watchdog timer. The Watchdog Timer LED always blinks amber, whether the fail-open switch is in normal or bypass mode. The blink indicates that the heartbeat pulse is being sent through the fail-open connection. The watchdog timer is always blinking, even when the fail-open switch is bypassing the Sensor, because it is always sending and listening for the correct heartbeat state from the Sensor monitoring ports.
BYP   Glows red when the fail-open switch is in bypass mode of operation.

11 Troubleshooting

During normal in-line fail-open operation of the Sensor, the fail-open switch constantly sends a heartbeat signal to the Sensor. If this signal does not return to the fail-open switch within a programmed interval, the fail-open switch removes the Sensor from the data path and moves into bypass mode, providing continuous data flow with little network interruption.

While the fail-open switch is in bypass mode, traffic passes directly through it, bypassing the Sensor.

When normal Sensor operation resumes, you might or might not need to manually re-enable the monitoring ports from the Manager interface, depending on the activity leading up to the Sensor's failure.

The following section describes how to return the Sensor to in-line mode.


What happens when a Sensor fails?

When a Sensor fails with a fail-open switch in place, the following events occur in the stated order.

• The Manager reports a "Sensor in bad health" or "Port pair is in bypass mode" error in the System Health pane.

• The Sensor reboots and the fail-open switch begins forwarding traffic. All traffic now bypasses the Sensor and flows through the fail-open switch with minimal traffic disruption.

A Sensor reboot breaks the link connecting the devices on either side of the Sensor and requires renegotiation of the network link between the two devices surrounding the Sensor. Depending on the network equipment, this disruption ranges from a couple of seconds to more than a minute with certain vendors' devices.

• Upon reboot completion, the Sensor resumes its heartbeat, and one of the following occurs:

• If the reboot occurred during normal operation as described, the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line fail-open mode.

• If the reboot occurred due to an error, the fail-open switch continues to bypass the Sensor until the administrator manually re-enables the Sensor ports in the Manager. Until then all traffic on that link is uninspected, so a bypass alarm that does not clear on its own needs an operator.

After the ports are re-enabled, the fail-open switch resumes passing data through the Sensor and the Sensor returns to in-line mode.

A brief link disruption is likely to occur while the links are renegotiated to place the Sensor back in in-line mode.

• The errors on the Manager disappear and normal health is reported.

Common problems and solutions

This section lists some common installation problems and their solutions.

Problem: Network or link problems.
  Possible cause: Improper cabling or port configuration.
  Solution: Ensure that the transmit and receive cables are properly connected to the fail-open switch.

Problem: Sensor LED is off.
  Possible cause: The Sensor is turned off, or the Sensor port cable is disconnected.
  Solution: Restore Sensor power. Check the Sensor cable connections.

Problem: Sensor is operational, but is not monitoring traffic.
  Possible cause: Network device cables have been disconnected, or the Sensor ports have not been enabled on the Sensor.
  Solution: Check the cables and ensure that they are properly connected to both the network devices and the fail-open switch. Ports are disabled on a Sensor failure; they must be re-enabled in the Manager for Sensor monitoring to resume.

Problem: Runts or giants errors on switches and routers.
  Possible cause: Improper cabling or port configuration.
  Solution: Ensure that the transmit and receive cables are properly connected to the fail-open switch.

Problem: The system fault "Switch absent" appears on the Operational Status page of the Manager.
  Possible cause: Improper cabling.
  Solution: Ensure that the transmit and receive cables are properly connected to the fail-open switch.

Copyright © 2017 McAfee, LLC

McAfee and the McAfee logo are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

700-4420F00